Problem/Motivation

https://github.com/advisories/GHSA-wxmh-65f7-jcvw

Comments

Spokje created an issue. See original summary.

spokje’s picture

Version: 9.5.x-dev » 9.4.x-dev
spokje’s picture

Status: Active » Needs review
longwave’s picture

Status: Needs review » Reviewed & tested by the community

Does what the title says and nothing more.

  • catch committed 72e3bf85 on 9.4.x
    Issue #3357247 by Spokje: Update guzzlehttp/psr7

  • catch committed 5915c704 on 10.0.x
    Issue #3357247 by Spokje: Update guzzlehttp/psr7

  • catch committed 9ee1c0f0 on 10.1.x
    Issue #3357247 by Spokje: Update guzzlehttp/psr7

  • catch committed 24f669fe on 9.5.x
    Issue #3357247 by Spokje: Update guzzlehttp/psr7
catch’s picture

Status: Reviewed & tested by the community » Fixed

Committed/pushed the respective patches to the respective branches, thanks! Good idea to split this off.

eric_a’s picture

If I'm not mistaken only core-recommended constraints were updated and not core constraints.

Isn't the current policy still to also up core constraints (caret) for security updates? Meaning not just core-recommended constraints (tilde)?

Like for example when twig/twig was upped in core from ^2.15.0 to ^2.15.3 in 9.4.7. (https://git.drupalcode.org/project/drupal/-/commit/82a7d4dd3077ef16b69f2...)

I think there are more recent examples out there, but I'm not able to give one right now.

To be more precise: I am proposing to change ^2.4 to ^2.4.5 for 10.0 and 10.1. It's not an issue for the other branches because guzzlehttp/psr7 is not a core root requirement there.
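The caret-versus-tilde point in the comment above, as an added illustration that is not part of the issue and not Drupal core code: a small Python evaluator for Composer `^` and `~` ranges (only the `^X.Y`, `^X.Y.Z`, `~X.Y`, `~X.Y.Z` forms with a major of 1 or higher; no wildcards or combined constraints). It shows that a root constraint of `^2.4` still admits 2.4.0, while `^2.4.5` makes the patched release the floor. The constraint strings and the 2.4.5 version come from the comment; the 2.4.0 sample release is constructed.

```python
import re
from typing import Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """'2.4.5' -> (2, 4, 5); missing components count as 0."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

def constraint_range(constraint: str) -> Tuple[Version, Version]:
    """Lower (inclusive) and upper (exclusive) bound of one ^ or ~ constraint.

    Handles only ^X.Y, ^X.Y.Z, ~X.Y and ~X.Y.Z with X >= 1; Composer gives 0.x
    majors different caret semantics, so those are rejected rather than guessed.
    """
    m = re.fullmatch(r"([\^~])(\d+)\.(\d+)(?:\.(\d+))?", constraint.strip())
    if not m or int(m.group(2)) == 0:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    patch = int(m.group(4)) if m.group(4) is not None else 0
    lower = (major, minor, patch)
    if op == "^" or m.group(4) is None:
        upper = (major + 1, 0, 0)   # caret, or ~X.Y: anything below the next major
    else:
        upper = (major, minor + 1, 0)  # ~X.Y.Z: only the patch component may move
    return lower, upper

def allows(constraint: str, version: str) -> bool:
    """Would Composer accept this release under the constraint?"""
    lower, upper = constraint_range(constraint)
    return lower <= parse_version(version) < upper

def forces_fix(constraint: str, fixed_version: str) -> bool:
    """True when every release the constraint admits is at or above the patched one."""
    lower, _ = constraint_range(constraint)
    return lower >= parse_version(fixed_version)

if __name__ == "__main__":
    # ^2.4 and ^2.4.5 are the constraints discussed in the comment; 2.4.5 is the
    # patched release named there. The 2.4.0 sample is a constructed older release.
    for constraint in ("^2.4", "^2.4.5", "~2.4.5"):
        print(constraint, "admits 2.4.0:", allows(constraint, "2.4.0"),
              "| forces >= 2.4.5:", forces_fix(constraint, "2.4.5"))
```

A lock file or core-recommended's tighter pins can still select the patched release under `^2.4`; the check above only tells you whether the root constraint by itself guarantees it.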

catch’s picture

Eric_A I think that's a good idea but we can do it in a dedicated issue, can you open one?

eric_a’s picture

Eric_A I think that's a good idea but we can do it in a dedicated issue, can you open one?

#3357825: Update guzzlehttp/psr7 constraint

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.