Bump twig/twig from 3.24.0 to 3.26.0

[dependabot]

Bumps twig/twig from 3.24.0 to 3.26.0.

Release notes

Sourced from twig/twig's releases.

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

• security #cve-2026-46627 Document that the sandbox doesn't protect against resource exhaustion (@​fabpot)
• security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (@​fabpot)
• security #cve-2026-46634 Document template_from_string caveats when used in a sandboxed env (@​fabpot)
• security #cve-2026-46635 Fix sandbox bypass in the "column" filter (@​alexandre-daubois)
• security #cve-2026-47732 [Sandbox] Fix __toString() support (@​fabpot)
• security #cve-2026-47730 [Profiler] Escape template and profile names in HtmlDumper (@​nicolas-grekas)
• security #cve-2026-46640 Fix sandbox bypass: PHP code injection via _self / import macro reference (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46638 Fix sandbox bypass in the { sandbox } tag when including a preloaded template (@​alexandre-daubois)
• security #cve-2026-46633 Fix sandbox bypass: PHP code injection via { use } template name (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter (@​alexandre-daubois)
• security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@​nicolas-grekas)
• security #cve-2026-46639 Fix sandbox bypass in object destructuring assignment (@​alexandre-daubois)
• security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing (@​fabpot)

v3.25.0

Changelog (twigphp/Twig@v3.24.0...v3.25.0)

• feature #4795 Lazy load EscaperRuntime in EscaperExtension (@​GromNaN)
• feature #4800 Add a needs_is_sandboxed option for filters, functions, and tests (@​fabpot)
• bug #4797 Make embeds deterministic (@​itsalmostchristmas)

Changelog

Sourced from twig/twig's changelog.

3.26.0 (2026-05-20)

• Document that the sandbox doesn't protect against resource exhaustion
• Document template_from_string caveats when used in a sandboxed environment
• Add docs on Markup about the goal of this class in the context of a sandbox
• Pre-escape HTML input on the spaceless filter
• Pre-escape HTML input on inline_css and inky_to_html filters
• Fix XSS by adjusting is_safe annotation on HTML-emitting filters
• [Profiler] Escape template and profile names in HtmlDumper
• Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
• Fix sandbox bypass in the "column" filter
• Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
• Fix sandbox bypass: PHP code injection via {% use %} template name
• Fix sandbox bypass: PHP code injection via _self / import macro reference
• Fix sandbox bypass in object destructuring assignment
• Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
• Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
• Fix sandbox __toString bypasses
• Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

3.25.0 (2026-05-17)

• Add a needs_is_sandboxed option for filters, functions, and tests
• Use deterministic suffixes for generated embed classes
• Lazy-load EscaperRuntime in EscaperExtension

Commits

• 1fcae48 Prepare the 3.26.0 release
• 40d4f8a Update CHANGELOG
• 116dae2 security #cve-2026-46627 Document that the sandbox doesn't protect against re...
• 6bfa285 Document that the sandbox doesn't protect against resource exhaustion
• 7923de1 security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (fab...
• 47ca88d security #cve-2026-46634 Document template_from_string caveats when used in a...
• 1cde8f2 Document template_from_string caveats when used in a sandboxed env
• 3190b9a Pre-escape HTML input on the spaceless filter
• b9e6e65 Add docs on Markup about the goal of this class in the context of a sandbox
• 673f02c security #cve-2026-46635 Fix sandbox bypass in the "column" filter (alexandre...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

This PR is being prevented from merging because it requires one of the following labels to be set: Bug 🐞, Dependencies 📦, Feature 🏗, Enhancement ✨, Deprecations 👋. These labels are required for automatic changelog generation.

[github-actions]

This PR is being prevented from merging because it requires one of the following labels to be set: Bug 🐞, Dependencies 📦, Feature 🏗, Enhancement ✨, Deprecations 👋. These labels are required for automatic changelog generation.

[github-actions]

This PR is being prevented from merging because it requires one of the following labels to be set: Bug 🐞, Dependencies 📦, Feature 🏗, Enhancement ✨, Deprecations 👋. These labels are required for automatic changelog generation.

[github-actions]

🏰 Composer Production Dependency changes 🏰

Prod Packages	Operation	Base	Target	Link
twig/twig	Upgraded	v3.24.0	v3.26.0	Compare