Version 4.0.5


Release Date: Not released


4.0.5 release of CodeIgniter4



  • New URL helper function url_to() which creates absolute URLs based on controllers.
  • New Model option: $useAutoIncrement which when set to false allows you to provide your own primary key for each record in the table. Handy when we want to implement 1:1 relation or use UUIDs for our model.
  • New URL helper function url_is() which allows you to check the current URL to see if matches the given string.
  • Services now have their config parameters strictly typehinted. This will ensure no one will pass a different config instance. If you need to pass a new config with additional properties, you need to extend that particular config.
  • Support for setting SameSite attribute on Session and CSRF cookies has been added. For security and compatibility with latest browser versions, the default setting is Lax.


  • System messages defined in system/Language/en/ are now strictly for internal framework use and are not covered by backwards compatibility (BC) promise. Users may use these messages in their applications but at their own risks.

Bugs Fixed:

  • Fixed a bug in Entity class where declaring class parameters was preventing data propagation to the attributes array.
  • Handling for the environment variable encryption.key has changed. Previously, explicit function calls, like getenv('encryption.key') or env('encryption.key') where the value has the special prefix hex2bin: returns an automatically converted binary string. This is now changed to just return the character string with the prefix. This change was due to incompatibility with handling binary strings in environment variables on Windows platforms. However, accessing $key using Encryption class config remains unchanged and still returns a binary string.


  • Deprecated BaseCommand::getPad in favor of BaseCommand::setPad.
  • Deprecated CodeIgniter\Controller::loadHelpers in favor of helper function.
  • Deprecated Config\Format::getFormatter in favor of CodeIgniter\Format\Format::getFormatter
  • Deprecated CodeIgniter\Security\Security::CSRFVerify in favor of CodeIgniter\Security\Security::verify
  • Deprecated CodeIgniter\Security\Security::getCSRFHash in favor of CodeIgniter\Security\Security::getHash
  • Deprecated CodeIgniter\Security\Security::getCSRTokenName in favor of CodeIgniter\Security\Security::getCSRTokenName
  • Deprecated Config\App::$CSRFTokenName in favor of Config\Security::$tokenName
  • Deprecated Config\App::$CSRFHeaderName in favor of Config\Security::$headerName
  • Deprecated Config\App::$CSRFCookieName in favor of Config\Security::$cookieName
  • Deprecated Config\App::$CSRFExpire in favor of Config\Security::$expire
  • Deprecated Config\App::$CSRFRegenerate in favor of Config\Security::$regenerate
  • Deprecated Config\App::$CSRFRedirect in favor of Config\Security::$redirect
  • Deprecated Config\App::$CSRFSameSite in favor of Config\Security::$samesite
  • Deprecated migrate:create command in favor of make:migration command.
  • Deprecated CodeIgniter\Database\ModelFactory in favor of CodeIgniter\Config\Factories::models()
  • Deprecated CodeIgniter\Config\Config in favor of CodeIgniter\Config\Factories::config()
  • Deprecated CodeIgniter\HTTP\Message::getHeader in favor of header() to prepare for PSR-7
  • Deprecated CodeIgniter\HTTP\Message::getHeaders in favor of headers() to prepare for PSR-7