Problem/Motivation

From the Symfony blog:
Twig 3.26.0 is a security release fixing 13 advisories, with two rated critical, three high, four medium, and four low. Almost all of them target the sandbox, the component that lets applications run untrusted templates under an explicit allow-list of tags, filters, functions, properties, and methods. All users running untrusted templates through the sandbox should upgrade immediately.

When I try to update a composer package in my Drupal 11.3.9 project:

Updating dependencies                                 
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires drupal/core-recommended 11.3.9 -> satisfiable by drupal/core-recommended[11.3.9].
    - drupal/core-recommended 11.3.9 requires twig/twig ~v3.22.0 -> found twig/twig[v3.22.0, v3.22.1, v3.22.2] but these were not loaded, because they are affected by security advisories ("PKSA-5k7f-wvjj-jrgw", "PKSA-sjvz-tbbr-vwth", "PKSA-h8hf-ytnd-5t9q", "PKSA-wwb1-81rc-pd65", "PKSA-kvv6-36cr-fkzb", "PKSA-n14z-jjjg-g8vd", "PKSA-3mcc-k66d-pydb", "PKSA-gw7n-z4yx-7xjt", "PKSA-dpx1-78wg-1kqs", "PKSA-21g2-dzjv-sky5"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
Comment #4: 3591057-update-twig-3.26.0.patch (61.83 KB), by mukeshaddweb

Issue fork drupal-3591057

Comments

flyke created an issue. See original summary.

flyke’s picture

Component: theme system » base system
Priority: Major » Critical
flyke’s picture

Temporary workaround for those that need to finish a project today but are stuck on this:
composer require twig/twig:'3.26 as 3.22.3'
Don't assume everything works after that, test rigorously.
In my Drupal 11.3.9 project using canvas and other contrib and custom modules, everything seems to be working.
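
An added example (not code from this issue, from Drupal or from Composer) modelling why the install above fails and why the inline alias in that workaround gets past it. It implements Composer-style tilde constraints (~v3.22.0 means >=3.22.0,<3.23.0), an advisory filter in the spirit of the audit "block-insecure" setting, and an inline alias ("X as Y": the real package X is installed, the solver is shown version Y). The advisory ids, the available-version list and the rule that the advisory check applies to the real rather than the aliased version are constructed assumptions of this model, not facts taken from the page.

```python
"""Model of the failed resolution and the '3.26 as 3.22.3' alias workaround.

Added example, not Composer's own solver. Only tilde constraints are handled.
Advisory ids and version lists below are constructed for this example.
"""
import re


def parse_version(v):
    """'v3.22.1' or '3.26' -> (3, 22, 1) / (3, 26, 0); missing components are 0."""
    parts = [int(p) for p in v.strip().lstrip("v").split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def tilde_range(constraint):
    """'~v3.22.0' -> ((3,22,0), (3,23,0)); the upper bound is exclusive.
    Composer's tilde bumps the second-to-last given component: ~3.22 -> <4.0.0."""
    m = re.fullmatch(r"~v?(\d+(?:\.\d+)*)", constraint.strip())
    if not m:
        raise ValueError("only tilde constraints are modelled: %r" % constraint)
    given = [int(p) for p in m.group(1).split(".")]
    bump = given[:-1] if len(given) > 1 else given
    bump = bump[:-1] + [bump[-1] + 1]
    return parse_version(m.group(1)), tuple((bump + [0, 0, 0])[:3])


def satisfies(version, constraint):
    lower, upper = tilde_range(constraint)
    return lower <= parse_version(version) < upper


def is_insecure(version, advisories):
    """Ids of advisories whose fix version is above `version`
    (the idea behind Composer's audit "block-insecure" setting)."""
    v = parse_version(version)
    return [aid for aid, fixed_in in advisories if v < parse_version(fixed_in)]


def resolve(constraint, available, advisories, alias=None):
    """Pick the highest available version that (a) the solver sees as matching
    `constraint` and (b) is not blocked by an advisory.  `alias` maps a real
    version to the version the solver is shown, like Composer's 'X as Y'.
    Assumption of this model: the advisory check runs against the real version.
    Returns (chosen_real_version_or_None, [(blocked_version, advisory_ids), ...])."""
    alias = alias or {}
    blocked = []
    for real in sorted(available, key=parse_version, reverse=True):
        seen = alias.get(real, real)
        if not satisfies(seen, constraint):
            continue
        hits = is_insecure(real, advisories)
        if hits:
            blocked.append((real, hits))
            continue
        return real, blocked
    return None, blocked


# Constructed data: the versions the solver found in the error above plus the
# fixed release; the advisory ids are placeholders, not the real PKSA ids.
AVAILABLE = ["v3.22.0", "v3.22.1", "v3.22.2", "v3.26.0"]
ADVISORIES = [("PKSA-example-1", "3.26.0"), ("PKSA-example-2", "3.26.0")]
CORE_CONSTRAINT = "~v3.22.0"  # what drupal/core-recommended 11.3.9 requires


def without_workaround():
    # Every 3.22.x candidate is insecure, 3.26.0 does not match ~v3.22.0: no solution.
    return resolve(CORE_CONSTRAINT, AVAILABLE, ADVISORIES)  # -> (None, 3 blocked entries)


def with_workaround():
    # composer require twig/twig:'3.26 as 3.22.3' -> real 3.26.0, shown as 3.22.3
    return resolve(CORE_CONSTRAINT, AVAILABLE, ADVISORIES,
                   alias={"v3.26.0": "3.22.3"})  # -> ("v3.26.0", [])


if __name__ == "__main__":
    print("without alias:", without_workaround())
    print("with alias:   ", with_workaround())
```

The alias does not make the solver's constraint correct; it hides the mismatch. That is why the comment's advice to test rigorously matters: the installed Twig is 3.26.0 while every constraint check still believes it is a 3.22.x release.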

mukeshaddweb’s picture

Status: Active » Needs review
Attachment: 3591057-update-twig-3.26.0.patch, 61.83 KB (new)

Updated twig/twig from ~v3.22.0 to ~v3.26.0 to address 13 security advisories
(2 critical). Updated constraints in composer.json, core/composer.json,
composer/Metapackage/CoreRecommended/composer.json, and composer.lock.

Tested: ran PHPUnit Twig template tests — all 107 tests pass.

smustgrave’s picture

Status: Needs review » Needs work

Fixes should be in MRs please

solideogloria made their first commit to this issue’s fork.

solideogloria’s picture

Status: Needs work » Needs review

solideogloria’s picture

I did not just apply the patch. I made the changes myself, and they aren't necessarily the same as the patch.

solideogloria’s picture

I will also venture a guess that this is probably one of the issues that will be fixed by today's Highly Critical security release (PSA-2026-05-18).

kiwad’s picture

Status: Needs review » Needs work

Patch in 4 seems weird...

adds drush to core ?

solideogloria’s picture

Status: Needs work » Needs review

That's why I didn't use the patch.

Please review the MR (which is different), not the patch.

smustgrave’s picture

Status: Needs review » Needs work

But MR is failing the pipeline

solideogloria’s picture

Status: Needs work » Needs review

I don't think that's related...

Using FF_USE_POD_ACTIVE_DEADLINE_SECONDS, the Pod activeDeadlineSeconds will be set to the job timeout: 30m0s...
Waiting for pod gitlab-runner/runner-s8ex1x2yj-project-213091-concurrent-1-m5e4macx to be running on the node , status is Pending
Unschedulable: "0/2 nodes are available: 2 node(s) didn't match Pod's node affinity/selector. preemption: 0/2 nodes are available: 2 Preemption is not helpful for scheduling."
Waiting for pod gitlab-runner/runner-s8ex1x2yj-project-213091-concurrent-1-m5e4macx to be running on the node , status is Pending
Unschedulable: "0/2 nodes are available: 2 node(s) didn't match Pod's node affinity/selector. preemption: 0/2 nodes are available: 2 Preemption is not helpful for scheduling."
Waiting for pod gitlab-runner/runner-s8ex1x2yj-project-213091-concurrent-1-m5e4macx to be running on the node , status is Pending
Unschedulable: "0/3 nodes are available: 1 node(s) had untolerated taint {node.kubernetes.io/not-ready: }, 2 node(s) didn't match Pod's node affinity/selector. preemption: 0/3 nodes are available: 3 Preemption is not helpful for scheduling."
Running on runner-s8ex1x2yj-project-213091-concurrent-1-m5e4macx via gitlab-runner-68fc75c9b5-gs4gw...

Is there a way to rerun the whole pipeline?

solideogloria’s picture

Status: Needs review » Needs work

Can someone figure out what's wrong with the pipeline? There are no helpful error messages that I can find.

swentel’s picture

These fixes will be included in the upcoming release normally, see https://drupal.community/@drupalsecurity/116607161332319890 - so this should be fine in the end.

solideogloria’s picture

Status: Needs work » Closed (duplicate)

Okay, will close as duplicate.
