TechWilk / rota

Web-based rota management with email reminders.
7 stars 2 forks source link

[Security] Bump twig/twig from 2.6.2 to 2.7.2 #166

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps twig/twig from 2.6.2 to 2.7.2. This update includes security fixes.

Vulnerabilities fixed *Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/2019-03-12.yaml).* > **Sandbox Information Disclosure** > > Affected versions: <1.38.0; >=2.0.0, <2.7.0 *Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/85db744a-db42-4e6d-899e-0de42a806ae6).* > **[CVE-2001-1361] Vulnerability in The Web Information Gateway (TWIG) 2.7.1, possibly related to i...** > Vulnerability in The Web Information Gateway (TWIG) 2.7.1, possibly related to incorrect security rights and/or the generation of mailto links. > > Affected versions: <= 2.7.1
Changelog *Sourced from [twig/twig's changelog](https://github.com/twigphp/Twig/blob/2.x/CHANGELOG).* > * 2.7.2 (2019-03-12) > > * added TemplateWrapper::getTemplateName() > > * 2.7.1 (2019-03-12) > > * fixed class aliases > > * 2.7.0 (2019-03-12) > > * fixed sandbox security issue (under some circumstances, calling the > __toString() method on an object was possible even if not allowed by the > security policy) > * fixed batch filter clobbers array keys when fill parameter is used > * added preserveKeys support for the batch filter > * fixed "embed" support when used from "template_from_string" > * deprecated passing a Twig\Template to Twig\Environment::load()/Twig\Environment::resolveTemplate() > * added the possibility to pass a TemplateWrapper to Twig\Environment::load() > * marked Twig\Environment::getTemplateClass() as internal (implementation detail) > * improved the performance of the sandbox > * deprecated the spaceless tag > * added a spaceless filter > * added max value to the "random" function > * deprecated Twig\Extension\InitRuntimeInterface > * deprecated Twig\Loader\ExistsLoaderInterface > * deprecated PSR-0 classes in favor of namespaced ones > * made namespace classes the default classes (PSR-0 ones are aliases now) > * added Twig\Loader\ChainLoader::getLoaders() > * removed duplicated directory separator in FilesystemLoader > * deprecated the "base_template_class" option on Twig\Environment > * deprecated the Twig\Environment::getBaseTemplateClass() and > Twig\Environment::setBaseTemplateClass() methods > * changed internal code to use the namespaced classes as much as possible > * deprecated Twig_Parser::isReservedMacroName()
Commits - [`70c5953`](https://github.com/twigphp/Twig/commit/70c59531da43afe598c66135e39cac39475a2f51) prepared the 2.7.2 release - [`4718c92`](https://github.com/twigphp/Twig/commit/4718c92548d35b034b2adbd9f03e257f8953befb) Merge branch '1.x' into 2.x - [`c0d5991`](https://github.com/twigphp/Twig/commit/c0d5991cf7dc101cd06fe4e0afe05ce064eb3273) feature [#2893](https://github-redirect.dependabot.com/twigphp/Twig/issues/2893) Add TemplateWrapper::getTemplateName() (fabpot) - [`861066e`](https://github.com/twigphp/Twig/commit/861066e50bf636d88b5ad2e6d80efccdc1faa55a) added TemplateWrapper::getTemplateName() - [`b59a77e`](https://github.com/twigphp/Twig/commit/b59a77e8846e098cf7e98f65582a887178df7cc1) bumped version to 2.7.2-DEV - [`c0dd4dc`](https://github.com/twigphp/Twig/commit/c0dd4dc5f44e541c9c0e0506da76aa4f14b41c69) prepared the 2.7.1 release - [`b0d8cd7`](https://github.com/twigphp/Twig/commit/b0d8cd7788393e5ae0156b97d1c0377644d4a56c) bumped version to 1.38.2-DEV - [`88fc6d1`](https://github.com/twigphp/Twig/commit/88fc6d1454141680f7be8c0f6700a49c7c21637c) prepared the 1.38.1 release - [`2e72beb`](https://github.com/twigphp/Twig/commit/2e72beba5a2f99929bbfaf074a0de496bb23aac0) updated CHANGELOG - [`94887ff`](https://github.com/twigphp/Twig/commit/94887ffc158706a5eb1c2ede5847d5b9cca4f185) Merge branch '1.x' into 2.x - Additional commits viewable in [compare view](https://github.com/twigphp/Twig/compare/v2.6.2...v2.7.2)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.
dependabot-preview[bot] commented 5 years ago

Superseded by #169.