Bump the composer group across 1 directory with 3 updates

[dependabot]

Bumps the composer group with 3 updates in the / directory: symfony/yaml, symfony/mime and symfony/twig-bridge.

Updates symfony/yaml from 6.4.26 to 6.4.40

Release notes

Sourced from symfony/yaml's releases.

v6.4.40

Changelog (symfony/yaml@v6.4.39...v6.4.40)

• security #cve-2026-45305 Harden the Parser::cleanup() regexes against catastrophic backtracking (@​nicolas-grekas)
• security #cve-2026-45304 Bound collection-alias resolution in the parser (@​nicolas-grekas)
• security #cve-2026-45133 Bound recursion depth in the parser (@​nicolas-grekas)

v6.4.39

Changelog (symfony/yaml@v6.4.38...v6.4.39)

• bug #64196 Reject non-stringables when using "!!binary" (@​nicolas-grekas)

v6.4.38

Changelog (symfony/yaml@v6.4.34...v6.4.38)

• bug #64119 fix flow collection drops &anchor and !!str &anchor items (@​ousamabenyounes)

v6.4.34

Changelog (symfony/yaml@v6.4.33...v6.4.34)

• bug #57292 Fix parsing nested mappings in sequences (@​HypeMC)

v6.4.30

Changelog (symfony/yaml@v6.4.29...v6.4.30)

• bug symfony/symfony#62612 [Yaml] Fix regression handling blank lines in unquoted scalars (@​yoeunes)
• bug symfony/symfony#62409 [Yaml] Align unquoted multiline scalar parsing with spec for comments (@​yoeunes)
• bug symfony/symfony#62359 [Yaml] Fix parsing of unquoted multiline scalars with comments or blank lines (@​yoeunes)

Commits

• 68dcd1f Merge branch '5.4' into 6.4
• b0b2705 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking
• 5a351ff [Yaml] Bound collection-alias resolution in the parser
• e4fb993 [Yaml] Reject non-stringables when using "!!binary"
• b02ba66 [Yaml] Bound recursion depth in the parser
• f8d2f4a [Yaml] fix flow collection drops &anchor and !!str &anchor items
• 323ed2d CS fixes - native_function_invocation & static_lambda
• f33e2fb Backport some CS fixes from 7.4
• fe7a693 [CS] Back config from 8.1 and apply heredoc_indentation rule
• 7bca30d [Yaml] Fix parsing nested mappings in sequences
• Additional commits viewable in compare view

Updates symfony/mime from 7.3.4 to 7.4.13

Release notes

Sourced from symfony/mime's releases.

v7.4.13

Changelog (symfony/mime@v7.4.12...v7.4.13)

• bug #64345 Reject objects in typed-string properties during __unserialize (@​nicolas-grekas)
• bug #64343 Harden __unserialize against __toString trampolines (@​nicolas-grekas)

v7.4.12

Changelog (symfony/mime@v7.4.9...v7.4.12)

• security #cve-2026-45067 Reject email addresses containing line breaks in Address (@​alexandre-daubois)

v7.4.9

Changelog (symfony/mime@v7.4.8...v7.4.9)

• bug #64047 Preserve inline part filename instead of overwriting it with the Content-ID (@​ousamabenyounes)
• bug #64044 Apply tagged MIME type guessers in File::getMimeType() (@​ousamabenyounes)

v7.4.8

Changelog (symfony/mime@v7.4.7...v7.4.8)

• bug #63683 Fix image method to use DataPart content ID (@​pavelwitassek)

v7.4.7

Changelog (symfony/mime@v7.4.6...v7.4.7)

• bug #63584 Use shell_exec() instead of passthru() in FileBinaryMimeTypeGuesser (@​nicolas-grekas)

v7.4.6

Changelog (symfony/mime@v7.4.5...v7.4.6)

• bug #63235 phpdocumentor/reflection-docblock 6 compatibility (@​mtarld)

v7.4.5

Changelog (symfony/mime@v7.4.4...v7.4.5)

• bug #63206 Conflict with phpdocumentor/reflection-docblock >= 6 (all branches) (@​nicolas-grekas)

v7.4.4

Changelog (symfony/mime@v7.4.3...v7.4.4)

• no significant changes

v7.4.0

Changelog (symfony/mime@v7.4.0-RC3...v7.4.0)

• no significant changes

v7.4.0-RC2

Changelog (symfony/mime@v7.4.0-RC1...v7.4.0-RC2)

... (truncated)

Changelog

Sourced from symfony/mime's changelog.

CHANGELOG

8.0

• Replace __sleep/wakeup() by __(un)serialize() on AbstractPart implementations

7.4

• Deprecate implementing __sleep/wakeup() on AbstractPart implementations; use __(un)serialize() instead

7.0

• Remove Email::attachPart(), use Email::addPart() instead
• Argument $body is now required (at least null) in Message::setBody()
• Require explicit argument when calling Message::setBody()

6.3

• Support detection of related parts if Content-Id is used instead of the name
• Add TextPart::getDisposition()

6.2

• Add File
• Deprecate Email::attachPart(), use addPart() instead
• Deprecate calling Message::setBody() without arguments

6.1

• Add DataPart::getFilename() and DataPart::getContentType()

6.0

• Remove Address::fromString(), use Address::create() instead
• Remove Serializable interface from RawMessage

5.2.0

• Add support for DKIM
• Deprecated Address::fromString(), use Address::create() instead

... (truncated)

Commits

• a845722 Fix tests and merge resolution after merging 6.4 into 7.4
• 25b5570 Merge branch '6.4' into 7.4
• 7186d94 [String][Mime] Reject objects in typed-string properties during __unserialize
• 5575d37 [Routing][RateLimiter][Mime][Security] Harden __unserialize against __toStrin...
• b198dd6 Merge branch '6.4' into 7.4
• 7ccfb0c Merge branch '5.4' into 6.4
• 8f89d3a [Mime] Reject email addresses containing line breaks in Address
• 25d9bc3 Merge branch '6.4' into 7.4
• f2f05cb [Mime] Fix transient test
• 2d550c4 Merge branch '6.4' into 7.4
• Additional commits viewable in compare view

Updates symfony/twig-bridge from 6.4.25 to 6.4.40

Release notes

Sourced from symfony/twig-bridge's releases.

v6.4.40

Changelog (symfony/twig-bridge@v6.4.36...v6.4.40)

• security #cve-2026-45072 Fix XSS issue in CodeExtension::fileExcerpt() (@​nicolas-grekas)

v6.4.36

Changelog (symfony/twig-bridge@v6.4.35...v6.4.36)

• bug #63683 Fix image method to use DataPart content ID (@​pavelwitassek)

v6.4.35

Changelog (symfony/twig-bridge@v6.4.34...v6.4.35)

• bug #63568 Fix Bootstrap 4 horizontal layout broken by form errors moved outside label (@​nicolas-grekas)

v6.4.34

Changelog (symfony/twig-bridge@v6.4.33...v6.4.34)

• bug #63472 Fix Bootstrap 4 form errors rendered inside <label> (@​asispts)

v6.4.32

Changelog (symfony/twig-bridge@v6.4.31...v6.4.32)

• bug #62884 Prevent cached block prefixes from leaking across nested collections (@​nicolas-grekas)

v6.4.31

Changelog (symfony/twig-bridge@v6.4.30...v6.4.31)

• bug symfony/symfony#62744 [TwigBridge] do not use PHPUnit mock objects without configured expectations (@​xabbuh)

v6.4.30

Changelog (symfony/twig-bridge@v6.4.29...v6.4.30)

• bug symfony/symfony#62621 [Form] Fix moneytype step (@​Belhassen)

Commits

• 5a68963 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt()
• 2130327 [FrameworkBundle][TwigBridge] Bump symfony/mime requirement
• e06912a More CS fixes
• 44bcf2a CS fixes - native_function_invocation & static_lambda
• 7a01a58 Backport some CS fixes from 7.4
• bd33dfc [CS] Back config from 8.1 and apply heredoc_indentation rule
• 3ae963a [TwigBridge][Mime] Add missing tests
• f1137ea [TwigBridge] Refactor image method to use DataPart content ID
• 352acf6 [TwigBridge] Fix Bootstrap 4 horizontal layout broken by form errors moved ou...
• 5169074 [TwigBridge] Fix Bootstrap 4 form error layout
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.