Composer(deps): Bump smarty/smarty from 5.8.0 to 5.8.4 in /web #48

Open
dependabot[bot] wants to merge 1 commit into php81 from dependabot/composer/web/smarty/smarty-5.8.4


Conversation

dependabot[bot] commented on behalf of github Jul 1, 2026

Bumps smarty/smarty from 5.8.0 to 5.8.4.

Release notes

Sourced from smarty/smarty's releases.

v5.8.4

No release notes provided.

v5.8.3

What's Changed

Full Changelog: smarty-php/smarty@v5.8.2...v5.8.3

v5.8.2

What's Changed

  • Security: prevent symlinks inside a trusted secure_dir/template directory from being used to read files outside of it (CWE-22 path traversal), affecting {include} and {fetch} of local files
  • Security: {html_image} now escapes the file, path_prefix, href/link, width and height attributes (it already escaped alt and pass-through attributes), and {html_select_date} casts day_size/month_size/year_size to int (matching {html_select_time}), preventing untrusted values passed into these attributes from breaking out of the generated HTML (CWE-79)
  • Security: {fetch} no longer follows HTTP redirects for remote resources while a security policy is active, preventing an open redirect on a trusted host from bypassing trusted_uri (CWE-918 server-side request forgery)
  • Fixed "Attempt to assign property step on null" error when using a {for} loop inside a block of an extended template #1036

New Contributors

Full Changelog: smarty-php/smarty@v5.8.1...v5.8.2

v5.8.1

What's Changed

Internal changes

New Contributors

Full Changelog: smarty-php/smarty@v5.8.0...v5.8.1

Changelog

Sourced from smarty/smarty's changelog.

[5.8.4] - 2026-06-29

  • Fixed a TypeError on PHP 8 when Security::$static_classes was set to a non-array value (e.g. the string 'none') to disable static class access; any non-array value now cleanly denies access. Use Security::$static_classes = null to disable access to all static classes.
  • Security: the built-in stream: resource type now validates the nested stream wrapper against the security policy, so a template such as stream:php://filter/... can no longer bypass Security::$streams (including Security::$streams = null) to read local files (CWE-22)

[5.8.3] - 2026-06-28

  • Fixed a regression from #1189 where a child template's block override no longer applied to a template {include}d by the parent #1192

[5.8.2] - 2026-06-24

  • Security: prevent symlinks inside a trusted secure_dir/template directory from being used to read files outside of it (CWE-22 path traversal), affecting {include} and {fetch} of local files
  • Security: {html_image} now escapes the file, path_prefix, href/link, width and height attributes (it already escaped alt and pass-through attributes), and {html_select_date} casts day_size/month_size/year_size to int (matching {html_select_time}), preventing untrusted values passed into these attributes from breaking out of the generated HTML (CWE-79)
  • Security: {fetch} no longer follows HTTP redirects for remote resources while a security policy is active, preventing an open redirect on a trusted host from bypassing trusted_uri (CWE-918 server-side request forgery)
  • Fixed "Attempt to assign property step on null" error when using a {for} loop inside a block of an extended template #1036

[5.8.1] - 2026-06-23

  • Re-activated unit tests for user literals, which were previously disabled due to a bug in refactoring to v5.
  • Fixed a bug where a child template's block content leaked into subsequent rendering of the parent template #1189
  • Moved all unit test-generated output from inside the working tree to tmp files #1178

Commits
  • 94a27cb Merge branch 'release/5.8.4'
  • badc5ef version bump
  • 2ae0f9a Fix TypeError for non-array static_classes in Security policy (#1198)
  • b668745 drop unused version attribute from docker-compose.yml
  • 3c9f77a Security: validate nested stream wrapper in stream: resource (CWE-22) (#1195)
  • 042dff6 Merge branch 'release/5.8.3'
  • 1830aa7 version bump
  • b83ffdd requirements for building docs, switched test-runner from mutagen to basic do...
  • ac27e1e fixed a regression from #1189 where a child template's block override no long...
  • 17fae11 update documentation for building and previewing with mkdocs, fix unit tests ...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [smarty/smarty](https://github.com/smarty-php/smarty) from 5.8.0 to 5.8.4.
- [Release notes](https://github.com/smarty-php/smarty/releases)
- [Changelog](https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md)
- [Commits](smarty-php/smarty@v5.8.0...v5.8.4)

---
updated-dependencies:
- dependency-name: smarty/smarty
  dependency-version: 5.8.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
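Added example, not code from the Smarty project or this PR: a Smarty 5 security policy set the way the 5.8.x changelog entries above recommend (null rather than a string such as 'none' for static_classes, streams disabled, no trusted remote hosts), plus a small audit helper that flags the settings those entries call out. StrictPolicy, auditPolicy and the autoload/template paths are assumptions.

```php
<?php
// Added example, not code from the Smarty project or this PR: a Smarty 5
// security policy set the way the 5.8.x changelog entries recommend, plus
// an audit helper. StrictPolicy/auditPolicy and the paths are assumptions.
require __DIR__ . '/vendor/autoload.php';

use Smarty\Smarty;
use Smarty\Security;

final class StrictPolicy extends Security
{
    // null (not the string 'none') denies every static class; a non-array
    // value raised a TypeError on PHP 8 before 5.8.4.
    public $static_classes = null;
    // null denies every stream wrapper, including nested ones such as
    // stream:php://..., which 5.8.4 now checks against this setting.
    public $streams = null;
    // No remote {fetch} hosts; add anchored regexes only where needed.
    public $trusted_uri = [];
}

/** Returns human-readable findings for the settings the changelog calls out. */
function auditPolicy(Security $policy): array
{
    $findings = [];
    if ($policy->static_classes !== null && !is_array($policy->static_classes)) {
        $findings[] = 'static_classes is neither an array nor null (TypeError before 5.8.4)';
    } elseif ($policy->static_classes === []) {
        $findings[] = 'static_classes = [] allows every static class; use null to deny all';
    }
    if (is_array($policy->streams) && in_array('php', $policy->streams, true)) {
        $findings[] = 'streams allows php://, so php://filter can expose local files';
    }
    return $findings;
}

$smarty = new Smarty();
$smarty->setTemplateDir(__DIR__ . '/templates');
$smarty->enableSecurity(StrictPolicy::class);

// Report findings for the policy in use.
print_r(auditPolicy(new StrictPolicy($smarty)));
```

Run the same auditPolicy() against your existing Security subclass before upgrading: any finding there is a setting the 5.8.2 to 5.8.4 fixes change the behaviour of.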
dependabot[bot] (Author) commented on behalf of github Jul 1, 2026

Assignees

The following users could not be added as assignees: Hackmastr, rumblefrog. Either they do not exist or they do not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 1, 2026