Skip to content

build(deps-dev): bump twig/twig from 3.24.0 to 3.26.0#2376

Open
dependabot[bot] wants to merge 1 commit into
1.xfrom
dependabot/composer/twig/twig-3.26.0
Open

build(deps-dev): bump twig/twig from 3.24.0 to 3.26.0#2376
dependabot[bot] wants to merge 1 commit into
1.xfrom
dependabot/composer/twig/twig-3.26.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps twig/twig from 3.24.0 to 3.26.0.

Release notes

Sourced from twig/twig's releases.

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

  • security #cve-2026-46627 Document that the sandbox doesn't protect against resource exhaustion (@​fabpot)
  • security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (@​fabpot)
  • security #cve-2026-46634 Document template_from_string caveats when used in a sandboxed env (@​fabpot)
  • security #cve-2026-46635 Fix sandbox bypass in the "column" filter (@​alexandre-daubois)
  • security #cve-2026-47732 [Sandbox] Fix __toString() support (@​fabpot)
  • security #cve-2026-47730 [Profiler] Escape template and profile names in HtmlDumper (@​nicolas-grekas)
  • security #cve-2026-46640 Fix sandbox bypass: PHP code injection via _self / import macro reference (@​alexandre-daubois, @​fabpot)
  • security #cve-2026-46638 Fix sandbox bypass in the { sandbox } tag when including a preloaded template (@​alexandre-daubois)
  • security #cve-2026-46633 Fix sandbox bypass: PHP code injection via { use } template name (@​alexandre-daubois, @​fabpot)
  • security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter (@​alexandre-daubois)
  • security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@​nicolas-grekas)
  • security #cve-2026-46639 Fix sandbox bypass in object destructuring assignment (@​alexandre-daubois)
  • security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing (@​fabpot)

v3.25.0

Changelog (twigphp/Twig@v3.24.0...v3.25.0)

Changelog

Sourced from twig/twig's changelog.

3.26.0 (2026-05-20)

  • Document that the sandbox doesn't protect against resource exhaustion
  • Document template_from_string caveats when used in a sandboxed environment
  • Add docs on Markup about the goal of this class in the context of a sandbox
  • Pre-escape HTML input on the spaceless filter
  • Pre-escape HTML input on inline_css and inky_to_html filters
  • Fix XSS by adjusting is_safe annotation on HTML-emitting filters
  • [Profiler] Escape template and profile names in HtmlDumper
  • Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
  • Fix sandbox bypass in the "column" filter
  • Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
  • Fix sandbox bypass: PHP code injection via {% use %} template name
  • Fix sandbox bypass: PHP code injection via _self / import macro reference
  • Fix sandbox bypass in object destructuring assignment
  • Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
  • Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
  • Fix sandbox __toString bypasses
  • Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

3.25.0 (2026-05-17)

  • Add a needs_is_sandboxed option for filters, functions, and tests
  • Use deterministic suffixes for generated embed classes
  • Lazy-load EscaperRuntime in EscaperExtension
Commits
  • 1fcae48 Prepare the 3.26.0 release
  • 40d4f8a Update CHANGELOG
  • 116dae2 security #cve-2026-46627 Document that the sandbox doesn't protect against re...
  • 6bfa285 Document that the sandbox doesn't protect against resource exhaustion
  • 7923de1 security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (fab...
  • 47ca88d security #cve-2026-46634 Document template_from_string caveats when used in a...
  • 1cde8f2 Document template_from_string caveats when used in a sandboxed env
  • 3190b9a Pre-escape HTML input on the spaceless filter
  • b9e6e65 Add docs on Markup about the goal of this class in the context of a sandbox
  • 673f02c security #cve-2026-46635 Fix sandbox bypass in the "column" filter (alexandre...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps-dev): bump twig/twig from 3.24.0 to 3.26.0
fe39860 
Bumps [twig/twig](https://github.com/twigphp/Twig) from 3.24.0 to 3.26.0.
- [Release notes](https://github.com/twigphp/Twig/releases)
- [Changelog](https://github.com/twigphp/Twig/blob/3.x/CHANGELOG)
- [Commits](twigphp/Twig@v3.24.0...v3.26.0)

---
updated-dependencies:
- dependency-name: twig/twig
  dependency-version: 3.26.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 20, 2026
@dependabot dependabot Bot requested a review from norberttech as a code owner May 20, 2026 09:12
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 20, 2026
@dependabot dependabot Bot mentioned this pull request May 20, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@norberttech norberttech Awaiting requested review from norberttech norberttech is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants