As you may have heard, a security issue for Drupal Core will be released this coming Wednesday (March 28th). More information is available at https://www.drupal.org/psa-2018-001.

We will release a new version (1.12) of Open Social as soon as possible after the Drupal Core release is available. This Open Social release will only contain the Drupal Core security fixes. No other changes will be included.

Updating to Open Social 1.12

To update to the yet-to-be-released new version, you can follow the normal update guide.

Alternative updating

Don't want to wait for Open Social 1.12 to be ready? It’s also possible to just update Drupal Core, even before the updated Open Social is released.

You’d have to add "drupal/core": "8.4.6 as 8.4.5" as a dependency to your composer file (assuming that the 8.4 fix is released as 8.4.6) and then run:

    composer update --with-dependencies drupal/core

This will not update Open Social but it should update Drupal Core to the release with the security fix.

In the future this process will be easier when we merge https://www.drupal.org/project/social/issues/2946771.

Feel free to use the comments below for questions regarding this upcoming release.

Comments

bramtenhove created an issue. See original summary.

bramtenhove’s picture

Title: Drupal.org security issue » Upcoming Drupal Core security release and Open Social

jaapjan’s picture

Open Social 1.12 with drupal/core 8.4.6 is already available on Packagist. Drupal.org packaging will follow shortly.

bramtenhove’s picture

Status: Active » Fixed

The Open Social release including the Core update was also released on Drupal.org.

jos_s’s picture

Thank you for this explanation.

Is it true that after the update to 1.12 the Drupal core version is still indicated as 8.4.6, but that this is the safe (patched) version?

bramtenhove’s picture

Correct, Drupal Core 8.4.6 is the safe version.

jos_s’s picture

Thanks, Bram, I already thought so. But better safe than sorry!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
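
A check to run after either update path, added here as an example that is not part of the original issue or Open Social's own code: it reads composer.lock and compares the locked drupal/core version, rather than the inline alias, against the 8.4.6 release named in this thread. The sample lock excerpt, the placeholder package name and the function names are constructed for illustration, and the layout of the "aliases" section is an assumption.

```python
import json

# Constructed composer.lock excerpt (not from a real site): drupal/core locked at
# 8.4.6 with the inline alias 8.4.5; "example/distribution" is a placeholder name.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/distribution", "version": "1.0.0"},
        {"name": "drupal/core", "version": "8.4.6"},
    ],
    "aliases": [
        {"package": "drupal/core", "version": "8.4.6.0",
         "alias": "8.4.5", "alias_normalized": "8.4.5.0"},
    ],
})


def parse_version(text):
    """Return (major, minor, patch) as ints, or None for dev/branch versions."""
    try:
        return tuple(int(p) for p in text.lstrip("v").split("-")[0].split(".")[:3])
    except ValueError:
        return None


def check_core(lock_text, minimum="8.4.6", package="drupal/core"):
    """Return (status, locked_version, alias) for the core package in a lock file."""
    lock = json.loads(lock_text)
    locked = [p for section in ("packages", "packages-dev")
              for p in lock.get(section, []) if p.get("name") == package]
    if not locked:
        return ("missing", None, None)
    version = locked[0].get("version", "")
    # The alias only changes how constraints are resolved; the code on disk is
    # the locked version, so that is the value compared against the minimum.
    alias = next((a.get("alias") for a in lock.get("aliases", [])
                  if a.get("package") == package), None)
    parsed, wanted = parse_version(version), parse_version(minimum)
    if parsed is None:
        return ("unknown", version, alias)
    if parsed[:2] != wanted[:2]:
        # The page only names the fixed release for the 8.4 branch.
        return ("other-branch", version, alias)
    return ("patched" if parsed >= wanted else "outdated", version, alias)


if __name__ == "__main__":
    print(check_core(SAMPLE_LOCK))
```

Pass the contents of the site's own composer.lock as `lock_text`; a result other than "patched" means the locked core version should be reviewed by hand.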