The problem should disappear when updating symfony/http-kernel. I don't think there is anything we can do to prevent this issue.

@xabbuh but according to the issue report:

it seems to be a mismatch between version 4.0.4 of HttpKernel and version 4.0.12 of HttpFoundation, because the method hasBeenStarted has been removed from Symfony\Component\HttpFoundation\Session\Session.

Is this correct? Was that method really removed in a patch version?

Yes, that was an internal one.

@nicwortel I've checked this and as @xabbuh and @nicolas-grekas said, this is sadly expected. As you can see in this line v4.0.11...v4.0.12#diff-6ea44a1c02e94a4394cbc7076fe26bbeL147 the removed method is marked as @internal, so there's no promise to keep it:

I'm afraid the only solution possible is to upgrade these two dependencies to the same version. We're closing this issue report for that reason. Thanks!

@javiereguiluz if it is internal, then why is it used by another component? What is Symfony's policy on this?

I don't know the fine print of this, but a quick review of our BC policy promise shows that none of it applies to anything marked as @internal. I'm sorry.

we may miss a "conflict" rule somewhere, but I would advise upgrading all components to 4.1.1 instead.

@javiereguiluz but the mistake was on our side. The internal HttpFoundation method was used by HttpKernel, not by the user.
so for this case, it is indeed too late as the release is already done. But it means we have to be more careful ourselves with our own cross-component usages of internal APIs.