php-composer-security-docker keeps spamming the Security-Team with this (low) vulnerability for three apps:
- iegreview (https://gerrit.wikimedia.org/r/admin/repos/wikimedia/iegreview) (patch)
- slimapp (https://gerrit.wikimedia.org/r/admin/repos/wikimedia/slimapp) (patch)
We can split these into separate tasks, but since the solution requires version-bumping Twig in composer.json, I thought we could possibly take care of these in one fell swoop. Additionally, this vulnerability specifically affects apps running Twig in sandbox mode, which I don't believe any of these apps do. Though we still get automated alerts for them :/
The issue was fixed in Twig 1.38 and, testing locally, php security checker doesn't complain with "twig/twig": "~1.38". I would've pushed some patch sets up to Gerrit for each of these, but couldn't get the unit tests to run locally, so I held off.