Closed (fixed)
Project:
Drupal core
Version:
10.6.x-dev
Component:
base system
Priority:
Critical
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
28 Jan 2026 at 14:59 UTC
Updated:
18 Feb 2026 at 09:09 UTC
Jump to comment: Most recent
Comments
Comment #2
kentr commentedComment #3
kentr commentedComment #4
catchThis has been issued for all phpunit versions in our supported branches, so we should raise the constaint on main/11.x/11.3.x/10.6.x.
Once that's done, we can decide whether to also do that for 11.2 and 10.5 which are still in security support -nothing should stop people on those versions (or newer versions) updating phpunit themselves though.
Bumping to critical - partly because it's a security release, partly because the next patch release window is in 7 days and it would good to get it into those.
Comment #6
kentr commentedThe MR is a result of running
composer update -W phpunit/phpunit.Comment #7
smustgrave commentedShould it just be targeting phpunit?
Comment #8
kentr commented@smustgrave
I don't know. I figured that would come out in the review process.
composer update phpunit/phpunitonly updates to11.5.46. AFAIK the security fix is in11.5.50: https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50.These do the same as above:
composer require --dev phpunit/phpunit:^11.5composer require --dev phpunit/phpunit:^11composer require --dev phpunit/phpunit:^11.5.50throws errors:I'll revert and let someone else do this.
Comment #9
kentr commentedReverted my last commit.
Needs input from someone more knowledgeable.
Comment #11
mondrakeI think you did the right thing @kentr. The other packages being updated are a must-do based on the constraints dependency hierarchy required to update PHPUnit itself.
Anyway, the steps I followed in the last commit were:
composer update phpunit/phpunit -wcomposer update --lockComment #12
catchYes this looks right.
Comment #13
larowlanCommitted to main - needs new MRs for 11.x and 11.3.x - thanks folks
Comment #19
dww@larowlan asked in Slack for someone to re-roll this for 11.x and 11.3.x.
No cherry-picking worked anywhere. 😅 Recreated on both branches like so:
composer update -W phpunit/phpunitcomposer.jsonto manually bump the phpunit requirement to"^11.5.50"composer update nothing(to regenerate the other touched files)core/tests/PHPStan/composer.jsonto manually bump the phpunit requirement to"^11.5.50"Opened MRs for both.
Comment #21
dwwAlso opened https://git.drupalcode.org/project/drupal/-/merge_requests/14633 for
10.6.xhttps://advisories.gitlab.com/pkg/composer/phpunit/phpunit/CVE-2026-24765/ says "from 9.0.0 before 9.6.33..."
The
composer.lockon10.6.xsays:So seems prudent to upgrade there, too.
Comment #22
dwwComment #23
mondrakeLooks good to me
Comment #26
catchCommitted/pushed to 11.x, thanks!
Unfortunately needs another rebase for 11.3.x and 10.6.x after #3571196: Update symfony/process constraint.
Comment #28
catchNo rebase required, just need to commit them in the opposite order, then they magically apply on top of each other.
Comment #30
catchYep that worked.