Bump the composer group across 1 directory with 2 updates

[dependabot]

Bumps the composer group with 2 updates in the / directory: symfony/yaml and twig/twig.

Updates symfony/yaml from 6.4.12 to 6.4.40

Release notes

Sourced from symfony/yaml's releases.

v6.4.40

Changelog (symfony/yaml@v6.4.39...v6.4.40)

• security #cve-2026-45305 Harden the Parser::cleanup() regexes against catastrophic backtracking (@​nicolas-grekas)
• security #cve-2026-45304 Bound collection-alias resolution in the parser (@​nicolas-grekas)
• security #cve-2026-45133 Bound recursion depth in the parser (@​nicolas-grekas)

v6.4.39

Changelog (symfony/yaml@v6.4.38...v6.4.39)

• bug #64196 Reject non-stringables when using "!!binary" (@​nicolas-grekas)

v6.4.38

Changelog (symfony/yaml@v6.4.34...v6.4.38)

• bug #64119 fix flow collection drops &anchor and !!str &anchor items (@​ousamabenyounes)

v6.4.34

Changelog (symfony/yaml@v6.4.33...v6.4.34)

• bug #57292 Fix parsing nested mappings in sequences (@​HypeMC)

v6.4.30

Changelog (symfony/yaml@v6.4.29...v6.4.30)

• bug symfony/symfony#62612 [Yaml] Fix regression handling blank lines in unquoted scalars (@​yoeunes)
• bug symfony/symfony#62409 [Yaml] Align unquoted multiline scalar parsing with spec for comments (@​yoeunes)
• bug symfony/symfony#62359 [Yaml] Fix parsing of unquoted multiline scalars with comments or blank lines (@​yoeunes)

v6.4.26

Changelog (symfony/yaml@v6.4.25...v6.4.26)

• bug symfony/symfony#61855 [DoctrineBridge][Yaml] don't cast strings exceeding the min/max int ranges (@​xabbuh)

v6.4.25

Changelog (symfony/yaml@v6.4.24...v6.4.25)

• bug symfony/symfony#61520 [Yaml] Fix scope resolution operator in flow mapping keys (@​MatTheCat)

v6.4.24

Changelog (symfony/yaml@v6.4.23...v6.4.24)

• no significant changes

v6.4.23

Changelog (symfony/yaml@v6.4.22...v6.4.23)

• bug symfony/symfony#60648 [Yaml] fix support for years outside of the 32b range on x86 arch on PHP 8.4 (@​nicolas-grekas)

v6.4.21

... (truncated)

Commits

• 68dcd1f Merge branch '5.4' into 6.4
• b0b2705 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking
• 5a351ff [Yaml] Bound collection-alias resolution in the parser
• e4fb993 [Yaml] Reject non-stringables when using "!!binary"
• b02ba66 [Yaml] Bound recursion depth in the parser
• f8d2f4a [Yaml] fix flow collection drops &anchor and !!str &anchor items
• 323ed2d CS fixes - native_function_invocation & static_lambda
• f33e2fb Backport some CS fixes from 7.4
• fe7a693 [CS] Back config from 8.1 and apply heredoc_indentation rule
• 7bca30d [Yaml] Fix parsing nested mappings in sequences
• Additional commits viewable in compare view

Updates twig/twig from 3.18.0 to 3.27.1

Release notes

Sourced from twig/twig's releases.

v3.27.1

Changelog (twigphp/Twig@v3.27.0...v3.27.1)

• bug #4822 Fix inconsistent array access with a Stringable key (@​fabpot)
• bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (@​fabpot)

v3.27.0

Changelog (twigphp/Twig@v3.26.0...v3.27.0)

• security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@​fabpot)
• security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@​fabpot)
• security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@​fabpot)
• security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@​fabpot)
• security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@​fabpot)
• feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@​fabpot)
• feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@​fabpot)
• bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@​fabpot)
• bug #4807 Escape root profile name in HtmlDumper (@​fabpot)
• bug #4808 Restrict allowed classes in Profile::unserialize() (@​fabpot)
• feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@​fabpot)

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

• security #cve-2026-46627 Document that the sandbox doesn't protect against resource exhaustion (@​fabpot)
• security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (@​fabpot)
• security #cve-2026-46634 Document template_from_string caveats when used in a sandboxed env (@​fabpot)
• security #cve-2026-46635 Fix sandbox bypass in the "column" filter (@​alexandre-daubois)
• security #cve-2026-47732 [Sandbox] Fix __toString() support (@​fabpot)
• security #cve-2026-47730 [Profiler] Escape template and profile names in HtmlDumper (@​nicolas-grekas)
• security #cve-2026-46640 Fix sandbox bypass: PHP code injection via _self / import macro reference (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46638 Fix sandbox bypass in the { sandbox } tag when including a preloaded template (@​alexandre-daubois)
• security #cve-2026-46633 Fix sandbox bypass: PHP code injection via { use } template name (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter (@​alexandre-daubois)
• security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@​nicolas-grekas)
• security #cve-2026-46639 Fix sandbox bypass in object destructuring assignment (@​alexandre-daubois)
• security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing (@​fabpot)

v3.25.0

Changelog (twigphp/Twig@v3.24.0...v3.25.0)

• feature #4795 Lazy load EscaperRuntime in EscaperExtension (@​GromNaN)
• feature #4800 Add a needs_is_sandboxed option for filters, functions, and tests (@​fabpot)
• bug #4797 Make embeds deterministic (@​itsalmostchristmas)

v3.24.0

Changelog (twigphp/Twig@v3.23.0...v3.24.0)

• feature #3930 Add an html_attr function to make outputting HTML attributes easier (@​mpdude, @​polarbirke)
• bug #4778 Fix null coalescing operator with imported macros (@​fabpot)

... (truncated)

Changelog

Sourced from twig/twig's changelog.

3.27.1 (2026-05-30)

• Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path
• Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array

3.27.0 (2026-05-27)

• Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
• Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
• Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
• Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
• Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
• Escape root profile name in HtmlDumper
• Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
• Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
• Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
• Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
• Fix sandbox __toString bypass via the in and not in operators
• Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
• Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
• Fix sandbox __toString policy bypass via dynamic mapping keys

3.26.0 (2026-05-20)

• Document that the sandbox doesn't protect against resource exhaustion
• Document template_from_string caveats when used in a sandboxed environment
• Add docs on Markup about the goal of this class in the context of a sandbox
• Pre-escape HTML input on the spaceless filter
• Pre-escape HTML input on inline_css and inky_to_html filters
• Fix XSS by adjusting is_safe annotation on HTML-emitting filters
• [Profiler] Escape template and profile names in HtmlDumper
• Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
• Fix sandbox bypass in the "column" filter
• Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
• Fix sandbox bypass: PHP code injection via {% use %} template name
• Fix sandbox bypass: PHP code injection via _self / import macro reference
• Fix sandbox bypass in object destructuring assignment
• Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
• Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
• Fix sandbox __toString bypasses
• Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

3.25.0 (2026-05-17)

• Add a needs_is_sandboxed option for filters, functions, and tests
• Use deterministic suffixes for generated embed classes
• Lazy-load EscaperRuntime in EscaperExtension

3.24.0 (2026-03-17)

... (truncated)

Commits

• ae2071b Prepare the 3.27.1 release
• 79884de bug #4822 Fix inconsistent array access with a Stringable key (fabpot)
• 8ec9530 Fix inconsistent array access with a Stringable key
• dfb5232 bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (f...
• d25f98f Preserve IteratorAggregate identity in sandbox __toString walker
• 118938b Fix tests
• 86f3b3a Bump version
• 04ae1bf Prepare the 3.27.0 release
• 99a1038 security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox ...
• 23eb6eb Fix sandbox filter/tag/function allow-list bypass when sandbox state changes ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.