v2.1.0

2.1.0 (2024-04-10)

Security fix

• Fix a security vulnerability where a file processed through Timber image operations could possibly execute arbitrary code in certain circumstances (13c6b0f).

Details
The vulnerability could be exploited if your website processes user file inputs (like a form upload) or sideloaded images directly with one of the Timber image operations like Resize, Letterbox, Retina, ToJpg or ToWebp without prior checks whether the uploaded files are really images. We couldn’t replicate the vulnerability in a default WordPress installation, where a user uploads files through the media library. But there could be cases where your website might be vulnerable if a user can upload files in another way.

Important

This vulnerability only exists for websites running on PHP 7.4.

Features

• Add new timber/cache/transient_key filter to cache methods for transient key used for caching (#2878) (b347677)
• Add new timber/image_helper/sideload_image/basename filter for sideloaded images basename (e4ff72f)
• Add new timber/output/pre-cach filter to $output before it is cached (#2910) (d1356fd)
• Add User::is_current() and User::profile_link() methods (#2924) (b048da8)
• Add WordPress escaping functions via Twig filters (#2933) (a88aa00)
• Allow pagination object to be generated using $prefs only (99219a9) and (2834fd4)
• Bump php-stubs/acf-pro-stubs to ^6.0 (ac17052)
• Update ECS config and apply standards (#2893) (71111e1)

Bug Fixes

• Add classes in MenuItem (#2905) (7e00eeb)
• Allow overwrite of default avatar in comments. (#2786) (9c6e0e3), closes #2468
• Fix minor coding style issue in loader.php to make ECS happy (#2950) (6e8b6ab)
• Ignore acf_get_field_type void errors (441ef9e)
• Make PostIterator::last_post() nullable (#2918) (064dde7)
• Prevent unneeded blog switching in multisite env (#2781) (d81f995)
• Fix unnecessary lowercasing parameters in Timber\URLHelper (#2877) (664ea62)
• Fix some file permissions in docs (#2842) (337d54d)
• Tests: Split test running for integrations (plugins) (#2904) (8d03809)
• Tests: Fix tests failing since Twig 3.8.0 (#2895) (f4a233e)
• Tests: Fix missing constants in static analysis test (ae50ccd)
• Tests: Use new filter in tests (c12e9af)
• Tests: Fix phpstan tests by (#2886)
• Docs: Simplify an if-check in the ACF docs (96d2874)

Miscellaneous Chores

• Add script descriptions in Composer file (#2951) (5785128)
• Add Timber authors (567475e)
• Create SECURITY.md (#2939) (be36065)
• Remove Lando config (#2899) (6fa8ffc)
• Update links in CONTRIBUTING.md (3b2c855)
• deps: bump lycheeverse/lychee-action from 1.8.0 to 1.9.1 (1ca79af)
• deps: bump lycheeverse/lychee-action from 1.9.1 to 1.9.3 (#2907) (eecfb03)
• deps: bump peter-evans/create-issue-from-file from 4 to 5 (#2906) (64703f8)
• deps: bump ramsey/composer-install from 2 to 3 (#2941) (97010c4)
• deps: bump tj-actions/changed-files from 39 to 42 (964f11a)

New Contributors

• @expedition-robin-martijn made their first contribution in #2877
• @rubas made their first contribution in #2918
• @jl-a made their first contribution in #2910
• @phasdev made their first contribution in #2863
• @ecupaio made their first contribution in #2945
• @jasalt made their first contribution in #2962
• @Sonicrrrr reported a security vulnerability. Thanks!
• @dependabot made their first contribution in #2885
• @github-actions made their first contribution in #2913

Full Changelog: 2.0.0...v2.1.0

1.24.1

Security fix

• Fix a security vulnerability where a file processed through Timber image operations could possibly execute arbitrary code in certain circumstances.

Details
The vulnerability could be exploited if your website processes user file inputs (like a form upload) or sideloaded images directly with one of the Timber image operations like Resize, Letterbox, Retina, ToJpg or ToWebp without prior checks whether the uploaded files are really images. We couldn’t replicate the vulnerability in a default WordPress installation, where a user uploads files through the media library. But there could be cases where your website might be vulnerable if a user can upload files in another way.

Important

This vulnerability only exists for websites running on PHP 7.4 or lower.

What’s changed

• Allow the Timber\PostPreview::read_more to accept a boolean value by @gerardo-rodriguez in #2578
• Fix tests failing with WordPress 6.4 by @gchtr in #2964
• Remove functionality that disabled updates via the dashboard for major and minor releases by @Levdbas in #2963

Contributors

• @Sonicrrrr reported the security vulnerability. Thanks!
• @gerardo-rodriguez made their first contribution in #2578

Full Changelog: 1.24.0...1.24.1

1.23.1

Security fix

• Fix a security vulnerability where a file processed through Timber image operations could possibly execute arbitrary code in certain circumstances.

Details
The vulnerability could be exploited if your website processes user file inputs (like a form upload) or sideloaded images directly with one of the Timber image operations like Resize, Letterbox, Retina, ToJpg or ToWebp without prior checks whether the uploaded files are really images. We couldn’t replicate the vulnerability in a default WordPress installation, where a user uploads files through the media library. But there could be cases where your website might be vulnerable if a user can upload files in another way.

Important

This vulnerability only exists for websites running on PHP 7.4 or lower.

What’s changed

• Fix tests failing with WordPress 6.4 by @gchtr in #2964
• Remove functionality that disabled updates via the dashboard for major and minor releases by @Levdbas in #2963

Contributors

• @Sonicrrrr reported the security vulnerability. Thanks!

Full Changelog: 1.23.0...1.23.1

1.24.0

Warning

Important information about Timber v1
With the release of Timber 2.0, we will not work on Timber v1 anymore. Please upgrade to Timber v2 as soon as you can.

In Timber v2, Composer is the only supported installation method. We are unable to continue releasing or supporting Timber as a plugin on WordPress.org. We advise everyone to switch to the Composer based install of Timber 1 as a first step.

For more information and a list of additional resources, please visit this #2804.

Bugfixes

• Fixed dynamic properties warnings in PHP 8.2 by @trsteel88 in #2860
• Fixed a type error when a WebP image can’t be generated by @marleylinku in #2865

New Contributors

• @trsteel88 made their first contribution in #2860
• @marleylinku made their first contribution in #2865

Full Changelog: 1.23.0...1.24.0

2.0.0

Timber 2.0 is a big update. There are a lot of breaking changes. You need to thoroughly test your websites in your local development environment before update your live websites.

You can install Timber 2.0 by following the Installation Guide. When installing Timber through Composer, you need to require the 2.0.0 version:

composer require timber/timber:^2.0

Documentation

• 📚 Documentation for Timber 2.0
• 🆙 Upgrade Guide for Timber 2.0

In case you find errors, please open an issue. In case you’re stuck or have questions, create a discussion.

What’s new in Timber 2.0

For information on what’s new in Timber 2.0, follow the Upgrade Guide.

Dropping plugin support

Timber 2.0 is not available as a WordPress plugin anymore, but will only be available as a Composer package. If you’re still using the plugin version of Timber 1.0, you might want to switch to the Composer version first. You can find more information about this in the following links:

• Announcement: Dropping support for the plugin version of Timber
• Guide: How do I switch over from the plugin version to the Composer based version of Timber?

The overall goals of Timber 2.0 include:

• Making Timber’s functions and methods more consistent.
• Making Timber easier to handle and extend.
• Refactoring how Timber Core works under the hood to improve compatibility with WordPress Core and be ready for future challenges.
• Making Timber more compatible with other plugins.

High-level changes include:

• Compatibility with the newest version of PHP.
• A newer, streamlined API for accessing Posts, Terms, Users, Comments and Menus.
• An upgraded Context.
• A new Attachment class for WordPress attachments that are not images.
• A big update for how fetching meta values works.
• Better integration with the WordPress Date and Time functionality.
• Better options to control and extend Twig.
• Class Maps for a more loosely coupled way to extend Timber with your own Post, Term, User, Menu, MenuItem, and Comment objects.
• No more direct instantiation of the classes mentioned above. Use Class Maps instead.
• New PostCollectionInterface for a unified way to deal with various lists of posts.
• An updated WP-CLI integration.
• A new way to add your own Integrations for Timber.

What’s changed since 2.0.0-rc.1

Here’s what’s changed since the last 2.0.0-rc.1 release. (Full Changelog: 2.0.0-rc.1...2.0.0)

Changes

• 2.x Revert final constructors by @gchtr in #2827
• Renamed the master branch to 1.x and made 2.x the default branch.

Bugfixes

• Site overwrite magic __call method by @Levdbas in #2798
• Consider fields value when returning terms from query by @jrathert in #2806
• Initialize typed properties correctly in ExternalImage::build() by @jrathert in #2818 and @nlemoine in #2825

Documentation

• Add documentation and plugin notice about the end of the plugin version by @Levdbas in #2800
• Add note about installing the release candidate by @gchtr in #2796
• Add drop support notice to issue template by @nlemoine in #2810
• Add note about PostsIterator and removal of timber/class/posts_iterator filter by @gchtr in #2835
• Update v2 caching docs by @Levdbas in #2797
• Fix Attachment size doc block by @nlemoine in #2824
• Explained theme path, link and URI helpers in Cheatsheet by @Levdbas in #2787
• Updated plugin support part by @Levdbas in #2805
• Changing functions section references $filters instead of $functions by @niclm in #2799

Become a sponsor

Do you love using Timber for your projects? Consider supporting us by becoming a sponsor. Your sponsorship helps us maintain & improve Timber for everyone! 💚🌲 Join the Timber family today.

Deprecating Plugin Version

This release coincides with the final version to the WordPress.org site. To streamline future support and upgrades, the Timber Team is focused on Composer as the formal release channel.

With the upcoming release of Timber 2.0, we will not release a 2.0 version and beyond as a plugin, but only as a Composer package. We advise everyone to switch to the Composer based install as soon as possible.

Switching to the Composer based version

• Announcement: Dropping support for the plugin version of Timber
• Guide: How do I switch over from the plugin version to the Composer based version of Timber?
• Backstory: Why we are dropping support for the plugin in the first place
• GitHub issue: Roadmap for Timber 2.0

What's Changed

• Improve GitHub pull request template by @gchtr in #2641
• Update bug report template and CODEOWNERS by @gchtr in #2711
• Add Erik to Contributors List by @jarednova in #2735
• Fix PHPDoc typo by @LogicEveryWhere in #2709
• Add sponsorship information to Readme by @gchtr in #2777
• doc: Add drop support notice to issue template by @nlemoine in #2810
• Add documentation and plugin notice about the end of the plugin version by @Levdbas in #2800
• Workflow: fix path to guide by @Levdbas in #2823

New Contributors

• @LogicEveryWhere made their first contribution in #2709

Full Changelog: 1.22.1...1.23.0

2.0.0 – Release Candidate 1

This is the first Release Candidate of the new Timber 2.0 version. Please test this version thoroughly. In case you find errors, please open an issue. In case you have questions, create a discussion.

If you want to stay updated on the next steps, subscribe to Roadmap for Timber 2.0.

You can try out the next Timber version by following the Installation Guide. When installing Timber through Composer, you need to require the 2.0.0-rc.1 version:

composer require timber/timber:2.0.0-rc.1

What’s changed

Here’s what’s changed since the last 2.0.0-beta.2 release. For information on what's new in version 2.0, please see the Upgrade Guide

Changes

• Make object constructors final by @gchtr in #2660
• Refactor file models by @nlemoine in #2753

Removals

• Remove audio & video methods from Post by @nlemoine in #2750
• Remove unused private property by @nlemoine in #2751
• Remove unused param from Timber\Term::build() by @gchtr in #2754

Bug fixes

• Fix PostFactory::is_image incorrectly using wp_check_filetype by @stayallive in #2730
• Fix custom field test by @nlemoine in #2749
• Fix PHPStan issues on level 2 by @gchtr in #2668
• Fix a bug when the_post hook runs twice on each post in a loop by @gchtr in #2756
• Fix a bug when |time_ago didn’t consider timezones correctly by @gchtr in #2758
• Fix URLHelper methods is_local and is_external by @mcaskill in #2767
  • Optimize URLHelper methods is_local and is_external by @gchtr in #2782
• Fix implicit conversion from float to int by @gchtr in #2775
• Add check to image create functions by @Levdbas in #2780

Documentation

• Add @api tag to Helper by @Levdbas in #2746
• Fix PHPDoc typo by @LogicEveryWhere in #2709
• Update property and method docblocks in Theme.php. by @Levdbas in #2744
• Fix some small issues in Getting Started docs by @gchtr in #2761
• Cleanup todo in code by @gchtr in #2757
• Link checker report fixes by @Levdbas in #2747

Testing and tools

• Fix MariaDB in automatic tests by @gchtr in #2776
• Fix some Coding Standard issues by @gchtr in #2779
• Fix skipped tests by @gchtr in #2760
• Coding Standards: improve imports by @nlemoine in #2700
• Fix: phpstan issues & use fully qualified imports by @nlemoine in #2783

New Contributors

• @stayallive made their first contribution in #2730
• @LogicEveryWhere made their first contribution in #2709

Full Changelog: 2.0.0-beta.2...2.0.0-rc.1

Become a sponsor

Do you love using Timber for your projects? Consider supporting us by becoming a sponsor. Your sponsorship helps us maintain & improve Timber for everyone! 💚🌲 Join the Timber family today.

2.0.0 - Beta 2

This is the second beta of the new Timber 2.0 version. A release candidate should follow before summer. If you want to stay updated on the next steps, then subscribe to the Roadmap for Timber 2.0 issue.

You can try out the next Timber version by following the Installation Guide. When installing Timber through Composer, you need to require the 2.0.0-beta.2 version:

composer require timber/timber:2.0.0-beta.2

In case you find errors, please open an issue. In case you have questions, create a discussion.

What’s changed

Here’s what’s changed since the last 2.0.0-beta.1 release.

Merged in from 1.x

• Upgrade Twig to support PHP 8.0/8.1 by @gchtr in #2640
• Add PHP 8.0/8.1 to Timber 1.x matrix by @nlemoine in #2638
• Ensure Twig 3.x is not installed by @rmens in #2679

New features

• External image (Fixes #2627) by @xavivars in #2639
  • Add tests and documentation for external images by @gchtr in #2695

Bugfixes and cleanup

• User can args by @kshaner in #2632
  • Updates to #2632 by @gchtr in #2647
• Fix post get all meta when one value is null by @gustavo-roganti in #2643
  • Fixes for #2643 by @gchtr in #2644
• Fix bug with nextpage block by @gchtr in #2673
• Fix AcfIntegration by @nlemoine in #2692
• Fix User entity by @nlemoine in #2690
• Fix get_term_link() compatibility in Timber\Term by @mcaskill in #2701
• Fix can_edit() permission checks for Term, User, Comment and Menu classes by @gchtr in #2676
• Fix bug when Timber\Theme encoding breaks Timber caching by @gchtr in #2675
• Fix post preview by @nlemoine in #2712
• Fix Menu theme locations array to enforce string or integers by @mcaskill in #2707
• Fix exported files by @szepeviktor in #2650
• Fix some coding standard issues by @gchtr in #2648
• Fix PHPStan issues on level 0 by @gchtr in #2659
• Fix PHPStan issues on level 1 by @gchtr in #2667
• Fix menu item compatibility with WPML by @mcaskill in #2705
• Fix iterable case by @nlemoine in #2715
• Clean init by @nlemoine in #2714
• Add AllowDynamicProperties attribute by @mcaskill in #2698
• Make Timber\Request not implement Timber\CoreInterface by @gchtr in #2631
• Improve scheme detection and take advantage of WP native functions by @nlemoine in #2720
• Update .gitignore by @gchtr in #2649
• Update Timber\Post::get_info() to work with a post data array only by @gchtr in #2674

Removals

• Remove Timber\Request class by @gchtr in #2683
• Remove unused Term::get_term_from_query() function by @gchtr in #2664
• Remove unneeded Timber\Image::is_image() method by @gchtr in #2669
• Remove string helpers by @nlemoine in #2719

Testing and tools

• Add tests for PHP 8.2 by @nlemoine in #2691
• Run tests with lowest dependencies by @nlemoine in #2665
• Update PHPStan setup by @gchtr in #2630
• Fix side effects with tests involving themes by @gchtr in #2703
• Use assertSame instead of assertEquals for certain values by @gchtr in #2670
• Remove deprecation warning from tests by @nlemoine in #2663

Documentation

• Fix hint about Co-Authors Plus in Upgrade Guide by @gchtr in #2684
• Fix 404 link to setup guide by @NReilingh in #2732
• Update descriptions for compile and render methods by @gchtr in #2677
• Make comment neutral by @Levdbas in #2713
• Update broken links in documentation by @Levdbas in #2743

New Contributors

• @kshaner made their first contribution in #2632
• @gustavo-roganti made their first contribution in #2643
• @rmens made their first contribution in #2679
• @mcaskill made their first contribution in #2701
• @NReilingh made their first contribution in #2732

Full Changelog: 2.0.0-beta.1...2.0.0-beta.2

Become a sponsor

Do you love using Timber for your projects? Consider supporting us by becoming a sponsor. Your sponsorship helps us maintain & improve Timber for everyone! 💚🌲 Join the Timber family today.

Fix Twig version when installing Timber with Composer

What's Changed

• Fixed a bug when Twig version 3 was accidentally installed when installing Timber through Composer, by @rmens in #2679.

Full Changelog: 1.22.0...1.22.1

Fix issues with WP.org deployments

This resolves issues with a prior deploy of 1.21.0 to WP.org by correctly targeting the versions of Twig and PHP.

What's Changed

• Fix bugs with latest plugin release 1.21.0 by @gchtr in #2658

Full Changelog: 1.21.0...1.22.0