
Bump the php-prod group across 1 directory with 8 updates #591

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/composer/php-prod-f2f9704538


dependabot[bot] commented on behalf of github on Apr 20, 2026


Bumps the php-prod group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| doctrine/doctrine-bundle | 2.18.1 | 2.18.3 |
| doctrine/orm | 3.5.8 | 3.6.7 |
| jms/translation-bundle | 2.6.0 | 2.7.0 |
| nelmio/security-bundle | 3.6.0 | 3.9.0 |
| pagerfanta/pagerfanta | 4.7.2 | 4.8.0 |
| twig/extra-bundle | 3.22.2 | 3.24.0 |
| twig/intl-extra | 3.22.1 | 3.26.0 |

Updates doctrine/doctrine-bundle from 2.18.1 to 2.18.3

Release notes

Sourced from doctrine/doctrine-bundle's releases.

2.18.3

Release Notes for 2.18.3

2.18.x bugfix release (patch)

2.18.3

  • Total issues resolved: 0
  • Total pull requests resolved: 3
  • Total contributors: 3

Bugfixes

CI

Documentation

2.18.2

Release Notes for 2.18.2

2.18.x bugfix release (patch)

2.18.2

  • Total issues resolved: 0
  • Total pull requests resolved: 9
  • Total contributors: 4

Bugfixes

Documentation

CI

... (truncated)

Commits
  • 241d61f Bump codecov/codecov-action from 6 to 7
  • d1013c3 remove form related services if the Form component is not installed
  • 1f7d0d5 Merge pull request #2228 from MatTheCat/lazy_entity_listener
  • e13fb5b Remove mention of lazy entity listeners
  • 79dd830 use complete version numbers in PHP requirements
  • 7a26a24 Merge pull request #2223 from doctrine/dependabot/github_actions/2.18.x/doctr...
  • 67d0146 Bump the doctrine group with 6 updates
  • 78f87b5 Bump codecov/codecov-action from 5 to 6
  • e09da41 Bump the doctrine group with 2 updates
  • cafee79 Bump ramsey/composer-install from 3 to 4
  • Additional commits viewable in compare view

Updates doctrine/orm from 3.5.8 to 3.6.7

Release notes

Sourced from doctrine/orm's releases.

3.6.7

This release contains the changes from https://github.com/doctrine/orm/releases/tag/2.20.13

3.6.6

Release Notes for 3.6.6

3.6.x bugfix release (patch)

3.6.6

  • Total issues resolved: 0
  • Total pull requests resolved: 3
  • Total contributors: 1

Bugfixes

CI

3.6.5

Release Notes for 3.6.5

3.6.x bugfix release (patch)

3.6.5

  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

Bugfixes

3.6.4

Release Notes for 3.6.4

3.6.x bugfix release (patch)

3.6.4

  • Total issues resolved: 0
  • Total pull requests resolved: 3
  • Total contributors: 3

Bugfixes

... (truncated)

Commits
  • bc217c0 Merge pull request #12486 from greg0ire/3.6.x
  • e75a435 Merge remote-tracking branch 'origin/2.20.x' into 3.6.x
  • f525f32 Merge pull request #12482 from greg0ire/fix-el-formatting
  • 4689337 Avoid passing arrays to get_class
  • 471b129 Merge pull request #12477 from greg0ire/avoid-overwrite
  • f2530f2 Merge pull request #12476 from greg0ire/def-expr-depr
  • 18977e0 Avoid adding the same foreign key twice for STI
  • 54b4f4b Address string default expression deprecation
  • 8b64c10 Merge pull request #12475 from greg0ire/fix-job-labels
  • fdea8dc Use correct matrix element name
  • Additional commits viewable in compare view

Updates jms/translation-bundle from 2.6.0 to 2.7.0

Release notes

Sourced from jms/translation-bundle's releases.

2.7.0

What's Changed

Full Changelog: schmittjoh/JMSTranslationBundle@2.6.0...2.7.0

Commits
  • 826b292 Merge pull request #623 from Steveb-p/fix-symfony-7.4-validator-extractor
  • 63e82c7 Enforce PHPStan version 11 to resolve conflict with simple-phpunit
  • eea34b2 Updated CI runner
  • 08a480b Use interface instead of implementation
  • 74143f9 Fixed Symfony 7.4 incompatibility
  • 7ae5197 Fixed Symfony 7.4 incompatibility
  • See full diff in compare view

Updates nelmio/security-bundle from 3.6.0 to 3.9.0

Release notes

Sourced from nelmio/security-bundle's releases.

v3.9.0

What's Changed

Full Changelog: nelmio/NelmioSecurityBundle@v3.8.0...v3.9.0

v3.8.0

What's Changed

Full Changelog: nelmio/NelmioSecurityBundle@v3.7.0...v3.8.0

v3.7.0

What's Changed

Full Changelog: nelmio/NelmioSecurityBundle@v3.6.0...v3.7.0

Commits
  • 86dd4d1 Merge pull request #389 from Spomky/feature/test-assertions
  • 0dc7667 feat(tests): Add PHPUnit assertions for security headers and update testing d...
  • 2fafee1 Merge pull request #372 from Spomky/features/cross-origin-policy
  • 63da27e Add Cross-Origin Policy feature with configurable headers (COEP, COOP, CORP)
  • 9389ec2 Merge pull request #388 from Spomky/deps-update
  • a0eac15 chore(ci): Add Symfony 8.5 to the continuous integration matrix
  • d702968 chore(deps): Update PHPStan and PHPUnit versions in composer.json
  • a1f20ea Merge pull request #386 from damienalexandre/symfony8
  • ee3d9f1 fix(ci): Bump Symfony 7 to 7.3 minimum
  • f42af6e feat(upgrade): Bump allowed Symfony version to 8
  • Additional commits viewable in compare view

Updates pagerfanta/pagerfanta from 4.7.2 to 4.8.0

Changelog

Sourced from pagerfanta/pagerfanta's changelog.

4.8.0 (2026-01-22)

  • Add support for doctrine/collections 3.x

Commits

Updates twig/extra-bundle from 3.22.2 to 3.24.0

Release notes

Sourced from twig/extra-bundle's releases.

v3.24.0

Changelog (twigphp/twig-extra-bundle@v3.23.0...v3.24.0)

  • no significant changes

v3.23.0

No release notes provided.

Commits
  • 6a621fc Fix CS
  • 7a27e78 minor #4718 Add .gitignore & .gitattributes to all .gitattributes (jmsche)
  • 8f6488a Add .gitignore & .gitattributes to all .gitattributes
  • See full diff in compare view

Updates twig/intl-extra from 3.22.1 to 3.26.0

Release notes

Sourced from twig/intl-extra's releases.

v3.26.0

Changelog (twigphp/intl-extra@v3.23.0...v3.26.0)

v3.24.0

Changelog (twigphp/intl-extra@v3.23.0...v3.24.0)

  • no significant changes

v3.23.0

No release notes provided.

Commits
  • 98f5ad5 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
  • 32f15a3 Add null-safe operator
  • d79645e Fix intl-extra tests
  • c5da148 Add .gitignore & .gitattributes to all .gitattributes
  • See full diff in compare view

Updates twig/twig from 3.26.0 to 3.27.1

Release notes

Sourced from twig/twig's releases.

v3.27.1

Changelog (twigphp/Twig@v3.27.0...v3.27.1)

  • bug #4822 Fix inconsistent array access with a Stringable key (@fabpot)
  • bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (@fabpot)

v3.27.0

Changelog (twigphp/Twig@v3.26.0...v3.27.0)

  • security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@fabpot)
  • security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@fabpot)
  • security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@fabpot)
  • security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@fabpot)
  • security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@fabpot)
  • feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@fabpot)
  • feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@fabpot)
  • bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@fabpot)
  • bug #4807 Escape root profile name in HtmlDumper (@fabpot)
  • bug #4808 Restrict allowed classes in Profile::unserialize() (@fabpot)
  • feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@fabpot)

Changelog

Sourced from twig/twig's changelog.

3.27.1 (2026-05-30)

  • Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path
  • Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array

3.27.0 (2026-05-27)

  • Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
  • Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
  • Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
  • Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
  • Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
  • Escape root profile name in HtmlDumper
  • Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
  • Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
  • Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
  • Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
  • Fix sandbox __toString bypass via the in and not in operators
  • Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
  • Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
  • Fix sandbox __toString policy bypass via dynamic mapping keys

Commits
  • ae2071b Prepare the 3.27.1 release
  • 79884de bug #4822 Fix inconsistent array access with a Stringable key (fabpot)
  • 8ec9530 Fix inconsistent array access with a Stringable key
  • dfb5232 bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (f...
  • d25f98f Preserve IteratorAggregate identity in sandbox __toString walker
  • 118938b Fix tests
  • 86f3b3a Bump version
  • 04ae1bf Prepare the 3.27.0 release
  • 99a1038 security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox ...
  • 23eb6eb Fix sandbox filter/tag/function allow-list bypass when sandbox state changes ...
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot[bot] added the dependencies and php labels on Apr 20, 2026

Bumps the php-prod group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [doctrine/doctrine-bundle](https://github.com/doctrine/DoctrineBundle) | `2.18.1` | `2.18.3` |
| [doctrine/orm](https://github.com/doctrine/orm) | `3.5.8` | `3.6.7` |
| [jms/translation-bundle](https://github.com/schmittjoh/JMSTranslationBundle) | `2.6.0` | `2.7.0` |
| [nelmio/security-bundle](https://github.com/nelmio/NelmioSecurityBundle) | `3.6.0` | `3.9.0` |
| [pagerfanta/pagerfanta](https://github.com/BabDev/Pagerfanta) | `4.7.2` | `4.8.0` |
| [twig/extra-bundle](https://github.com/twigphp/twig-extra-bundle) | `3.22.2` | `3.24.0` |
| [twig/intl-extra](https://github.com/twigphp/intl-extra) | `3.22.1` | `3.26.0` |



Updates `doctrine/doctrine-bundle` from 2.18.1 to 2.18.3
- [Release notes](https://github.com/doctrine/DoctrineBundle/releases)
- [Commits](doctrine/DoctrineBundle@2.18.1...2.18.3)

Updates `doctrine/orm` from 3.5.8 to 3.6.7
- [Release notes](https://github.com/doctrine/orm/releases)
- [Commits](doctrine/orm@3.5.8...3.6.7)

Updates `jms/translation-bundle` from 2.6.0 to 2.7.0
- [Release notes](https://github.com/schmittjoh/JMSTranslationBundle/releases)
- [Changelog](https://github.com/schmittjoh/JMSTranslationBundle/blob/master/CHANGELOG.md)
- [Commits](schmittjoh/JMSTranslationBundle@2.6.0...2.7.0)

Updates `nelmio/security-bundle` from 3.6.0 to 3.9.0
- [Release notes](https://github.com/nelmio/NelmioSecurityBundle/releases)
- [Changelog](https://github.com/nelmio/NelmioSecurityBundle/blob/master/CHANGELOG.md)
- [Commits](nelmio/NelmioSecurityBundle@v3.6.0...v3.9.0)

Updates `pagerfanta/pagerfanta` from 4.7.2 to 4.8.0
- [Changelog](https://github.com/BabDev/Pagerfanta/blob/4.x/CHANGELOG.md)
- [Commits](BabDev/Pagerfanta@v4.7.2...v4.8.0)

Updates `twig/extra-bundle` from 3.22.2 to 3.24.0
- [Release notes](https://github.com/twigphp/twig-extra-bundle/releases)
- [Commits](twigphp/twig-extra-bundle@v3.22.2...v3.24.0)

Updates `twig/intl-extra` from 3.22.1 to 3.26.0
- [Release notes](https://github.com/twigphp/intl-extra/releases)
- [Commits](twigphp/intl-extra@v3.22.1...v3.26.0)

Updates `twig/twig` from 3.26.0 to 3.27.1
- [Release notes](https://github.com/twigphp/Twig/releases)
- [Changelog](https://github.com/twigphp/Twig/blob/3.x/CHANGELOG)
- [Commits](twigphp/Twig@v3.26.0...v3.27.1)

---
updated-dependencies:
- dependency-name: doctrine/doctrine-bundle
  dependency-version: 2.18.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: php-prod
- dependency-name: doctrine/orm
  dependency-version: 3.6.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: jms/translation-bundle
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: nelmio/security-bundle
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: pagerfanta/pagerfanta
  dependency-version: 4.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: twig/extra-bundle
  dependency-version: 3.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: twig/intl-extra
  dependency-version: 3.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: twig/twig
  dependency-version: 3.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] force-pushed the dependabot/composer/php-prod-f2f9704538 branch from dee36a6 to f4df40e on June 12, 2026 12:43