Twig 3.19.0 update blocked by core dependencies

Created on 30 January 2025, 24 days ago

Problem/Motivation

Reference: Twig security issue where escaping was missing when using null coalesce operator.
https://github.com/advisories/GHSA-3xg3-cgvq-2xwr

Attempting to update twig/twig to version 3.19.0 results in dependency conflicts with Drupal core and related packages.

Current Dependencies Blocking Update

composer why twig/twig

chi-teck/drupal-code-generator 4.1.0 requires twig/twig (^3.4)
drupal/core 11.1.1 requires twig/twig (^3.15.0)
drupal/core-recommended 11.1.1 requires twig/twig (~v3.16.0)
drupal/twig_tweak 3.4.0 requires twig/twig (^3.10.3)
symfony/http-kernel v7.2.3 conflicts twig/twig (<3.12)

Steps to reproduce

Run the following command to update Twig:
composer require twig/twig:^3.19.0 --with-all-dependencies

Composer fails with dependency conflicts related to drupal/core-recommended, twig_tweak, and chi-teck/drupal-code-generator.

Proposed resolution

Update drupal/core-recommended to support twig/twig:^3.19.0.

Ensure compatibility updates for dependent modules like drupal/twig_tweak and chi-teck/drupal-code-generator.
Review and align with symfony/http-kernel requirements.

Remaining tasks

Identify necessary updates to drupal/core-recommended and related packages.
Investigate if other modules/extensions are affected.
Create/update patches to allow twig/twig:^3.19.0.
Test compatibility after updates.

User interface changes

None expected.

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

11.1 🔥

Component

composer

Created by

🇬🇧United Kingdom harpade
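
Added example, not part of the original issue and not Composer's own code: a small Python check of the constraints listed in the `composer why twig/twig` output above against a target Twig version, to show which of them actually exclude 3.19.0. It assumes simplified handling of only the `^`, `~` and `<` operators that appear in that listing; the function names are hypothetical.

```python
import re

# Constraints copied from the `composer why twig/twig` output in this issue.
REQUIRES = {
    "chi-teck/drupal-code-generator 4.1.0": "^3.4",
    "drupal/core 11.1.1": "^3.15.0",
    "drupal/core-recommended 11.1.1": "~v3.16.0",
    "drupal/twig_tweak 3.4.0": "^3.10.3",
}
CONFLICTS = {"symfony/http-kernel v7.2.3": "<3.12"}

def parse(version):
    """'v3.16.0' -> (3, 16, 0); missing parts are padded with zeros."""
    parts = [int(p) for p in version.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def bump(v, i):
    """Increment part i and zero everything to its right."""
    return v[:i] + (v[i] + 1,) + (0,) * (2 - i)

def bounds(constraint):
    """(lower, exclusive upper) for the ^, ~ and < forms seen on this page."""
    op, raw = re.fullmatch(r"([\^~<])(v?[\d.]+)", constraint).groups()
    v, given = parse(raw), raw.count(".") + 1
    if op == "<":
        return (0, 0, 0), v
    if op == "^":  # caret: stay below the next bump of the first non-zero part
        return v, bump(v, next((k for k, p in enumerate(v) if p), 2))
    # tilde: only the last part that was written may increase
    return v, bump(v, max(given - 2, 0))

def matches(constraint, version):
    """True when `version` falls inside the range the constraint describes."""
    lo, hi = bounds(constraint)
    return lo <= parse(version) < hi

def blockers(target):
    """Packages from the listing whose constraint rules out `target`."""
    out = [pkg for pkg, c in REQUIRES.items() if not matches(c, target)]
    out += [pkg for pkg, c in CONFLICTS.items() if matches(c, target)]
    return out

if __name__ == "__main__":
    for target in ("3.16.2", "3.19.0"):
        print(target, "blocked by:", blockers(target) or "nothing listed")
```

On a real project, `composer why-not twig/twig 3.19.0` answers the same question against the full resolved dependency set rather than this five-line listing.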
