Bumps twig/twig from 2.6.2 to 2.7.0. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/2019-03-12.yaml).*
> **Sandbox Information Disclosure**
>
> Affected versions: <1.38.0; >=2.0.0, <2.7.0
Changelog
*Sourced from [twig/twig's changelog](https://github.com/twigphp/Twig/blob/2.x/CHANGELOG).*
> * 2.7.0 (2019-03-12)
>
> * fixed sandbox security issue (under some circumstances, calling the
> __toString() method on an object was possible even if not allowed by the
> security policy)
> * fixed batch filter clobbers array keys when fill parameter is used
> * added preserveKeys support for the batch filter
> * fixed "embed" support when used from "template_from_string"
> * deprecated passing a Twig\Template to Twig\Environment::load()/Twig\Environment::resolveTemplate()
> * added the possibility to pass a TemplateWrapper to Twig\Environment::load()
> * marked Twig\Environment::getTemplateClass() as internal (implementation detail)
> * improved the performance of the sandbox
> * deprecated the spaceless tag
> * added a spaceless filter
> * added max value to the "random" function
> * deprecated Twig\Extension\InitRuntimeInterface
> * deprecated Twig\Loader\ExistsLoaderInterface
> * deprecated PSR-0 classes in favor of namespaced ones
> * made namespace classes the default classes (PSR-0 ones are aliases now)
> * added Twig\Loader\ChainLoader::getLoaders()
> * removed duplicated directory separator in FilesystemLoader
> * deprecated the "base_template_class" option on Twig\Environment
> * deprecated the Twig\Environment::getBaseTemplateClass() and
> Twig\Environment::setBaseTemplateClass() methods
> * changed internal code to use the namespaced classes as much as possible
> * deprecated Twig_Parser::isReservedMacroName()
Commits
- [`57bd838`](https://github.com/twigphp/Twig/commit/57bd838bb7a9368ecf8b19bbe9788090502d1615) prepared the 2.7.0 release
- [`ad7d274`](https://github.com/twigphp/Twig/commit/ad7d27425dffc763644de93da2262f69478c691b) Merge branch '1.x' into 2.x
- [`0f3af98`](https://github.com/twigphp/Twig/commit/0f3af98ef6e71929ad67fb6e5f3ad65777c1c4c5) security [#2885](https://github-redirect.dependabot.com/twigphp/Twig/issues/2885) Fix security issue in the sandbox (fabpot)
- [`34cccc7`](https://github.com/twigphp/Twig/commit/34cccc77f077bccb546d5471d9f7d34541d21037) Merge branch '1.x' into 2.x
- [`5e1a361`](https://github.com/twigphp/Twig/commit/5e1a3615bceaa913babe38a116b7ca1a40598f44) removed one usage of Template vs TemplateWrapper
- [`eac5422`](https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077) fixed security issue in the sandbox
- [`0e583c9`](https://github.com/twigphp/Twig/commit/0e583c9ee1c5cbd6f1c3e0b28447fa85b3428eb7) updated CHANGELOG
- [`a73bcb4`](https://github.com/twigphp/Twig/commit/a73bcb4afe4393d4be9c7c424bdef42e19e78668) Merge branch '1.x' into 2.x
- [`7e30569`](https://github.com/twigphp/Twig/commit/7e305693b0bb212082fd19df808a949d8b0ed72d) bug [#2884](https://github-redirect.dependabot.com/twigphp/Twig/issues/2884) Fix "batch filter clobbers array keys when fill parameter is used "...
- [`750cb23`](https://github.com/twigphp/Twig/commit/750cb237421a2210b677c8ae1f23096ce407714b) fixed batch filter clobbers array keys when fill parameter is used
- Additional commits viewable in [compare view](https://github.com/twigphp/Twig/compare/v2.6.2...v2.7.0)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.