By wagafo on

My site is in Drupal 11.3.10, and I was notified by the system that there are available updates. I ran "composer upgrade" as usual and my site was upgraded to Drupal 11.4.x-dev.

My composer.json has the following relevant bits:

"minimum-stability": "dev",      (I use some modules with "dev" versions)

"prefer-stable": true,

and

"drupal/core-recommended": "^11",

"drupal/core-composer-scaffold": "^11",

"drupal/core-project-message": "^11",

and also

"drupal/core-dev": "^11

Why is "prefer-stable":true not being respected? 

Should I pin the Drupal version to 11.3 by putting in the lines above something like  "~11.3.0" ?

Categories: Drupal 11.x

Comments

ressa’s picture

ressa
he/him
commented

I just learned a better method from @jaypan, see https://www.drupal.org/forum/support/post-installation/2026-01-30/using-...

wagafo’s picture

wagafo commented

Thanks, indeed, that's better.

wagafo’s picture

wagafo commented

I tried the next day, and the upgrade went fine from 11.3.10 to 11.3.11, even with minimum-stability set to "dev". I can't explain it well, sorry if I say it wrongly, but it looks like when there are security advisories and the new version is still not available, "composer upgrade" wants to move out from the affected versions, and if minimum is set to "dev" it will offer to move core to there.

ressa’s picture

ressa
he/him
commented

Thanks for sharing @wagafo, that's interesting :)

Composer is a great tool to manage versions and dependencies with, but as with any package manager -- to handle everything, make exceptions, allow edge cases, etc. -- things have gotten complex ...

PS. A critique of package management tools such as NPM, Composer, etc.: