Bump the php-prod group across 1 directory with 9 updates

[dependabot]

Bumps the php-prod group with 8 updates in the / directory:

Package	From	To
doctrine/doctrine-bundle	2.18.1	2.18.3
doctrine/orm	3.5.8	3.6.7
jms/translation-bundle	2.6.0	2.7.0
nelmio/security-bundle	3.6.0	3.9.0
pagerfanta/pagerfanta	4.7.2	4.8.0
ramsey/uuid	4.9.2	4.9.3
twig/extra-bundle	3.22.2	3.24.0
twig/intl-extra	3.22.1	3.26.0

Updates doctrine/doctrine-bundle from 2.18.1 to 2.18.3

Release notes

Sourced from doctrine/doctrine-bundle's releases.

2.18.3

Release Notes for 2.18.3

2.18.x bugfix release (patch)

2.18.3

• Total issues resolved: 0
• Total pull requests resolved: 3
• Total contributors: 3

Bugfixes

• 2120: Fix attribute driver mapping pass compatibility with ORM 3 thanks to @​bobvandevijver

CI

• 2223: Bump the doctrine group with 6 updates thanks to @​dependabot[bot]

Documentation

• 2194: Fix typo in dbal.connections.default&[#95](https://github.com/doctrine/DoctrineBundle/issues/95);dbname configuration thanks to @​Kocal

2.18.2

Release Notes for 2.18.2

2.18.x bugfix release (patch)

2.18.2

• Total issues resolved: 0
• Total pull requests resolved: 9
• Total contributors: 4

Bugfixes

• 2171: Detect bundles containing only MappedSuperclass annotations thanks to @​jtattevin

Documentation

• 2173: Document command remapping thanks to @​greg0ire

CI

• 2168: Bump actions/upload-artifact from 5 to 6 thanks to @​dependabot[bot]
• 2167: Bump actions/download-artifact from 6 to 7 thanks to @​dependabot[bot]
• 2149: Bump doctrine/.github/.github/workflows/composer-lint.yml from 12.2.0 to 13.1.0 thanks to @​dependabot[bot]

... (truncated)

Commits

• 241d61f Bump codecov/codecov-action from 6 to 7
• d1013c3 remove form related services if the Form component is not installed
• 1f7d0d5 Merge pull request #2228 from MatTheCat/lazy_entity_listener
• e13fb5b Remove mention of lazy entity listeners
• 79dd830 use complete version numbers in PHP requirements
• 7a26a24 Merge pull request #2223 from doctrine/dependabot/github_actions/2.18.x/doctr...
• 67d0146 Bump the doctrine group with 6 updates
• 78f87b5 Bump codecov/codecov-action from 5 to 6
• e09da41 Bump the doctrine group with 2 updates
• cafee79 Bump ramsey/composer-install from 3 to 4
• Additional commits viewable in compare view

Updates doctrine/orm from 3.5.8 to 3.6.7

Release notes

Sourced from doctrine/orm's releases.

3.6.7

This release contains the changes from https://github.com/doctrine/orm/releases/tag/2.20.13

3.6.6

Release Notes for 3.6.6

3.6.x bugfix release (patch)

3.6.6

• Total issues resolved: 0
• Total pull requests resolved: 3
• Total contributors: 1

Bugfixes

• 12477: Avoid adding the same foreign key twice for STI thanks to @​greg0ire
• 12476: Address string default expression deprecation thanks to @​greg0ire

CI

• 12475: Use correct matrix element name thanks to @​greg0ire

3.6.5

Release Notes for 3.6.5

3.6.x bugfix release (patch)

3.6.5

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Bugfixes

• 12365: fix: allow findby strings thanks to @​vvaswani

3.6.4

Release Notes for 3.6.4

3.6.x bugfix release (patch)

3.6.4

• Total issues resolved: 0
• Total pull requests resolved: 3
• Total contributors: 3

Bugfixes

... (truncated)

Commits

• bc217c0 Merge pull request #12486 from greg0ire/3.6.x
• e75a435 Merge remote-tracking branch 'origin/2.20.x' into 3.6.x
• f525f32 Merge pull request #12482 from greg0ire/fix-el-formatting
• 4689337 Avoid passing arrays to get_class
• 471b129 Merge pull request #12477 from greg0ire/avoid-overwrite
• f2530f2 Merge pull request #12476 from greg0ire/def-expr-depr
• 18977e0 Avoid adding the same foreign key twice for STI
• 54b4f4b Address string default expression deprecation
• 8b64c10 Merge pull request #12475 from greg0ire/fix-job-labels
• fdea8dc Use correct matrix element name
• Additional commits viewable in compare view

Updates jms/translation-bundle from 2.6.0 to 2.7.0

Release notes

Sourced from jms/translation-bundle's releases.

2.7.0

What's Changed

• Fixed Symfony 7.4 incompatibility by @​Steveb-p in schmittjoh/JMSTranslationBundle#623

Full Changelog: schmittjoh/JMSTranslationBundle@2.6.0...2.7.0

Commits

• 826b292 Merge pull request #623 from Steveb-p/fix-symfony-7.4-validator-extractor
• 63e82c7 Enforce PHPStan version 11 to resolve conflict with simple-phpunit
• eea34b2 Updated CI runner
• 08a480b Use interface instead of implementation
• 74143f9 Fixed Symfony 7.4 incompatibility
• 7ae5197 Fixed Symfony 7.4 incompatibility
• See full diff in compare view

Updates nelmio/security-bundle from 3.6.0 to 3.9.0

Release notes

Sourced from nelmio/security-bundle's releases.

v3.9.0

What's Changed

• Added PHPUnit assertions for security headers and update testing documentation by @​Spomky in nelmio/NelmioSecurityBundle#389

Full Changelog: nelmio/NelmioSecurityBundle@v3.8.0...v3.9.0

v3.8.0

What's Changed

• Add Cross-Origin Policy feature with configurable headers (COEP, COOP, CORP) by @​Spomky in nelmio/NelmioSecurityBundle#372

Full Changelog: nelmio/NelmioSecurityBundle@v3.7.0...v3.8.0

v3.7.0

What's Changed

• Added support for Symfony 8 nelmio/NelmioSecurityBundle#386
• Update development dependencies to latest versions nelmio/NelmioSecurityBundle#388
• Fixed many docs issues (#376 #375 #383 #382 #384)

Full Changelog: nelmio/NelmioSecurityBundle@v3.6.0...v3.7.0

Commits

• 86dd4d1 Merge pull request #389 from Spomky/feature/test-assertions
• 0dc7667 feat(tests): Add PHPUnit assertions for security headers and update testing d...
• 2fafee1 Merge pull request #372 from Spomky/features/cross-origin-policy
• 63da27e Add Cross-Origin Policy feature with configurable headers (COEP, COOP, CORP)
• 9389ec2 Merge pull request #388 from Spomky/deps-update
• a0eac15 chore(ci): Add Symfony 8.5 to the continuous integration matrix
• d702968 chore(deps): Update PHPStan and PHPUnit versions in composer.json
• a1f20ea Merge pull request #386 from damienalexandre/symfony8
• ee3d9f1 fix(ci): Bump Symfony 7 to 7.3 minimum
• f42af6e feat(upgrade): Bump allowed Symfony version to 8
• Additional commits viewable in compare view

Updates pagerfanta/pagerfanta from 4.7.2 to 4.8.0

Changelog

Sourced from pagerfanta/pagerfanta's changelog.

4.8.0 (2026-01-22)

• Add support for doctrine/collections 3.x

Commits

• 72881e6 Fix selectable adapter tests
• cc9f93e Fix tests
• f8e6483 Update GHA
• d25f34e Add support for doctrine/collections 3.x
• 1a18358 Rector
• 55352dc Update fixer config, tweak comments
• 71c616c Bump dev tools
• 3043e9d Add PHP 8.5 build, fix bypass config, allow Symfony 8 for dev
• 91249e4 Update 5.x requirement
• See full diff in compare view

Updates ramsey/uuid from 4.9.2 to 4.9.3

Release notes

Sourced from ramsey/uuid's releases.

4.9.3

Fixed

• Upgrade brick/math to support versions ^0.14 to ^0.17; fixed in #638.
• Add support for brick/match ^0.18.

New Contributors

• @​delolmo made their first contribution in ramsey/uuid#638

Full Changelog: ramsey/uuid@4.9.2...4.9.3

Changelog

Sourced from ramsey/uuid's changelog.

4.9.3 - 2026-06-18

Fixed

• Upgrade brick/math to support versions ^0.14 to ^0.17; fixed in #638.
• Add support for brick/match ^0.18.

Commits

• 1df1584 Prepare release 4.9.3
• 5525d34 Upgrade PHPStan to 2.2 and remove superfluous assertion
• 0d95f9e Support brick/math 0.18
• 1a1f98b [4.x] Upgrade brick/math to support versions ^0.14–^0.17 (#638)
• 3d1c6d9 chore(deps): bump codecov/codecov-action from 5 to 6
• 39d47ce chore(deps): bump ramsey/composer-install from 3 to 4
• See full diff in compare view

Updates twig/extra-bundle from 3.22.2 to 3.24.0

Release notes

Sourced from twig/extra-bundle's releases.

v3.24.0

Changelog (twigphp/twig-extra-bundle@v3.23.0...v3.24.0)

• no significant changes

v3.23.0

No release notes provided.

Commits

• 6a621fc Fix CS
• 7a27e78 minor #4718 Add .gitignore & .gitattributes to all .gitattributes (jmsche)
• 8f6488a Add .gitignore & .gitattributes to all .gitattributes
• See full diff in compare view

Updates twig/intl-extra from 3.22.1 to 3.26.0

Release notes

Sourced from twig/intl-extra's releases.

v3.26.0

Changelog (twigphp/intl-extra@v3.23.0...v3.26.0)

• security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter (@​alexandre-daubois)

v3.24.0

Changelog (twigphp/intl-extra@v3.23.0...v3.24.0)

• no significant changes

v3.23.0

No release notes provided.

Commits

• 98f5ad5 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
• 32f15a3 Add null-safe operator
• d79645e Fix intl-extra tests
• c5da148 Add .gitignore & .gitattributes to all .gitattributes
• See full diff in compare view

Updates twig/twig from 3.22.2 to 3.27.1

Release notes

Sourced from twig/twig's releases.

v3.27.1

Changelog (twigphp/Twig@v3.27.0...v3.27.1)

• bug #4822 Fix inconsistent array access with a Stringable key (@​fabpot)
• bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (@​fabpot)

v3.27.0

Changelog (twigphp/Twig@v3.26.0...v3.27.0)

• security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@​fabpot)
• security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@​fabpot)
• security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@​fabpot)
• security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@​fabpot)
• security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@​fabpot)
• feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@​fabpot)
• feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@​fabpot)
• bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@​fabpot)
• bug #4807 Escape root profile name in HtmlDumper (@​fabpot)
• bug #4808 Restrict allowed classes in Profile::unserialize() (@​fabpot)
• feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@​fabpot)

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

• security #cve-2026-46627 Document that the sandbox doesn't protect against resource exhaustion (@​fabpot)
• security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (@​fabpot)
• security #cve-2026-46634 Document template_from_string caveats when used in a sandboxed env (@​fabpot)
• security #cve-2026-46635 Fix sandbox bypass in the "column" filter (@​alexandre-daubois)
• security #cve-2026-47732 [Sandbox] Fix __toString() support (@​fabpot)
• security #cve-2026-47730 [Profiler] Escape template and profile names in HtmlDumper (@​nicolas-grekas)
• security #cve-2026-46640 Fix sandbox bypass: PHP code injection via _self / import macro reference (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46638 Fix sandbox bypass in the { sandbox } tag when including a preloaded template (@​alexandre-daubois)
• security #cve-2026-46633 Fix sandbox bypass: PHP code injection via { use } template name (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter (@​alexandre-daubois)
• security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@​nicolas-grekas)
• security #cve-2026-46639 Fix sandbox bypass in object destructuring assignment (@​alexandre-daubois)
• security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing (@​fabpot)

v3.25.0

Changelog (twigphp/Twig@v3.24.0...v3.25.0)

• feature #4795 Lazy load EscaperRuntime in EscaperExtension (@​GromNaN)
• feature #4800 Add a needs_is_sandboxed option for filters, functions, and tests (@​fabpot)
• bug #4797 Make embeds deterministic (@​itsalmostchristmas)

v3.24.0

Changelog (twigphp/Twig@v3.23.0...v3.24.0)

• feature #3930 Add an html_attr function to make outputting HTML attributes easier (@​mpdude, @​polarbirke)
• bug #4778 Fix null coalescing operator with imported macros (@​fabpot)

... (truncated)

Changelog

Sourced from twig/twig's changelog.

3.27.1 (2026-05-30)

• Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path
• Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array

3.27.0 (2026-05-27)

• Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
• Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
• Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
• Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
• Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
• Escape root profile name in HtmlDumper
• Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
• Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
• Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
• Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
• Fix sandbox __toString bypass via the in and not in operators
• Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
• Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
• Fix sandbox __toString policy bypass via dynamic mapping keys

3.26.0 (2026-05-20)

• Document that the sandbox doesn't protect against resource exhaustion
• Document template_from_string caveats when used in a sandboxed environment
• Add docs on Markup about the goal of this class in the context of a sandbox
• Pre-escape HTML input on the spaceless filter
• Pre-escape HTML input on inline_css and inky_to_html filters
• Fix XSS by adjusting is_safe annotation on HTML-emitting filters
• [Profiler] Escape template and profile names in HtmlDumper
• Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
• Fix sandbox bypass in the "column" filter
• Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
• Fix sandbox bypass: PHP code injection via {% use %} template name
• Fix sandbox bypass: PHP code injection via _self / import macro reference
• Fix sandbox bypass in object destructuring assignment
• Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
• Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
• Fix sandbox __toString bypasses
• Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

3.25.0 (2026-05-17)

• Add a needs_is_sandboxed option for filters, functions, and tests
• Use deterministic suffixes for generated embed classes
• Lazy-load EscaperRuntime in EscaperExtension

3.24.0 (2026-03-17)

... (truncated)

Commits

• ae2071b Prepare the 3.27.1 release
• 79884de bug #4822 Fix inconsistent array access with a Stringable key (fabpot)
• 8ec9530 Fix inconsistent array access with a Stringable key
• dfb5232 bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (f...
• d25f98f Preserve IteratorAggregate identity in sandbox __toString walker
• 118938b Fix tests
• 86f3b3a Bump version
• 04ae1bf Prepare the 3.27.0 release
• 99a1038 security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox ...
• 23eb6eb Fix sandbox filter/tag/function allow-list bypass when sandbox state changes ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions