Skip to content

Bump the php-prod group across 1 directory with 2 updates#516

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/php-prod-9caea104f5
Open

Bump the php-prod group across 1 directory with 2 updates#516
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/php-prod-9caea104f5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the php-prod group with 2 updates in the / directory: guzzlehttp/guzzle and twig/twig.

Updates guzzlehttp/guzzle from 7.12.3 to 7.13.2

Release notes

Sourced from guzzlehttp/guzzle's releases.

7.13.2

Fixed

  • Stop the cURL multi handler busy-waiting on request delays shorter than one second
  • Stop cURL HEAD requests with request bodies hanging on responses that declare a content length
  • The cURL handler no longer transmits request bodies on HEAD requests
  • Preserve response headers when a response includes HTTP trailers
  • Harden cURL response header block detection when HTTP trailers are received
  • Corrected the PSR-7 class names in the Pool iterator exception
  • Redirect body rewind failures no longer leak a bare RuntimeException

7.13.1

Fixed

  • Allow middleware to rewrite partial URIs before transports validate them

7.13.0

Added

  • Added the crypto_method_max request option to cap the maximum TLS protocol version
  • Added HTTP QUERY redirect support, preserving method and body on 301 and 302

Changed

  • Section proxy tunnel connection reuse by credential so distinct credentials never share a tunnel
  • Isolate concurrent foreign cURL proxy tunnels added while another owner's tunnel is active
  • Route credentialed HTTP(S) proxy Proxy-Authorization headers through cURL proxy header handling
  • Reject request-level CURLOPT_SHARE when combined with authenticated HTTP/HTTPS proxy tunnel configuration
  • Remove deprecation for raw cURL CURLOPT_PREREQFUNCTION callbacks when defined by PHP cURL
  • Route TLS 1.2 crypto_method requests to the stream handler when cURL cannot select TLS 1.2
  • Reject final request URIs missing a scheme or host before transfer

Deprecated

  • Deprecate invalid protocols, force_ip_resolve, delay, cookies, and allow_redirects values
Changelog

Sourced from guzzlehttp/guzzle's changelog.

7.13.2 - 2026-07-05

Fixed

  • Stop the cURL multi handler busy-waiting on request delays shorter than one second
  • Stop cURL HEAD requests with request bodies hanging on responses that declare a content length
  • The cURL handler no longer transmits request bodies on HEAD requests
  • Preserve response headers when a response includes HTTP trailers
  • Harden cURL response header block detection when HTTP trailers are received
  • Corrected the PSR-7 class names in the Pool iterator exception
  • Redirect body rewind failures no longer leak a bare RuntimeException

7.13.1 - 2026-06-29

Fixed

  • Allow middleware to rewrite partial URIs before transports validate them

7.13.0 - 2026-06-29

Added

  • Added the crypto_method_max request option to cap the maximum TLS protocol version
  • Added HTTP QUERY redirect support, preserving method and body on 301 and 302

Changed

  • Section proxy tunnel connection reuse by credential so distinct credentials never share a tunnel
  • Isolate concurrent foreign cURL proxy tunnels added while another owner's tunnel is active
  • Route credentialed HTTP(S) proxy Proxy-Authorization headers through cURL proxy header handling
  • Reject request-level CURLOPT_SHARE when combined with authenticated HTTP/HTTPS proxy tunnel configuration
  • Remove deprecation for raw cURL CURLOPT_PREREQFUNCTION callbacks when defined by PHP cURL
  • Route TLS 1.2 crypto_method requests to the stream handler when cURL cannot select TLS 1.2
  • Reject final request URIs missing a scheme or host before transfer

Deprecated

  • Deprecate invalid protocols, force_ip_resolve, delay, cookies, and allow_redirects values
Commits

Updates twig/twig from 3.27.1 to 3.28.0

Release notes

Sourced from twig/twig's releases.

v3.28.0

Changelog (twigphp/Twig@v3.27.1...v3.28.0)

  • bug #4850 Render backed enums using their backing value in the html_attr function (@​fabpot)
  • minor #4845 Add documention note about variable scope of override blocks in { embed ... only } (@​andy-blum)
  • minor #4843 Define macros at the template root in the cache macro fixture (@​fabpot)
  • bug #4841 Fix Markup truthiness in boolean expressions (@​xtrime-ru)
  • bug #4842 Fix a PHP 8.5 chr() deprecation when decoding octal string escapes (@​austinderrick)
  • feature #4292 Introduce a CorrectnessNodeVisitor to validate that templates are semantically correct (@​fabpot)
  • feature #4840 Mark Markup as final (@​fabpot)
  • feature #4838 Allow calling a macro with a dynamic name via the dot operator (@​fabpot)
  • bug #4835 Fix markdown_to_html mangling content that starts with a blank line (@​fabpot)
  • feature #4819 Add an allow-list for tests to the sandbox security policy (@​fabpot)
  • minor #4837 Reduce memory usage of the context restoration compiled at the end of for loops (@​fabpot)
  • feature #4816 Add an always_allowed_in_sandbox flag for filters, functions, and tags (@​fabpot)
  • feature #4834 Track the source offset of each token and expose it in syntax errors (@​fabpot)
  • minor #4836 Document how to customize the markdown_to_html converter (@​fabpot)
  • minor #4662 CoreExtension::getAttribute: small improvement regarding getter/isser/hasser (@​gharlan)
  • bug #4825 Make the include() function return a Markup object (@​fabpot)
  • bug #4830 Fix nested block() resolution when a directly rendered block calls parent() (@​fabpot)
  • minor #4827 Document {#--#} as the replacement for the deprecated spaceless filter (@​fabpot)
  • bug #4828 Stop reporting a skipped test in IntegrationTestCase when there is no legacy test to run (@​fabpot)
  • minor #4829 Document storing an enum in a variable to avoid repeating its FQCN (@​fabpot)
  • bug #4824 Cast printed expressions to string so values that cannot be converted to a string (arrays, non-Stringable objects, ...) report a usable stack trace at the print location (@​stof, @​fabpot)
  • feature #4826 Make IntegrationTestCase and NodeTestCase compatible with PHPUnit 11 (@​fabpot)
  • feature #4823 Skip the sandbox __toString check on arguments whose PHP parameter type cannot implicitly coerce to string (@​fabpot)
Changelog

Sourced from twig/twig's changelog.

3.28.0 (2026-07-03)

  • Render backed enums using their backing value in the html_attr function
  • Fix empty Markup values being treated as truthy in and, or, xor, not, ternary, and elvis expressions
  • Fix a PHP 8.5 chr() deprecation when decoding an octal string escape sequence larger than \377 (such as "\777")
  • Mark Twig\Markup as @final; it will be final in Twig 4.0
  • Reduce memory usage and speed up the context restoration compiled at the end of for loops
  • Allow calling a macro with a dynamic name via the dot operator (macros.(name)(args))
  • Report the column number in syntax errors and expose it via Error::getTemplateColumn()
  • Track the source offset of each token and expose it via Token::getOffset()
  • Fix nested block() calls to resolve against the overriding template when a block rendered through block(name, template) calls parent()
  • Deprecate the possibility to use a block tag within a capture node (like set)
  • Deprecate the possibility to use a block tag within a capture node (like set) in child templates
  • Deprecate using a macro, extends, or use tag outside the root of a template
  • Stop reporting a skipped test in IntegrationTestCase when there is no legacy test to run
  • Fix markdown_to_html to strip the indentation shared by all lines instead of mangling content that starts with a blank line
  • Make the IntegrationTestCase and NodeTestCase test helpers compatible with PHPUnit 11
  • Cast printed expressions to string so values that cannot be converted to a string (arrays, non-Stringable objects, ...) report a usable stack trace at the print location
  • Make the include() function return a Markup object so an assigned result is not re-escaped when printed
  • Skip the sandbox __toString check on arguments whose PHP parameter type cannot implicitly coerce to string
  • Document the criteria for marking a callable or tag as always allowed in a sandbox, and the list of built-in tags, filters, and functions that will be always allowed in Twig 4.0
  • Add an always_allowed_in_sandbox option for filters, functions, and tests, and an isAlwaysAllowedInSandbox() method for token parsers, to let authors mark callables and tags that are always allowed in sandbox mode without explicit allow-listing
  • Add an allow-list for tests to Twig\Sandbox\SecurityPolicy, with the safe built-in tests flagged as always allowed so they keep working without allow-listing
Commits
  • 597c12e Prepare the 3.28.0 release
  • 6a175a5 bug #4850 Render backed enums using their backing value in the html_attr func...
  • 9323a82 Render backed enums using their backing value in the html_attr function
  • ec0f5d5 Tweak previous merge
  • 4007231 minor #4845 Add documention note about variable scope of override blocks in {...
  • 068a2e6 Add documention note about variable scope of override blocks in {% embed ... ...
  • f6152fe minor #4843 Define macros at the template root in the cache macro fixture (fa...
  • 424d2f1 Define the macro at the template root in the cache macro fixture
  • e3b8e15 Update CHANGELOG
  • 2f202b0 bug #4841 Fix Markup truthiness in boolean expressions (xtrime-ru)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the php-prod group with 2 updates in the / directory: [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) and [twig/twig](https://github.com/twigphp/Twig).


Updates `guzzlehttp/guzzle` from 7.12.3 to 7.13.2
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/7.14/CHANGELOG.md)
- [Commits](guzzle/guzzle@7.12.3...7.13.2)

Updates `twig/twig` from 3.27.1 to 3.28.0
- [Release notes](https://github.com/twigphp/Twig/releases)
- [Changelog](https://github.com/twigphp/Twig/blob/3.x/CHANGELOG)
- [Commits](twigphp/Twig@v3.27.1...v3.28.0)

---
updated-dependencies:
- dependency-name: guzzlehttp/guzzle
  dependency-version: 7.13.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: twig/twig
  dependency-version: 3.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update Php code labels Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file php Pull requests that update Php code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants