Update twig monorepo to v3.27.1 #23

Merged
github-actions[bot] merged 1 commit into master from renovate/twig-monorepo
Jun 8, 2026

@renovate renovate Bot (Contributor) commented Jun 8, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| twig/twig (source) | 3.26.0 → 3.27.1 | age | confidence |

Release Notes

twigphp/Twig (twig/twig)

v3.27.1

  • Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path
  • Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array

v3.27.0

  • Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
  • Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
  • Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
  • Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
  • Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
  • Escape root profile name in HtmlDumper
  • Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
  • Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
  • Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
  • Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
  • Fix sandbox __toString bypass via the in and not in operators
  • Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
  • Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
  • Fix sandbox __toString policy bypass via dynamic mapping keys

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions github-actions Bot merged commit d373721 into master Jun 8, 2026
5 of 6 checks passed

github-actions Bot commented Jun 8, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

composer.lock

| Package | Version | License | Issue Type |
|---|---|---|---|
| twig/twig | 3.27.1 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
|---|---|---|---|
| composer/twig/twig | 3.27.1 | Unknown | Unknown |

Scanned Files

  • composer.lock

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

sonarqubecloud Bot commented Jun 8, 2026

@renovate renovate Bot deleted the renovate/twig-monorepo branch June 8, 2026 03:45