[Security] Bump twig/twig from 2.6.2 to 2.7.4

[dependabot-preview[bot]]

Bumps twig/twig from 2.6.2 to 2.7.4. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/2019-03-12.yaml).* > **Sandbox Information Disclosure** > > Affected versions: <1.38.0; >=2.0.0, <2.7.0

Changelog

*Sourced from [twig/twig's changelog](https://github.com/twigphp/Twig/blob/2.x/CHANGELOG).* > * 2.7.4 (2019-03-23) > > * fixed variadic support > * fixed CheckToStringNode implementation (broken when a function/filter is variadic) > > * 2.7.3 (2019-03-21) > > * fixed the spaceless filter so that it behaves like the spaceless tag > * fixed BC break on Environment::resolveTemplate() > * allowed Traversable objects to be used in the "with" tag > * allowed Traversable objects to be used in the "with" tag > * allowed Traversable objects to be used in the "with" argument of the "include" and "embed" tags > > * 2.7.2 (2019-03-12) > > * added TemplateWrapper::getTemplateName() > > * 2.7.1 (2019-03-12) > > * fixed class aliases > > * 2.7.0 (2019-03-12) > > * fixed sandbox security issue (under some circumstances, calling the > __toString() method on an object was possible even if not allowed by the > security policy) > * fixed batch filter clobbers array keys when fill parameter is used > * added preserveKeys support for the batch filter > * fixed "embed" support when used from "template_from_string" > * deprecated passing a Twig\Template to Twig\Environment::load()/Twig\Environment::resolveTemplate() > * added the possibility to pass a TemplateWrapper to Twig\Environment::load() > * marked Twig\Environment::getTemplateClass() as internal (implementation detail) > * improved the performance of the sandbox > * deprecated the spaceless tag > * added a spaceless filter > * added max value to the "random" function > * deprecated Twig\Extension\InitRuntimeInterface > * deprecated Twig\Loader\ExistsLoaderInterface > * deprecated PSR-0 classes in favor of namespaced ones > * made namespace classes the default classes (PSR-0 ones are aliases now) > * added Twig\Loader\ChainLoader::getLoaders() > * removed duplicated directory separator in FilesystemLoader > * deprecated the "base_template_class" option on Twig\Environment > * deprecated the Twig\Environment::getBaseTemplateClass() and > Twig\Environment::setBaseTemplateClass() methods > * changed internal code to use the namespaced classes as much as possible > * deprecated Twig_Parser::isReservedMacroName()

Commits

- [`ed9c492`](https://github.com/twigphp/Twig/commit/ed9c49220e09bfaeb1ba4d48077c08a7b09908dd) prepared the 2.7.4 release - [`5b8178a`](https://github.com/twigphp/Twig/commit/5b8178a658e6b71c421e34572099b72d81324636) bug [#2914](https://github-redirect.dependabot.com/twigphp/Twig/issues/2914) Fix variadic support (fabpot) - [`b7e812a`](https://github.com/twigphp/Twig/commit/b7e812a917bd1dd84c070218bef9735d86c539ad) fixed variadic support - [`29852e4`](https://github.com/twigphp/Twig/commit/29852e41f026deb69a9ea499ea44511da4083a21) updated CHANGELOG - [`0cf5fbd`](https://github.com/twigphp/Twig/commit/0cf5fbd67661584c734f916be536bad21103e4cd) Merge branch '1.x' into 2.x - [`cdcef19`](https://github.com/twigphp/Twig/commit/cdcef195e9d4ad475a560a82968af615566510fa) bug [#2913](https://github-redirect.dependabot.com/twigphp/Twig/issues/2913) Fix CheckToStringNode implementation (fabpot) - [`e24f796`](https://github.com/twigphp/Twig/commit/e24f796b83fed1b223d7452a56b0bda28f671c29) fixed CheckToStringNode implementation - [`ce396b4`](https://github.com/twigphp/Twig/commit/ce396b4f80d570b2e4a07d3e75698ac9bd5217a8) Merge branch '1.x' into 2.x - [`4f77fd5`](https://github.com/twigphp/Twig/commit/4f77fd5b482c33d1dca60773f205ba7c8d41eda0) minor [#2912](https://github-redirect.dependabot.com/twigphp/Twig/issues/2912) Refactor the implementation of dump() (fabpot) - [`243021e`](https://github.com/twigphp/Twig/commit/243021e6909aa1a0198a781d46f86c2685c02880) refactored the implementation of dump() - Additional commits viewable in [compare view](https://github.com/twigphp/Twig/compare/v2.6.2...v2.7.4)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.

[dependabot-preview[bot]]

Superseded by #175.