Bump timber/timber from 1.12.1 to 2.1.0

[dependabot]

Bumps timber/timber from 1.12.1 to 2.1.0.

Release notes

Sourced from timber/timber's releases.

v2.1.0

2.1.0 (2024-04-10)

Security fix

• Fix a security vulnerability where a file processed through Timber image operations could possibly execute arbitrary code in certain circumstances (13c6b0f).

Details The vulnerability could be exploited if your website processes user file inputs (like a form upload) or sideloaded images directly with one of the Timber image operations like Resize, Letterbox, Retina, ToJpg or ToWebp without prior checks whether the uploaded files are really images. We couldn’t replicate the vulnerability in a default WordPress installation, where a user uploads files through the media library. But there could be cases where your website might be vulnerable if a user can upload files in another way.

[!IMPORTANT] This vulnerability only exists for websites running on PHP 7.4.

Features

• Add new timber/cache/transient_key filter to cache methods for transient key used for caching (#2878) (b347677)
• Add new timber/image_helper/sideload_image/basename filter for sideloaded images basename (e4ff72f)
• Add new timber/output/pre-cach filter to $output before it is cached (#2910) (d1356fd)
• Add User::is_current() and User::profile_link() methods (#2924) (b048da8)
• Add WordPress escaping functions via Twig filters (#2933) (a88aa00)
• Allow pagination object to be generated using $prefs only (99219a9) and (2834fd4)
• Bump php-stubs/acf-pro-stubs to ^6.0 (ac17052)
• Update ECS config and apply standards (#2893) (71111e1)

Bug Fixes

• Add classes in MenuItem (#2905) (7e00eeb)
• Allow overwrite of default avatar in comments. (#2786) (9c6e0e3), closes #2468
• Fix minor coding style issue in loader.php to make ECS happy (#2950) (6e8b6ab)
• Ignore acf_get_field_type void errors (441ef9e)
• Make PostIterator::last_post() nullable (#2918) (064dde7)
• Prevent unneeded blog switching in multisite env (#2781) (d81f995)
• Fix unnecessary lowercasing parameters in Timber\URLHelper (#2877) (664ea62)
• Fix some file permissions in docs (#2842) (337d54d)
• Tests: Split test running for integrations (plugins) (#2904) (8d03809)
• Tests: Fix tests failing since Twig 3.8.0 (#2895) (f4a233e)
• Tests: Fix missing constants in static analysis test (ae50ccd)
• Tests: Use new filter in tests (c12e9af)
• Tests: Fix phpstan tests by (#2886)
• Docs: Simplify an if-check in the ACF docs (96d2874)

Miscellaneous Chores

• Add script descriptions in Composer file (#2951) (5785128)
• Add Timber authors (567475e)
• Create SECURITY.md (#2939) (be36065)
• Remove Lando config (#2899) (6fa8ffc)
• Update links in CONTRIBUTING.md (3b2c855)

... (truncated)

Changelog

Sourced from timber/timber's changelog.

2.1.0 (2024-04-10)

Features

• add filter to cache methods (#2878) (b347677)
• add filter for sideloaded images basename (e4ff72f)
• add filter to $output before it is cached (#2910) (d1356fd)
• add is_current and profile_link methods (#2924) (b048da8)
• Add WP escapers via Twig filters (#2933) (a88aa00)
• Allow pagination object to be generated using $prefs only (99219a9)
• allow pagination object to be generated using $prefs only (2834fd4)
• bump php-stubs/acf-pro-stubs to ^6.0 (ac17052)
• update ECS config and apply standards (#2893) (71111e1)

Bug Fixes

• Add patch for PHAR deserialization vulnerability for Timber 2.x (security advisory GHSA-6363-v5m4-fvq3) (13c6b0f)
• adding classes in MenuItem (#2905) (7e00eeb)
• Allow overwrite of default avatar in comments. (#2786) (9c6e0e3), closes #2468
• docs: Simplify an if-check in the ACF docs (96d2874)
• file permissions (#2842) (337d54d)
• fix minor codestyle issue in loader.php to make easy-coding-standard happy (#2950) (6e8b6ab)
• ignore acf_get_field_type void errors (441ef9e)
• make PostIterator->last_post nullable (#2918) (064dde7)
• Prevent unneeded blog switching in multisite env. (#2781) (d81f995)
• split test running for integrations (plugins) (#2904) (8d03809)
• tests failing since Twig 3.8.0 (#2895) (f4a233e)
• tests: fix missing constants in static analysis test (ae50ccd)
• test: use new filter in tests (c12e9af)
• undefined property (9e8409e)
• unnecessary lowercasing parameters (#2877) (664ea62)

Reverts

• revert changing property name (a7b019b)

Miscellaneous Chores

• Add script descriptions in composer file (#2951) (5785128)
• add Timber authors (567475e)
• Create SECURITY.md (#2939) (be36065)
• deps: bump lycheeverse/lychee-action from 1.8.0 to 1.9.1 (1ca79af)
• deps: bump lycheeverse/lychee-action from 1.9.1 to 1.9.3 (#2907) (eecfb03)
• deps: bump peter-evans/create-issue-from-file from 4 to 5 (#2906) (64703f8)
• deps: bump ramsey/composer-install from 2 to 3 (#2941) (97010c4)
• deps: bump tj-actions/changed-files from 39 to 42 (964f11a)

... (truncated)

Commits

• d353d19 chore(2.x): release 2.1.0 (#2913)
• 13c6b0f fix: Add patch for PHAR deserialization vulnerability for Timber 2.x (securit...
• 152e173 docs: Update deprecated Timber::get_context() in code examples (#2962)
• a84ff97 Merge pull request #2957 from timber/2.x-release-please-draft
• 486ef3e updated guternberg docs to reflect ACF Block >v6 (#2945)
• 238587e ci: Use draft release for release please
• 5785128 chore: Add script descriptions in composer file (#2951)
• 6e8b6ab fix: fix minor codestyle issue in loader.php to make easy-coding-standard hap...
• 15fdc38 test: update external image test to use other placeholder service
• 8a98146 cli: update ramsey/composer-install to v3 (#2948)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.