build(deps): Bump twig/twig from 3.24.0 to 3.27.1

[dependabot]

Bumps twig/twig from 3.24.0 to 3.27.1.

Release notes

Sourced from twig/twig's releases.

v3.27.1

Changelog (twigphp/Twig@v3.27.0...v3.27.1)

• bug #4822 Fix inconsistent array access with a Stringable key (@​fabpot)
• bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (@​fabpot)

v3.27.0

Changelog (twigphp/Twig@v3.26.0...v3.27.0)

• security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@​fabpot)
• security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@​fabpot)
• security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@​fabpot)
• security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@​fabpot)
• security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@​fabpot)
• feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@​fabpot)
• feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@​fabpot)
• bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@​fabpot)
• bug #4807 Escape root profile name in HtmlDumper (@​fabpot)
• bug #4808 Restrict allowed classes in Profile::unserialize() (@​fabpot)
• feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@​fabpot)

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

• security #cve-2026-46627 Document that the sandbox doesn't protect against resource exhaustion (@​fabpot)
• security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (@​fabpot)
• security #cve-2026-46634 Document template_from_string caveats when used in a sandboxed env (@​fabpot)
• security #cve-2026-46635 Fix sandbox bypass in the "column" filter (@​alexandre-daubois)
• security #cve-2026-47732 [Sandbox] Fix __toString() support (@​fabpot)
• security #cve-2026-47730 [Profiler] Escape template and profile names in HtmlDumper (@​nicolas-grekas)
• security #cve-2026-46640 Fix sandbox bypass: PHP code injection via _self / import macro reference (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46638 Fix sandbox bypass in the { sandbox } tag when including a preloaded template (@​alexandre-daubois)
• security #cve-2026-46633 Fix sandbox bypass: PHP code injection via { use } template name (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter (@​alexandre-daubois)
• security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@​nicolas-grekas)
• security #cve-2026-46639 Fix sandbox bypass in object destructuring assignment (@​alexandre-daubois)
• security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing (@​fabpot)

v3.25.0

Changelog (twigphp/Twig@v3.24.0...v3.25.0)

• feature #4795 Lazy load EscaperRuntime in EscaperExtension (@​GromNaN)
• feature #4800 Add a needs_is_sandboxed option for filters, functions, and tests (@​fabpot)
• bug #4797 Make embeds deterministic (@​itsalmostchristmas)

Changelog

Sourced from twig/twig's changelog.

3.27.1 (2026-05-30)

• Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path
• Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array

3.27.0 (2026-05-27)

• Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
• Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
• Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
• Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
• Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
• Escape root profile name in HtmlDumper
• Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
• Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
• Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
• Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
• Fix sandbox __toString bypass via the in and not in operators
• Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
• Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
• Fix sandbox __toString policy bypass via dynamic mapping keys

3.26.0 (2026-05-20)

• Document that the sandbox doesn't protect against resource exhaustion
• Document template_from_string caveats when used in a sandboxed environment
• Add docs on Markup about the goal of this class in the context of a sandbox
• Pre-escape HTML input on the spaceless filter
• Pre-escape HTML input on inline_css and inky_to_html filters
• Fix XSS by adjusting is_safe annotation on HTML-emitting filters
• [Profiler] Escape template and profile names in HtmlDumper
• Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
• Fix sandbox bypass in the "column" filter
• Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
• Fix sandbox bypass: PHP code injection via {% use %} template name
• Fix sandbox bypass: PHP code injection via _self / import macro reference
• Fix sandbox bypass in object destructuring assignment
• Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
• Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
• Fix sandbox __toString bypasses
• Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

3.25.0 (2026-05-17)

• Add a needs_is_sandboxed option for filters, functions, and tests
• Use deterministic suffixes for generated embed classes
• Lazy-load EscaperRuntime in EscaperExtension

Commits

• ae2071b Prepare the 3.27.1 release
• 79884de bug #4822 Fix inconsistent array access with a Stringable key (fabpot)
• 8ec9530 Fix inconsistent array access with a Stringable key
• dfb5232 bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (f...
• d25f98f Preserve IteratorAggregate identity in sandbox __toString walker
• 118938b Fix tests
• 86f3b3a Bump version
• 04ae1bf Prepare the 3.27.0 release
• 99a1038 security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox ...
• 23eb6eb Fix sandbox filter/tag/function allow-list bypass when sandbox state changes ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: main. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.