Looks like PHPUnit only uses eval() for mock objects, and Twig only uses it as a last line of defense for building templates. Still breakages, but not of the entire packages (at least those packages) from what I can see.
That said, I agree that eval() should stay enabled by default, as too much breaks if we did the opposite. That way, folks can opt into a hardened environment (at least in this respect) once they've determined that doing so won't break their software.

On Tue, Nov 26, 2019 at 10:01 AM Ken Stanley <doh...@gmail.com> wrote:
>
> So long as the default behavior is to leave it available, I'm okay with
> this. Any app that relies on twig/twig, phpunit/phpunit, many symfony
> packages, dompdf/dompdf, etc relies on being able to use eval().
>