[[ https://integration.wikimedia.org/ci/blue/organizations/jenkins/php-composer-security-docker/activity | php-composer-security-docker ]] keeps spamming the #security-team with [[ https://symfony.com/blog/twig-sandbox-information-disclosure | this (low) vulnerability ]] for three apps:
* **iegreview** (https://gerrit.wikimedia.org/r/p/wikimedia/iegreview)
* **wikimania-scholarships** (https://gerrit.wikimedia.org/r/p/wikimedia/wikimania-scholarships)
* **slimapp** (https://gerrit.wikimedia.org/r/p/wikimedia/slimapp)
We can split these into separate tasks, but since the solution requires version-bumping twig in `composer.json`, I thought we could possibly take care of these in one fell swoop. Additionally, this vulnerability specifically affects apps running twig in sandbox mode, which I don't believe any of these apps do. Though we still get automated alerts for them :/
The issue was fixed in [[ https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077#diff-d3bb3391c79904494c60ee2ac2f33070 | twig 1.38 ]] and testing locally, [[ https://github.com/sensiolabs/security-checker | php security checker ]] doesn't complain with `"twig/twig": "~1.38"`. I would've pushed some patch sets up to gerrit for each of these, but couldn't get the unit tests to run locally, so I held off.
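As an added illustration (not part of this task, the security checker, or any of the three repos): a small script that reads a `composer.lock` and reports any `twig/twig` entry below 1.38, the version the task identifies as carrying the fix. It assumes the standard composer.lock layout (`packages` and `packages-dev` arrays with `name`/`version` keys) and treats `dev-*` branch versions as unresolvable so they get flagged for manual review rather than silently passed. The two lock files below are constructed samples, not the real lock files from iegreview, wikimania-scholarships or slimapp.

```python
import json

# Version at which the Twig sandbox information-disclosure issue was fixed,
# as stated in the task description (twig 1.38). Assumed to mean 1.38.0.
FIXED_TWIG_VERSION = "1.38.0"


def parse_version(version):
    """Turn a Composer version string such as 'v1.35.4' or '1.38.0-beta1'
    into a comparable (major, minor, patch) tuple.

    Returns None for branch aliases such as 'dev-master', which carry no
    ordering information and therefore cannot be judged safe or unsafe."""
    if version.startswith("dev-"):
        return None
    version = version.lstrip("vV")
    # Drop pre-release / build metadata suffixes ('-beta1', '+abc123').
    for sep in ("-", "+"):
        version = version.split(sep, 1)[0]
    parts = []
    for piece in version.split("."):
        try:
            parts.append(int(piece))
        except ValueError:
            parts.append(0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def vulnerable_twig_packages(lock_json):
    """Return a list of (section, version, reason) for every twig/twig entry
    in a composer.lock document that is older than the fixed release, or
    whose version cannot be resolved (dev branches)."""
    lock = json.loads(lock_json)
    fixed = parse_version(FIXED_TWIG_VERSION)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != "twig/twig":
                continue
            version = pkg.get("version", "")
            parsed = parse_version(version)
            if parsed is None:
                findings.append((section, version, "unresolvable dev branch, review manually"))
            elif parsed < fixed:
                findings.append((section, version, "below fixed version %s" % FIXED_TWIG_VERSION))
    return findings


# Constructed sample: an older lock pinning twig/twig before the fix.
OLD_LOCK = json.dumps({
    "packages": [
        {"name": "slim/slim", "version": "2.6.3"},
        {"name": "twig/twig", "version": "v1.35.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "4.8.36"},
    ],
})

# Constructed sample: the same lock after bumping to "~1.38" and re-resolving.
NEW_LOCK = json.dumps({
    "packages": [
        {"name": "slim/slim", "version": "2.6.3"},
        {"name": "twig/twig", "version": "v1.38.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "4.8.36"},
    ],
})


if __name__ == "__main__":
    for label, lock in (("old", OLD_LOCK), ("new", NEW_LOCK)):
        findings = vulnerable_twig_packages(lock)
        if findings:
            for section, version, reason in findings:
                print("%s lock: twig/twig %s in %s: %s" % (label, version, section, reason))
        else:
            print("%s lock: no twig/twig entry below %s" % (label, FIXED_TWIG_VERSION))
```

Running it against the real lock files of the three apps (`python check_twig.py < composer.lock` after reading stdin instead of the embedded samples) would give a quick local answer on whether the `~1.38` bump actually landed in `composer.lock`, which is what the security checker keys off rather than the constraint in `composer.json`.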