Skip to content

Bump twig/twig from 3.22.0 to 3.27.1#128

Merged
Rom1-B merged 1 commit into
mainfrom
dependabot/composer/twig/twig-3.27.1
Jun 4, 2026
Merged

Bump twig/twig from 3.22.0 to 3.27.1#128
Rom1-B merged 1 commit into
mainfrom
dependabot/composer/twig/twig-3.27.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026
edited
Loading

Bumps twig/twig from 3.22.0 to 3.27.1.

Release notes

Sourced from twig/twig's releases.

v3.27.1

Changelog (twigphp/Twig@v3.27.0...v3.27.1)

  • bug #4822 Fix inconsistent array access with a Stringable key (@​fabpot)
  • bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (@​fabpot)

v3.27.0

Changelog (twigphp/Twig@v3.26.0...v3.27.0)

  • security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@​fabpot)
  • security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@​fabpot)
  • security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@​fabpot)
  • security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@​fabpot)
  • security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@​fabpot)
  • feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@​fabpot)
  • feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@​fabpot)
  • bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@​fabpot)
  • bug #4807 Escape root profile name in HtmlDumper (@​fabpot)
  • bug #4808 Restrict allowed classes in Profile::unserialize() (@​fabpot)
  • feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@​fabpot)

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

v3.25.0

Changelog (twigphp/Twig@v3.24.0...v3.25.0)

v3.24.0

Changelog (twigphp/Twig@v3.23.0...v3.24.0)

... (truncated)

Changelog

Sourced from twig/twig's changelog.

3.27.1 (2026-05-30)

  • Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path
  • Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array

3.27.0 (2026-05-27)

  • Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
  • Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
  • Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
  • Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
  • Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
  • Escape root profile name in HtmlDumper
  • Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
  • Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
  • Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
  • Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
  • Fix sandbox __toString bypass via the in and not in operators
  • Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
  • Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
  • Fix sandbox __toString policy bypass via dynamic mapping keys

3.26.0 (2026-05-20)

  • Document that the sandbox doesn't protect against resource exhaustion
  • Document template_from_string caveats when used in a sandboxed environment
  • Add docs on Markup about the goal of this class in the context of a sandbox
  • Pre-escape HTML input on the spaceless filter
  • Pre-escape HTML input on inline_css and inky_to_html filters
  • Fix XSS by adjusting is_safe annotation on HTML-emitting filters
  • [Profiler] Escape template and profile names in HtmlDumper
  • Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
  • Fix sandbox bypass in the "column" filter
  • Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
  • Fix sandbox bypass: PHP code injection via {% use %} template name
  • Fix sandbox bypass: PHP code injection via _self / import macro reference
  • Fix sandbox bypass in object destructuring assignment
  • Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
  • Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
  • Fix sandbox __toString bypasses
  • Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

3.25.0 (2026-05-17)

  • Add a needs_is_sandboxed option for filters, functions, and tests
  • Use deterministic suffixes for generated embed classes
  • Lazy-load EscaperRuntime in EscaperExtension

3.24.0 (2026-03-17)

... (truncated)

Commits
  • ae2071b Prepare the 3.27.1 release
  • 79884de bug #4822 Fix inconsistent array access with a Stringable key (fabpot)
  • 8ec9530 Fix inconsistent array access with a Stringable key
  • dfb5232 bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (f...
  • d25f98f Preserve IteratorAggregate identity in sandbox __toString walker
  • 118938b Fix tests
  • 86f3b3a Bump version
  • 04ae1bf Prepare the 3.27.0 release
  • 99a1038 security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox ...
  • 23eb6eb Fix sandbox filter/tag/function allow-list bypass when sandbox state changes ...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels Jun 4, 2026
@Rom1-B Rom1-B requested review from Rom1-B and stonebuzz June 4, 2026 07:11
@stonebuzz
Copy link
Copy Markdown
Contributor

stonebuzz commented Jun 4, 2026

@dependabot rebase

@dependabot
Bump twig/twig from 3.22.0 to 3.27.1
86a3f70 
Bumps [twig/twig](https://github.com/twigphp/Twig) from 3.22.0 to 3.27.1.
- [Release notes](https://github.com/twigphp/Twig/releases)
- [Changelog](https://github.com/twigphp/Twig/blob/3.x/CHANGELOG)
- [Commits](twigphp/Twig@v3.22.0...v3.27.1)

---
updated-dependencies:
- dependency-name: twig/twig
  dependency-version: 3.27.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/composer/twig/twig-3.27.1 branch from 13837e0 to 86a3f70 Compare June 4, 2026 07:22
@Rom1-B Rom1-B merged commit f81c04b into main Jun 4, 2026
3 checks passed
@Rom1-B Rom1-B deleted the dependabot/composer/twig/twig-3.27.1 branch June 4, 2026 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stonebuzz stonebuzz stonebuzz approved these changes

@Rom1-B Rom1-B Awaiting requested review from Rom1-B

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stonebuzz @Rom1-B