
Update dependency twig/twig to v3.19.0 [SECURITY] #354

Merged: 1 commit merged into develop from renovate/packagist-twig-twig-vulnerability on Jan 30, 2025

Conversation

titouanmathis
Contributor

This PR contains the following updates:

Package             Type     Update   Change
twig/twig (source)  require  minor    3.14.2 -> 3.19.0
twig/twig (source)  require  minor    3.18.0 -> 3.19.0

Twig security issue where escaping was missing when using null coalesce operator

CVE-2025-24374 / GHSA-3xg3-cgvq-2xwr

More information

Details

When using the ?? operator, output escaping was missing for the expression on the left side of the operator.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

twigphp/Twig (twig/twig)

v3.19.0

  • Fix a security issue where escaping was missing when using ??
  • Deprecate Token::getType(), use Token::test() instead
  • Add Token::toEnglish()
  • Add ForElseNode
  • Deprecate Twig\ExpressionParser::parseOnlyArguments() and
    Twig\ExpressionParser::parseArguments() (use
    Twig\ExpressionParser::parseNamedArguments() instead)
  • Fix constant() behavior when used with ??
  • Add the invoke filter
  • Make {} optional for the types tag
  • Add LastModifiedExtensionInterface and implementation in AbstractExtension to track modification of runtime classes
  • Ignore static properties when using the dot operator

v3.18.0

  • Fix unary operator precedence change
  • Ignore SyntaxError exceptions from undefined handlers when using the guard tag
  • Add a way to stream template rendering (TemplateWrapper::stream() and TemplateWrapper::streamBlock())

v3.17.1

  • Fix the null coalescing operator when the test returns null
  • Fix the Elvis operator when used as '? :' instead of '?:'
  • Support for invoking closures

v3.17.0

  • Fix ArrayAccess with objects as keys
  • Support underscores in number literals
  • Deprecate ConditionalExpression and NullCoalesceExpression (use ConditionalTernary and NullCoalesceBinary instead)

v3.16.0

  • Deprecate InlinePrint
  • Fix having macro variables starting with an underscore
  • Deprecate not passing a Source instance to TokenStream
  • Deprecate returning null from TwigFilter::getSafe() and TwigFunction::getSafe(), return [] instead

v3.15.0

  • [BC BREAK] Add support for accessing class constants with the dot operator;
    this can be a BC break if you don't use UPPERCASE constant names
  • Add Spanish inflector support for the plural and singular filters in the String extension
  • Deprecate TempNameExpression in favor of LocalVariable
  • Deprecate NameExpression in favor of ContextVariable
  • Deprecate AssignNameExpression in favor of AssignContextVariable
  • Remove MacroAutoImportNodeVisitor
  • Deprecate MethodCallExpression in favor of MacroReferenceExpression
  • Fix support for the "is defined" test on _self.xxx (auto-imported) macros
  • Fix support for the "is defined" test on inherited macros
  • Add named arguments support for the dot operator arguments (foo.bar(some: arg))
  • Add named arguments support for macros
  • Add a new guard tag that allows to test if some Twig callables are available at compilation time
  • Allow arrow functions everywhere
  • Deprecate passing a string or an array to Twig callable arguments accepting arrow functions (pass a \Closure)
  • Add support for triggering deprecations for future operator precedence changes
  • Deprecate using the not unary operator in an expression with *, /, //, or % without using explicit parentheses to clarify precedence
  • Deprecate using the ?? binary operator without explicit parentheses
  • Deprecate using the ~ binary operator in an expression with + or - without using parentheses to clarify precedence
  • Deprecate not passing AbstractExpression args to most constructor arguments for classes extending AbstractExpression
  • Fix power expressions with a negative number in parenthesis ((-1) ** 2)
  • Deprecate instantiating Node directly. Use EmptyNode or Nodes instead.
  • Add support for inline comments
  • Add Profile::getStartTime() and Profile::getEndTime()
  • Fix "ignore missing" when used on an "embed" tag
  • Fix the possibility to override an aliased block (via use)
  • Add template cache hot reload
  • Allow Twig callable argument names to be free-form (snake-case or camelCase) independently of the PHP callable signature
    They were automatically converted to snake-cased before
  • Deprecate the attribute function; use the . notation and wrap the name with parenthesis instead
  • Add support for argument unpackaging
  • Add JSON support for the file extension escaping strategy
  • Support Markup instances (and any other \Stringable) as dynamic mapping keys
  • Deprecate the sandbox tag
  • Improve the way one can deprecate a Twig callable (use deprecation_info instead of the other callable options)
  • Add the enum function
  • Add support for logical xor operator

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
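To confirm on the merged branch that the advisory above (CVE-2025-24374 / GHSA-3xg3-cgvq-2xwr) is actually closed, the following regression test renders the `{{ left ?? right }}` pattern with a markup-bearing left operand and checks that autoescaping applies. This is an added example, not code from the Renovate PR or from the Twig project; it assumes Twig >= 3.19.0 is installed through Composer with the autoloader at vendor/autoload.php, and the template and input values are constructed for the test.

```php
<?php
// Added regression test (not part of this PR or of Twig itself).
// Assumes Twig >= 3.19.0 is installed via Composer and autoloadable
// from vendor/autoload.php. Exercises the pattern from GHSA-3xg3-cgvq-2xwr:
// the LEFT operand of `??` must be auto-escaped like any other output.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

/**
 * Render a constructed template whose `??` left operand is user-controlled
 * and whose right operand is a literal fallback.
 */
function renderNullCoalesce(?string $name): string
{
    $loader = new ArrayLoader([
        'greet' => '<p>Hello {{ name ?? "anonymous" }}</p>',
    ]);
    // 'html' is Twig's default strategy; set it explicitly so the test is unambiguous.
    $twig = new Environment($loader, ['autoescape' => 'html', 'cache' => false]);

    return $twig->render('greet', ['name' => $name]);
}

// Constructed input containing markup: on a patched Twig it must come out escaped.
$rendered = renderNullCoalesce('<b>not markup</b>');
$expected = '<p>Hello &lt;b&gt;not markup&lt;/b&gt;</p>';
if ($rendered !== $expected) {
    fwrite(STDERR, "FAIL: left operand of ?? rendered unescaped: {$rendered}\n");
    exit(1);
}

// The fallback branch must still be taken for a null (or undefined) left operand.
if (renderNullCoalesce(null) !== '<p>Hello anonymous</p>') {
    fwrite(STDERR, "FAIL: ?? fallback branch no longer works\n");
    exit(1);
}

echo 'OK: Twig ' . Environment::VERSION . " escapes the left operand of ??\n";
```

Run it once against the locked 3.19.0 in CI; the same script exits non-zero on the affected 3.18.0 and earlier, which makes it a useful guard against an accidental downgrade of the lock file.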

@titouanmathis
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock
Command failed: composer update twig/twig:3.19.0 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - pestphp/pest is locked to version v2.36.0 and an update of this package was not requested.
    - brianium/paratest v7.3.1 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.3) does not satisfy that requirement.
    - pestphp/pest v2.36.0 requires brianium/paratest ^7.3.1 -> satisfiable by brianium/paratest[v7.3.1].


Export Size

Unchanged

@studiometa/ui


codecov bot commented Jan 30, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.78%. Comparing base (da1bced) to head (e278502).
Report is 2 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop     #354   +/-   ##
========================================
  Coverage    79.78%   79.78%           
========================================
  Files           92       92           
  Lines         3205     3205           
  Branches       324      324           
========================================
  Hits          2557     2557           
  Misses         648      648           
Flag        Coverage Δ
unittests   79.78% <ø> (ø)

Flags with carried forward coverage won't be shown.

@titouanmathis titouanmathis force-pushed the renovate/packagist-twig-twig-vulnerability branch from 509fcb2 to e278502 Compare January 30, 2025 07:30
@titouanmathis titouanmathis merged commit b7c48b4 into develop Jan 30, 2025
23 checks passed
@titouanmathis titouanmathis deleted the renovate/packagist-twig-twig-vulnerability branch January 30, 2025 07:58