Limit Twig versions on 8.3.x

Alternative solution would be to get Composer-managed projects to use webflo/drupal-core-strict. Of course, not all (few?) projects will be using this at the moment, so directly modifying composer.json as is done here is a good idea.

c.f.: https://github.com/drupal-composer/drupal-project/pull/264

Composer seems to have some problems using drupal-core-strict in some instances. See notes in the issues linked from the PR above for details.

Could we look at fixing BC regressions upstream? One was committed recently I noticed.

Hopping to move forward but may this patch is meant to be a stopgap?

Could we look at fixing BC regressions upstream?

I totally agree we should work with the twigphp community to fix these versions upstream. In the meantime though it is useful to not introduce problems for existing nites.

In general I believe that explicit specifying which versino of a package Drupal relies it in order to function correctly is a good idea.

The only small fear I have: When we limit the core version here, we will have a problem potentially when there is a security issue coming out.

@dawehner well right now we have a huge problem if a twig security bug occurs. We'd probably have to fork and merge the fix to our supported version :(

Well either that or we include composer patches. Would that be a feasible alternative?

Patching seems like a good approach to big security bugs, but for regressions in the 1.x Twig specific problem, fixing upstream regressions seems better because leave upstream open for improvements and bug fixes. If upstream isn't receptive to our changes then maybe this is the correct approach, but this would be similar to the forking idea just a stale fork(with bits of food left from dinner on it).

The upstream bugs have been fixed.