picocms/Pico

old twig-version: v2.12.5; eol in 2023; Security issue? How to update?

new-on-github opened this issue · 6 comments

The latest Pico release 3.0.0 seems to use an old Twig version. Twig 2.* is EOL in December 2023.

Is this a security issue? Seems to be.

Is it possible to update the Twig version? How to do this without Composer (I only use a webspace)?

Thanks a lot.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two days if no further activity occurs. Thank you for your contributions! 👍

You might wanna switch to the dev-pico-3.0 branch, it uses Twig 3.0, but keep the breaking changes in mind. You'll need Composer for that (not on the web server though, you can install it locally and then simply upload the files; release archives aren't any different). It's no security issue though, Twig templates aren't modifiable online in Pico.

> You might wanna switch to the dev-pico-3.0 branch, it uses Twig 3.0, but keep the breaking changes in mind. You'll need Composer for that (not on the web server though, you can install it locally and then simply upload the files; release archives aren't any different). It's no security issue though, Twig templates aren't modifiable online in Pico.

Thanks a lot for your reply!

How can I switch to the dev-pico-3.0 branch? There is no release and I also cannot find a repository with this name. Maybe I am too stupid...

> It's no security issue though, Twig templates aren't modifiable online in Pico.

OK, this is the very important information. The website works and therefore I can stay on the old Twig version. Thank you.

Btw: Thanks a lot for pico cms, it's really cool.

> How can I switch to the dev-pico-3.0 branch?

You'll need Composer. Try the following commands locally, then just upload everything to your webserver:

$ curl -sSL https://getcomposer.org/installer | php
$ php composer.phar create-project picocms/pico-composer pico
$ php composer.phar require --working-dir pico/ --update-with-all-dependencies "picocms/Pico dev-pico-3.0" "picocms/pico-deprecated dev-pico-3.0" "picocms/pico-theme dev-pico-3.0" "picocms/composer-installer dev-pico-3.0"
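
A local check to run before uploading, reading Composer's `vendor/composer/installed.json` to report which Twig version an unpacked Pico tree carries. This is an added example, not part of the original thread or Pico's own code; the `pico/` path, the script name `check_twig.py` and the `eol_below` threshold are assumptions.

```python
import json
import re
import sys
from pathlib import Path

# Constructed sample in Composer 2 layout; v2.12.5 is the version named in the issue title.
SAMPLE = json.dumps({"packages": [
    {"name": "picocms/pico", "version": "v3.0.0"},
    {"name": "twig/twig", "version": "v2.12.5"},
]})

def load_packages(text):
    """Composer 2 wraps entries in {"packages": [...]}; Composer 1 wrote a bare list."""
    data = json.loads(text)
    return data.get("packages", []) if isinstance(data, dict) else data

def major_version(version):
    """Major number of 'v2.12.5' or '3.0.0'; None for branch names like 'dev-pico-3.0'."""
    match = re.match(r"v?(\d+)\.", version)
    return int(match.group(1)) if match else None

def check_package(text, name="twig/twig", eol_below=3):
    """Return (version, status); status is 'eol', 'ok', 'unknown' or 'missing'.

    eol_below=3 is an assumption derived from the thread (Twig 2.* is EOL).
    """
    for pkg in load_packages(text):
        if pkg.get("name", "").lower() != name:
            continue
        version = pkg.get("version", "")
        major = major_version(version)
        if major is None:
            return version, "unknown"  # branch build: inspect manually
        return version, "eol" if major < eol_below else "ok"
    return None, "missing"

if __name__ == "__main__":
    # Usage: python check_twig.py pico/vendor/composer/installed.json
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    version, status = check_package(text)
    print(f"twig/twig {version}: {status}")
    sys.exit(1 if status in ("eol", "missing") else 0)
```

The non-zero exit status on `eol` or `missing` lets the check gate an upload script.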

> How can I switch to the dev-pico-3.0 branch?
>
> You'll need Composer. Try the following commands locally, then just upload everything to your webserver:
>
> $ curl -sSL https://getcomposer.org/installer | php
> $ php composer.phar create-project picocms/pico-composer pico
> $ php composer.phar require --working-dir pico/ --update-with-all-dependencies "picocms/Pico dev-pico-3.0" "picocms/pico-deprecated dev-pico-3.0" "picocms/pico-theme dev-pico-3.0" "picocms/composer-installer dev-pico-3.0"

Thanks a lot. But you told me that there may be changes in the new Twig version which will break my Pico website.
So I have to test it first.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two days if no further activity occurs. Thank you for your contributions! 👍