Problem/Motivation

https://github.com/twigphp/Twig/releases/tag/v3.27.0

Twig once again has security vulnerabilities, and Drupal pins the vulnerable version, preventing Composer from installing or updating Drupal.

Problem 1
- Root composer.json requires drupal/core-recommended ^11.3.10 -> satisfiable by drupal/core-recommended[11.3.10].
- drupal/core-recommended 11.3.10 requires twig/twig ~v3.26.0 -> found twig/twig[v3.26.0] but these were not loaded, because they are affected by security advisories ("PKSA-fbvq-z33h-r2np", "PKSA-g9zw-qxh8-pq8w", "PKSA-yd6k-t2gh-1m43", "PKSA-1tmc-rt7x-12w6", "PKSA-xx6c-6d96-db2w"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Steps to reproduce

  1. Install Drupal core using drupal/core-recommended 11.3.10.
  2. Run: composer audit
  3. Observe the vulnerabilities reported for twig/twig.
  4. Run: composer update twig/twig -W
  5. Observe that Composer cannot resolve dependencies because the vulnerable version is pinned by drupal/core-recommended.

Proposed resolution

Update the pinned twig/twig version in drupal/core-recommended to a non-vulnerable release: v3.27.0

Also, we should consider what to do if this keeps happening more frequently. With AI being used more and more to find vulnerabilities, it's likely that the frequency of vulnerability fixes will increase.

Workaround

composer require "twig/twig:v3.27.0 as v3.26.0"
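To make the conflict above concrete, here is an added example (not code from the issue, Drupal, or Composer) that models the three ingredients in a few lines of Python: the `~v3.26.0` constraint drupal/core-recommended places on twig/twig, the advisory block that `composer audit` applies to v3.26.0, and the inline alias used in the workaround. The advisory ids and version numbers are the ones quoted in the Composer error; the mapping of those ids to v3.26.0, the list of available versions, and the resolver logic are assumptions made for this model and are far simpler than Composer's real solver.

```python
"""Model of why Composer refuses drupal/core-recommended 11.3.10 once twig/twig
v3.26.0 is flagged by advisories, and how the inline alias workaround resolves it.
Added example, not Composer's or Drupal's code; the resolver here is a
deliberately simplified stand-in."""
import re

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(v):
    """Turn 'v3.26.0' or '3.26.0' into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def constraint_range(constraint):
    """Translate ~x.y.z, ^x.y.z or an exact version into
    (lower bound inclusive, upper bound exclusive)."""
    c = constraint.strip()
    if c.startswith("~"):
        major, minor, patch = parse_version(c[1:])
        # ~3.26.0 means >=3.26.0 <3.27.0: only the last digit may move
        return (major, minor, patch), (major, minor + 1, 0)
    if c.startswith("^"):
        major, minor, patch = parse_version(c[1:])
        # ^3.26.0 means >=3.26.0 <4.0.0
        return (major, minor, patch), (major + 1, 0, 0)
    exact = parse_version(c)
    return exact, (exact[0], exact[1], exact[2] + 1)


def satisfies(version, constraint):
    lo, hi = constraint_range(constraint)
    return lo <= parse_version(version) < hi


# Versions of twig/twig visible to the resolver in this scenario (constructed,
# trimmed to the two releases the issue is about).
AVAILABLE = ["v3.26.0", "v3.27.0"]

# Advisory ids quoted in the Composer error from the issue. Attaching all of
# them to v3.26.0 is an assumption for this model.
ADVISORIES = {
    "v3.26.0": [
        "PKSA-fbvq-z33h-r2np", "PKSA-g9zw-qxh8-pq8w", "PKSA-yd6k-t2gh-1m43",
        "PKSA-1tmc-rt7x-12w6", "PKSA-xx6c-6d96-db2w",
    ],
}


def resolve(constraint, available=AVAILABLE, advisories=ADVISORIES,
            aliases=None, ignore=(), block_insecure=True):
    """Return (installable, blocked): versions that satisfy the constraint and
    may be installed, and versions that matched but were refused because of
    advisories not listed in `ignore` (Composer's audit.ignore / block-insecure)."""
    aliases = aliases or {}
    installable, blocked = [], {}
    for v in available:
        # An inline alias "v3.27.0 as v3.26.0" lets v3.27.0 match a constraint
        # written for v3.26.0 while the code actually installed is v3.27.0.
        effective = aliases.get(v, v)
        if not satisfies(effective, constraint):
            continue
        open_advisories = [a for a in advisories.get(v, []) if a not in ignore]
        if block_insecure and open_advisories:
            blocked[v] = open_advisories
        else:
            installable.append(v)
    return installable, blocked


if __name__ == "__main__":
    pin = "~v3.26.0"  # what drupal/core-recommended 11.3.10 requires
    print("plain:", resolve(pin))
    print("with alias:", resolve(pin, aliases={"v3.27.0": "v3.26.0"}))
    print("block-insecure off:", resolve(pin, block_insecure=False))
```

Running it shows the three outcomes side by side: with the pin alone nothing is installable, because v3.27.0 is outside `~v3.26.0` and v3.26.0 is blocked by the advisories; the alias makes v3.27.0 installable while still keeping v3.26.0 blocked, which is why the workaround gets the patched code onto the site; and disabling `block-insecure` or ignoring the advisories makes the resolver succeed by installing the vulnerable v3.26.0, which is the trade-off the Composer message is pointing at.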

Issue fork drupal-3592382


Comments

longwave created an issue. See original summary.

godotislate:

Tested patch locally, works against main.

Diff does not apply to 11.x, so there'll likely need to be separate MRs for backports.

godotislate:

Status: Active » Reviewed & tested by the community

MRs for main, 11.4.x, 11.3.x, 10.6.x all look good and passed.

  • 11.x failed on OpenTelemetryNodePagePerformanceTest, known to fail intermittently
  • 11.2.x has deprecation warnings and maybe a random failure?
  • 10.5.x failed on SettingsTrayBlockFormTest, also known to fail intermittently

lgtm, though we can rerun those jobs just in case.

  • catch committed 68cf8d51 on main
    task: #3592382 Update Twig to v3.27.0
    
    By: longwave
    By: godotislate
    

  • catch committed b8f8871c on 11.x
    task: #3592382 Update Twig to v3.27.0
    
    By: longwave
    By: godotislate
    

  • catch committed f94f8bd3 on 11.2.x
    task: #3592382 Update Twig to v3.27.0
    
    By: longwave
    By: godotislate
    

  • catch committed ea59f00a on 11.3.x
    task: #3592382 Update Twig to v3.27.0
    
    By: longwave
    By: godotislate
    

  • catch committed 87592535 on 11.4.x
    task: #3592382 Update Twig to v3.27.0
    
    By: longwave
    By: godotislate
    (...
longwave:

11.2 looks like random failures, rerunning

catch:

Status: Reviewed & tested by the community » Needs work

Committed/pushed everything to the respective branches except the 10.5 MR which appears to have unrelated version changes in components.

Edit: so does 11.2.x, but I apparently did not spot that one; reverted just until it's confirmed that this should actually happen, or until it's fixed.

  • catch committed 1c822ef7 on 11.2.x
    Revert "task: #3592382 Update Twig to v3.27.0"
    
    This reverts commit...
godotislate:

I think 10.5 and 11.2 have additional changes because they weren't set back to dev previously?

longwave changed the visibility of the branch 3592382-update-twig-3.27-11.x to active.

longwave changed the visibility of the branch 3592382-update-twig-3.27-11.x to hidden.

godotislate:

Yeah, there are no "Back to dev" commits on 11.2.x or 10.5.x after 11.2.12 and 10.5.10.

longwave changed the visibility of the branch 3592382-update-twig-3.27-11.2.x to active.

longwave:

Status: Needs work » Reviewed & tested by the community

I think the merge part of the security tagging script doesn't quite do the correct thing in all cases. This means that 11.2.x and 10.5.x didn't correctly get their various composer.jsons reverted to the dev version. The changes in these branches bring them back in line with how they should be compared to the other branches, so this is the correct thing to do in order for us to do normal patch releases of all branches to bump the dependencies.

  • catch committed 3210e3ef on 11.2.x
    task: #3592382 Update Twig to v3.27.0
    
    By: longwave
    By: godotislate
    

  • catch committed b6200b97 on 10.5.x
    task: #3592382 Update Twig to v3.27.0
    
    By: longwave
    By: godotislate
    
catch:

Version: main » 10.5.x-dev
Status: Reviewed & tested by the community » Fixed

OK, clarified that while the 11.2 and 10.5 MR changes were a slight oddity due to the security-only status of 11.2 and 10.5 and previous security releases, they do in fact get us to the right place.

Committed/pushed to 11.2.x and 10.5.x, thanks!


solideogloria:

Issue summary: View changes

Updated to have a more useful issue summary that includes info about the vulnerabilities and the workaround.

  • catch committed ad070561 on 10.6.x
    task: #3592382 Update Twig to v3.27.0
    
    By: longwave
    By: godotislate
    
solideogloria:

Issue tags: +Security