Skip to content

Build(deps): Bump twig/twig from 3.24.0 to 3.27.1#3090

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/composer/twig/twig-3.27.1
Open

Build(deps): Bump twig/twig from 3.24.0 to 3.27.1#3090
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/composer/twig/twig-3.27.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 5, 2026

Bumps twig/twig from 3.24.0 to 3.27.1.

Release notes

Sourced from twig/twig's releases.

v3.27.1

Changelog (twigphp/Twig@v3.27.0...v3.27.1)

  • bug #4822 Fix inconsistent array access with a Stringable key (@​fabpot)
  • bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (@​fabpot)

v3.27.0

Changelog (twigphp/Twig@v3.26.0...v3.27.0)

  • security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@​fabpot)
  • security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@​fabpot)
  • security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@​fabpot)
  • security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@​fabpot)
  • security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@​fabpot)
  • feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@​fabpot)
  • feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@​fabpot)
  • bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@​fabpot)
  • bug #4807 Escape root profile name in HtmlDumper (@​fabpot)
  • bug #4808 Restrict allowed classes in Profile::unserialize() (@​fabpot)
  • feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@​fabpot)

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

v3.25.0

Changelog (twigphp/Twig@v3.24.0...v3.25.0)

Changelog

Sourced from twig/twig's changelog.

3.27.1 (2026-05-30)

  • Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path
  • Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array

3.27.0 (2026-05-27)

  • Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
  • Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
  • Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
  • Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
  • Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
  • Escape root profile name in HtmlDumper
  • Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
  • Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
  • Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
  • Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
  • Fix sandbox __toString bypass via the in and not in operators
  • Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
  • Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
  • Fix sandbox __toString policy bypass via dynamic mapping keys

3.26.0 (2026-05-20)

  • Document that the sandbox doesn't protect against resource exhaustion
  • Document template_from_string caveats when used in a sandboxed environment
  • Add docs on Markup about the goal of this class in the context of a sandbox
  • Pre-escape HTML input on the spaceless filter
  • Pre-escape HTML input on inline_css and inky_to_html filters
  • Fix XSS by adjusting is_safe annotation on HTML-emitting filters
  • [Profiler] Escape template and profile names in HtmlDumper
  • Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
  • Fix sandbox bypass in the "column" filter
  • Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
  • Fix sandbox bypass: PHP code injection via {% use %} template name
  • Fix sandbox bypass: PHP code injection via _self / import macro reference
  • Fix sandbox bypass in object destructuring assignment
  • Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
  • Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
  • Fix sandbox __toString bypasses
  • Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

3.25.0 (2026-05-17)

  • Add a needs_is_sandboxed option for filters, functions, and tests
  • Use deterministic suffixes for generated embed classes
  • Lazy-load EscaperRuntime in EscaperExtension
Commits
  • ae2071b Prepare the 3.27.1 release
  • 79884de bug #4822 Fix inconsistent array access with a Stringable key (fabpot)
  • 8ec9530 Fix inconsistent array access with a Stringable key
  • dfb5232 bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (f...
  • d25f98f Preserve IteratorAggregate identity in sandbox __toString walker
  • 118938b Fix tests
  • 86f3b3a Bump version
  • 04ae1bf Prepare the 3.27.0 release
  • 99a1038 security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox ...
  • 23eb6eb Fix sandbox filter/tag/function allow-list bypass when sandbox state changes ...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Build(deps): Bump twig/twig from 3.24.0 to 3.27.1
4f8dc93 
Bumps [twig/twig](https://github.com/twigphp/Twig) from 3.24.0 to 3.27.1.
- [Release notes](https://github.com/twigphp/Twig/releases)
- [Changelog](https://github.com/twigphp/Twig/blob/3.x/CHANGELOG)
- [Commits](twigphp/Twig@v3.24.0...v3.27.1)

---
updated-dependencies:
- dependency-name: twig/twig
  dependency-version: 3.27.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added automerge dependencies Pull requests that update a dependency file labels Jun 5, 2026
@dependabot dependabot Bot mentioned this pull request Jun 5, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automerge dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants