Skip to content

fix(deps-dev): Update twig/twig requirement from ^3.0 to ^3.28#26

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/twig/twig-tw-3.28
Open

fix(deps-dev): Update twig/twig requirement from ^3.0 to ^3.28#26
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/twig/twig-tw-3.28

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown

Updates the requirements on twig/twig to permit the latest version.

Release notes

Sourced from twig/twig's releases.

v3.28.0

Changelog (twigphp/Twig@v3.27.1...v3.28.0)

  • bug #4850 Render backed enums using their backing value in the html_attr function (@​fabpot)
  • minor #4845 Add documention note about variable scope of override blocks in { embed ... only } (@​andy-blum)
  • minor #4843 Define macros at the template root in the cache macro fixture (@​fabpot)
  • bug #4841 Fix Markup truthiness in boolean expressions (@​xtrime-ru)
  • bug #4842 Fix a PHP 8.5 chr() deprecation when decoding octal string escapes (@​austinderrick)
  • feature #4292 Introduce a CorrectnessNodeVisitor to validate that templates are semantically correct (@​fabpot)
  • feature #4840 Mark Markup as final (@​fabpot)
  • feature #4838 Allow calling a macro with a dynamic name via the dot operator (@​fabpot)
  • bug #4835 Fix markdown_to_html mangling content that starts with a blank line (@​fabpot)
  • feature #4819 Add an allow-list for tests to the sandbox security policy (@​fabpot)
  • minor #4837 Reduce memory usage of the context restoration compiled at the end of for loops (@​fabpot)
  • feature #4816 Add an always_allowed_in_sandbox flag for filters, functions, and tags (@​fabpot)
  • feature #4834 Track the source offset of each token and expose it in syntax errors (@​fabpot)
  • minor #4836 Document how to customize the markdown_to_html converter (@​fabpot)
  • minor #4662 CoreExtension::getAttribute: small improvement regarding getter/isser/hasser (@​gharlan)
  • bug #4825 Make the include() function return a Markup object (@​fabpot)
  • bug #4830 Fix nested block() resolution when a directly rendered block calls parent() (@​fabpot)
  • minor #4827 Document {#--#} as the replacement for the deprecated spaceless filter (@​fabpot)
  • bug #4828 Stop reporting a skipped test in IntegrationTestCase when there is no legacy test to run (@​fabpot)
  • minor #4829 Document storing an enum in a variable to avoid repeating its FQCN (@​fabpot)
  • bug #4824 Cast printed expressions to string so values that cannot be converted to a string (arrays, non-Stringable objects, ...) report a usable stack trace at the print location (@​stof, @​fabpot)
  • feature #4826 Make IntegrationTestCase and NodeTestCase compatible with PHPUnit 11 (@​fabpot)
  • feature #4823 Skip the sandbox __toString check on arguments whose PHP parameter type cannot implicitly coerce to string (@​fabpot)
Changelog

Sourced from twig/twig's changelog.

3.28.0 (2026-07-03)

  • Render backed enums using their backing value in the html_attr function
  • Fix empty Markup values being treated as truthy in and, or, xor, not, ternary, and elvis expressions
  • Fix a PHP 8.5 chr() deprecation when decoding an octal string escape sequence larger than \377 (such as "\777")
  • Mark Twig\Markup as @final; it will be final in Twig 4.0
  • Reduce memory usage and speed up the context restoration compiled at the end of for loops
  • Allow calling a macro with a dynamic name via the dot operator (macros.(name)(args))
  • Report the column number in syntax errors and expose it via Error::getTemplateColumn()
  • Track the source offset of each token and expose it via Token::getOffset()
  • Fix nested block() calls to resolve against the overriding template when a block rendered through block(name, template) calls parent()
  • Deprecate the possibility to use a block tag within a capture node (like set)
  • Deprecate the possibility to use a block tag within a capture node (like set) in child templates
  • Deprecate using a macro, extends, or use tag outside the root of a template
  • Stop reporting a skipped test in IntegrationTestCase when there is no legacy test to run
  • Fix markdown_to_html to strip the indentation shared by all lines instead of mangling content that starts with a blank line
  • Make the IntegrationTestCase and NodeTestCase test helpers compatible with PHPUnit 11
  • Cast printed expressions to string so values that cannot be converted to a string (arrays, non-Stringable objects, ...) report a usable stack trace at the print location
  • Make the include() function return a Markup object so an assigned result is not re-escaped when printed
  • Skip the sandbox __toString check on arguments whose PHP parameter type cannot implicitly coerce to string
  • Document the criteria for marking a callable or tag as always allowed in a sandbox, and the list of built-in tags, filters, and functions that will be always allowed in Twig 4.0
  • Add an always_allowed_in_sandbox option for filters, functions, and tests, and an isAlwaysAllowedInSandbox() method for token parsers, to let authors mark callables and tags that are always allowed in sandbox mode without explicit allow-listing
  • Add an allow-list for tests to Twig\Sandbox\SecurityPolicy, with the safe built-in tests flagged as always allowed so they keep working without allow-listing

3.27.1 (2026-05-30)

  • Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path
  • Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array

3.27.0 (2026-05-27)

  • Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
  • Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
  • Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
  • Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
  • Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
  • Escape root profile name in HtmlDumper
  • Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
  • Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
  • Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
  • Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
  • Fix sandbox __toString bypass via the in and not in operators
  • Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
  • Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
  • Fix sandbox __toString policy bypass via dynamic mapping keys

3.26.0 (2026-05-20)

  • Document that the sandbox doesn't protect against resource exhaustion
  • Document template_from_string caveats when used in a sandboxed environment

... (truncated)

Commits
  • 597c12e Prepare the 3.28.0 release
  • 6a175a5 bug #4850 Render backed enums using their backing value in the html_attr func...
  • 9323a82 Render backed enums using their backing value in the html_attr function
  • ec0f5d5 Tweak previous merge
  • 4007231 minor #4845 Add documention note about variable scope of override blocks in {...
  • 068a2e6 Add documention note about variable scope of override blocks in {% embed ... ...
  • f6152fe minor #4843 Define macros at the template root in the cache macro fixture (fa...
  • 424d2f1 Define the macro at the template root in the cache macro fixture
  • e3b8e15 Update CHANGELOG
  • 2f202b0 bug #4841 Fix Markup truthiness in boolean expressions (xtrime-ru)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [twig/twig](https://github.com/twigphp/Twig) to permit the latest version.
- [Release notes](https://github.com/twigphp/Twig/releases)
- [Changelog](https://github.com/twigphp/Twig/blob/3.x/CHANGELOG)
- [Commits](twigphp/Twig@v3.0.0...v3.28.0)

---
updated-dependencies:
- dependency-name: twig/twig
  dependency-version: 3.28.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: composer, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants