Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Symfony has done a security release of symfony/serializer - after co-ordination with their security team we decide that the release does not represent a risk to core code or known contrib code. Therefore we decided to release the updates to the meta-packages as a regular patch release.
Proposed resolution
composer update --with=phpunit/phpunit:^8 -W
Remaining tasks
User interface changes
None
API changes
None
Data model changes
None
Release notes snippet
@todo
Comment | File | Size | Author |
---|---|---|---|
#12 | 3251000-9.2.x-11.patch | 9.44 KB | alexpott |
#12 | 3251000-9.1.x-11.patch | 13.64 KB | alexpott |
#12 | 3-11-interdiff.txt | 1.75 KB | alexpott |
#8 | 3251000-8.patch | 38.69 KB | alexpott |
#8 | 2-8-interdiff.txt | 715 bytes | alexpott |
Comments
Comment #2
alexpottComment #3
alexpottHere's the minimum patch for 9.2.x
Running https://github.com/fabpot/local-php-security-checker/releases shows
In order to update composer (a dev dependency) to a secure version we need to update justinrainbow/json-schema too.
Comment #4
alexpottHere's the same patch as #3 for 9.1.x as that is still security supported.
Comment #5
alexpottFWIW Symfony 3 is not affected so Drupal 8.9 is not either.
Comment #6
alexpottAh #4 didn't update composer/composer for the security issue on 9.1.x. Because:
So bumping composer/xdebug-handler too.
Comment #8
alexpottOh yep now we're using SF 5 release candidates we can bump minimum stability on 9.3.x and 9.4.x
Comment #11
andypostLooks ready to go
Comment #12
alexpottAh we need the composer test fixes from #3224000: Update dependencies for Drupal 9.3 on 9.1.x and 9.2.x
Comment #14
catchThe 9.3.x and 9.4.x patches are in, waiting for the bot on 9.2.x and 9.1.x
Comment #18
catchAlright that's everything into 9.4, 9.3, 9.2, and 9.1 respectively. 9.0 is out of support. 8.9 is both out of support and unaffected anyway.
Comment #19
catchComment #20
catch