[Conductor] Update twig/twig to v3.27.0 #1745

Closed. private-packagist[bot] wants to merge 1 commit into main from conductor-twig-twig-75584

@private-packagist

This PR was automatically generated by Conductor.

The PR contains the changes generated by running the following command:

composer update twig/twig:v3.27.0 --with-all-dependencies --minimal-changes

Changelog

twig/twig (Source: GitHub Releases)

v3.27.0

Changelog (v3.26.0...v3.27.0)

  • security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@fabpot)
  • security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@fabpot)
  • security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@fabpot)
  • security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@fabpot)
  • security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@fabpot)
  • feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@fabpot)
  • feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@fabpot)
  • bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@fabpot)
  • bug #4807 Escape root profile name in HtmlDumper (@fabpot)
  • bug #4808 Restrict allowed classes in Profile::unserialize() (@fabpot)
  • feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@fabpot)

Task options

If you close the PR, the task will be skipped and Conductor will schedule the next task. Clicking the "Skip" button in the UI has the same effect. Conductor won't attempt to update the dependency to this exact version again but it will schedule updates to newer versions.


Powered by Private Packagist

Conductor executed the following commands:
composer update twig/twig:v3.27.0 --with-all-dependencies --minimal-changes
@private-packagist

composer.lock

Package changes

| Package | Operation | From | To | About |
|---|---|---|---|---|
| twig/twig | upgrade | v3.26.0 | v3.27.0 | diff |


@private-packagist

The pull request for this task was closed by Conductor because a newer package version is available or the dependencies have already been updated.

private-packagist[bot] deleted the conductor-twig-twig-75584 branch on May 27, 2026, 14:39