[5.x]: Could not update from Craft 4 to Craft 5 because of Twig package security issues

[grasmachien]

What happened?

Description

Problem 1
- Root composer.json requires craftcms/cms 5.10.1 -> satisfiable by craftcms/cms[5.10.1].
- craftcms/cms 5.10.1 requires twig/twig ~3.24.0 -> found twig/twig[v3.24.0] but these were not loaded, because they are affected by security advisories ("PKSA-5k7f-wvjj-jrgw", "PKSA-sjvz-tbbr-vwth", "PKSA-h8hf-ytnd-5t9q", "PKSA-wwb1-81rc-pd65", "PKSA-hgmw-wn4d-hpcy", "PKSA-kvv6-36cr-fkzb", "PKSA-n14z-jjjg-g8vd", "PKSA-3mcc-k66d-pydb", "PKSA-gw7n-z4yx-7xjt", "PKSA-dpx1-78wg-1kqs", "PKSA-21g2-dzjv-sky5"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

I managed to work around it by adding "block-insecure": false to my composer.json.

Craft CMS version

4 -> 5

PHP version

8.4

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

[linear-code]

CMS-2110

[krafttoast]

Had the same issue

Twig 3.26.0 is out with today which should resolve the issue gracefully

@grasmachien
you can also remove "block-insecure": false from your composer.json and run

ddev composer update --no-security-blocking or
composer update --no-blocking

Prevents you from forgetting to remove "block-insecure": false from the composer.json after the issue is resolved

[brandonkelly]

Thanks for reporting that! Craft 5.10.2 is out now with Twig 3.26.