Update Twig to 3.5.0

Hi @chi,

I ran composer show on twig/twig package it says it's at v1.42.3 already?

Do we need to still update it?

➜  drupal git:(8.9.x) ✗ composer show | grep twig
twig/twig                            v1.42.3            Twig, the flexible, fast, and secure template language for PHP

Meantime patch upgrades twig to v1.42.4

D9 is using Twig 2.x; so this is definitely a D8.9 target; however, I guess there should be an issue with updating all the dependencies

So, this patch must update the required minimal twig version alone; and should not touch composer.lock(s). See #3122112: Update dependencies for Drupal 8.9

The question is what minimum version we would like to require: 1.41 or newer

I think 1.41 is a good start, based on the issue description. Although 1.43.0 is out already, which we could use as a minimum. It drops php 5 and 7.0 support, but drupal 8.9 doesn't support those either so that shouldn't be a problem.

Uploading a patch with 1.41 for now (removed composer.lock changes), just so I can use it in a project.

re-purposed the issue for current upgrade as it was outdated

- 3.5.0 is the current latest version https://packagist.org/packages/twig/twig
- Patch only updates twig/twig to that version
- TestBot is happily green

RTBC for me.

Committed/pushed to 10.1.x, thanks!

We wouldn't normally update to a minor version of a dependency in a patch version of core, but it would help us if there's a security release probably, so leaving open for discussion. Maybe we could update but continue allowing the older version in composer.json?

I've opened a new issue for the 9.5 update since it'll need its own release note and etc. #3330465: Update Twig to 2.15.4.

We should consider asking them if they'd backport the PHP 8 compatibility fixes to Twig 3.4 before we backport a minor update to 10.0.x.

I've looked at https://github.com/twigphp/Twig/compare/v3.4.3...v3.5.0 and I think it is safe to update to 3.5.0 in the next patch release of Drupal. There are only additions and I couldn't spot any deprecations of changes that are consequential in terms of API change.

In that's case, let's do a lockfile-only update for 10.0.x now, before the patch release, with the Composer command to update core-recommended in the release notes.

Here's a patch for Drupal 10.0.x.

As per @xjm no change to core/composer.json so people can keep on the old minor if necessary.

RTBC if TestBot agrees

Wrote a proper release note.

Committed the backport to 10.0.x. Thanks!

This change is covered by the standard minor release note of:

Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.
Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility. This ensures that if any composer package that Drupal core depends upon has a security release, the Drupal core security update will be non-disruptive, because if possible no minor version increase will occur for the affected dependency, only a patch version increase.