Bump smarty/smarty from 5.8.0 to 5.8.4 #2010

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/composer/smarty/smarty-5.8.4

dependabot[bot] commented on behalf of github on Jul 1, 2026

Bumps smarty/smarty from 5.8.0 to 5.8.4.

Release notes

Sourced from smarty/smarty's releases.

v5.8.4

No release notes provided.

v5.8.3

What's Changed

Full Changelog: smarty-php/smarty@v5.8.2...v5.8.3

v5.8.2

What's Changed

  • Security: prevent symlinks inside a trusted secure_dir/template directory from being used to read files outside of it (CWE-22 path traversal), affecting {include} and {fetch} of local files
  • Security: {html_image} now escapes the file, path_prefix, href/link, width and height attributes (it already escaped alt and pass-through attributes), and {html_select_date} casts day_size/month_size/year_size to int (matching {html_select_time}), preventing untrusted values passed into these attributes from breaking out of the generated HTML (CWE-79)
  • Security: {fetch} no longer follows HTTP redirects for remote resources while a security policy is active, preventing an open redirect on a trusted host from bypassing trusted_uri (CWE-918 server-side request forgery)
  • Fixed "Attempt to assign property step on null" error when using a {for} loop inside a block of an extended template #1036

New Contributors

Full Changelog: smarty-php/smarty@v5.8.1...v5.8.2

v5.8.1

What's Changed

Internal changes

New Contributors

Full Changelog: smarty-php/smarty@v5.8.0...v5.8.1

Changelog

Sourced from smarty/smarty's changelog.

[5.8.4] - 2026-06-29

  • Fixed a TypeError on PHP 8 when Security::$static_classes was set to a non-array value (e.g. the string 'none') to disable static class access; any non-array value now cleanly denies access. Use Security::$static_classes = null to disable access to all static classes.
  • Security: the built-in stream: resource type now validates the nested stream wrapper against the security policy, so a template such as stream:php://filter/... can no longer bypass Security::$streams (including Security::$streams = null) to read local files (CWE-22)

[5.8.3] - 2026-06-28

  • fixed a regression from #1189 where a child template's block override no longer applied to a template {include}d by the parent #1192

[5.8.2] - 2026-06-24

  • Security: prevent symlinks inside a trusted secure_dir/template directory from being used to read files outside of it (CWE-22 path traversal), affecting {include} and {fetch} of local files
  • Security: {html_image} now escapes the file, path_prefix, href/link, width and height attributes (it already escaped alt and pass-through attributes), and {html_select_date} casts day_size/month_size/year_size to int (matching {html_select_time}), preventing untrusted values passed into these attributes from breaking out of the generated HTML (CWE-79)
  • Security: {fetch} no longer follows HTTP redirects for remote resources while a security policy is active, preventing an open redirect on a trusted host from bypassing trusted_uri (CWE-918 server-side request forgery)
  • Fixed "Attempt to assign property step on null" error when using a {for} loop inside a block of an extended template #1036

[5.8.1] - 2026-06-23

  • Re-activated unit tests for user literals, which were previously disabled due to a bug in refactoring to v5.
  • fixed a bug where child template's block content leaked into subsequent rendering of the parent template #1189
  • Moved all unit test-generated output from inside the working tree to tmp files #1178

Commits
  • 94a27cb Merge branch 'release/5.8.4'
  • badc5ef version bump
  • 2ae0f9a Fix TypeError for non-array static_classes in Security policy (#1198)
  • b668745 drop unused version attribute from docker-compose.yml
  • 3c9f77a Security: validate nested stream wrapper in stream: resource (CWE-22) (#1195)
  • 042dff6 Merge branch 'release/5.8.3'
  • 1830aa7 version bump
  • b83ffdd requirements for building docs, switched test-runner from mutagen to basic do...
  • ac27e1e fixed a regression from #1189 where a child template's block override no long...
  • 17fae11 update documentation for building and previewing with mkdocs, fix unit tests ...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [smarty/smarty](https://github.com/smarty-php/smarty) from 5.8.0 to 5.8.4.
- [Release notes](https://github.com/smarty-php/smarty/releases)
- [Changelog](https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md)
- [Commits](smarty-php/smarty@v5.8.0...v5.8.4)

---
updated-dependencies:
- dependency-name: smarty/smarty
  dependency-version: 5.8.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels "dependencies" and "php" (Pull requests that update Php code) on Jul 1, 2026
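
The 5.8.4 changelog entry quoted above says the `stream:` resource type now validates the nested stream wrapper against the security policy. The sketch below shows that kind of check. It is an added example, not Smarty's code and not part of this pull request. The function name `isStreamResourceAllowed`, the `appvars` wrapper and the sample inputs are assumptions made for illustration; `$allowedStreams` only plays the role that the changelog gives to `Security::$streams`.

```php
<?php
declare(strict_types=1);

/**
 * Illustrative check (hypothetical helper, not Smarty's implementation):
 * decide whether a "stream:" template resource may be opened under an
 * allow-list of stream wrappers. $allowedStreams is an array of wrapper
 * names, or null to deny every stream.
 */
function isStreamResourceAllowed(string $resource, ?array $allowedStreams): bool
{
    // Only "stream:<wrapper>://<target>" is handled here.
    if (stripos($resource, 'stream:') !== 0) {
        return false;
    }
    $nested = substr($resource, strlen('stream:'));

    // The nested part must itself name a wrapper; extract its scheme.
    if (!preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $nested, $m)) {
        return false;
    }
    // Normalise case so a mixed-case scheme gets the same decision.
    $wrapper = strtolower($m[1]);

    // null (or an empty list) means no stream wrapper is trusted.
    if ($allowedStreams === null || $allowedStreams === []) {
        return false;
    }
    $allowed = array_map('strtolower', $allowedStreams);

    // Decide on the nested wrapper, not on the outer "stream:" prefix.
    return in_array($wrapper, $allowed, true);
}

// Constructed sample inputs; "appvars" is a hypothetical application wrapper.
$cases = [
    ['stream:appvars://greeting', ['appvars']],
    ['stream:php://filter/...',   ['appvars']],
    ['stream:PHP://filter/...',   ['appvars']],
    ['stream:php://filter/...',   null],
];
foreach ($cases as [$resource, $policy]) {
    printf("%-28s policy=%-12s %s\n", $resource, json_encode($policy),
        isStreamResourceAllowed($resource, $policy) ? 'allow' : 'deny');
}
```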