Updating from 11.3.9 to 11.3.10

By ivk on 30 May 2026 at 14:32 UTC

Dear forum members,

I installed Drupal (11.3.9) using the following line:
composer create-project drupal/recommended-project my_site_name.

When I try to update Drupal to 11.3.10 using the following line:
composer update "drupal/core-*" --with-all-dependencies,

I get the following message:
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

Problem 1
- Root composer.json requires drupal/core-recommended 11.3.9 -> satisfiable by drupal/core-recommended[11.3.9].
- drupal/core-recommended 11.3.9 requires drupal/core 11.3.9 -> found drupal/core[11.3.9] but these were not loaded, because they are affected by security advisories ("SA-CORE-2026-004"). Review the advisory details above for more information. To ignore the advisories, add their IDs to the "policy.advisories.ignore-id" config or add the package to "policy.advisories.ignore". To turn the feature off entirely, you can set "policy.advisories.block" to false.

I have searched the internet to find out what this means and what I need to do to solve it.
Because it is all new to me, it is (unfortunately still) too cryptic for me.
Can someone explain to me what the above means and what I need to do to solve this?

Thanks in advance!

Comments

Please post your composer

jaypan

Victoria, BC

commented 1 June 2026 at 23:07

Please post your composer.json here, and also post the output of composer prohibits drupal/core 11.3.10.

Contact me to contract me for D7 -> D10/11 migrations.

Thank you for your reply

ivk commented 2 June 2026 at 18:31

This is the content of the file "composer.json" in the folder "drupal":

{
    "name": "drupal/recommended-project",
    "description": "Project template for Drupal projects with a relocated document root",
    "type": "project",
    "license": "GPL-2.0-or-later",
    "homepage": "https://www.drupal.org/project/drupal",
    "support": {
        "docs": "https://www.drupal.org/docs/user_guide/en/index.html",
        "chat": "https://www.drupal.org/node/314178"
    },
    "repositories": [
        {
            "type": "composer",
            "url": "https://packages.drupal.org/8"
        }
    ],
    "require": {
        "composer/installers": "^2.3",
        "drupal/core-composer-scaffold": "^11.3",
        "drupal/core-recipe-unpack": "^11.3",
        "drupal/core-project-message": "^11.3",
        "drupal/core-recommended": "^11.3"
    },
    "conflict": {
        "drupal/drupal": "*"
    },
    "minimum-stability": "stable",
    "prefer-stable": true,
    "config": {
        "allow-plugins": {
            "composer/installers": true,
            "drupal/core-composer-scaffold": true,
            "drupal/core-recipe-unpack": true,
            "drupal/core-project-message": true,
            "phpstan/extension-installer": true,
            "dealerdirect/phpcodesniffer-composer-installer": true,
            "php-http/discovery": true,
            "php-tuf/composer-integration": true
        },
        "sort-packages": true
    },
    "extra": {
        "drupal-scaffold": {
            "locations": {
                "web-root": "web/"
            }
        },
        "installer-paths": {
            "web/core": [
                "type:drupal-core"
            ],
            "web/libraries/{$name}": [
                "type:drupal-library"
            ],
            "web/modules/contrib/{$name}": [
                "type:drupal-module"
            ],
            "web/profiles/contrib/{$name}": [
                "type:drupal-profile"
            ],
            "web/themes/contrib/{$name}": [
                "type:drupal-theme"
            ],
            "drush/Commands/contrib/{$name}": [
                "type:drupal-drush"
            ],
            "web/modules/custom/{$name}": [
                "type:drupal-custom-module"
            ],
            "web/profiles/custom/{$name}": [
                "type:drupal-custom-profile"
            ],
            "web/themes/custom/{$name}": [
                "type:drupal-custom-theme"
            ],
            "recipes/{$name}": [
                "type:drupal-recipe"
            ]
        },
        "drupal-core-project-message": {
            "include-keys": [
                "homepage",
                "support"
            ],
            "post-create-project-cmd-message": [
                "<bg=blue;fg=white>                                                         </>",
                "<bg=blue;fg=white>  Congratulations, you’ve installed the Drupal codebase  </>",
                "<bg=blue;fg=white>  from the drupal/recommended-project template!          </>",
                "<bg=blue;fg=white>                                                         </>",
                "",
                "<bg=yellow;fg=black>Next steps</>:",
                "  * Install the site: https://www.drupal.org/docs/installing-drupal",
                "  * Read the user guide: https://www.drupal.org/docs/user_guide/en/index.html",
                "  * Get support: https://www.drupal.org/support",
                "  * Get involved with the Drupal community:",
                "      https://www.drupal.org/getting-involved",
                "  * Remove the plugin that prints this message:",
                "      composer remove drupal/core-project-message"
            ]
        }
    }
}

This is the output of the command composer prohibits drupal/core 11.3.10:

In BaseDependencyCommand.php line 102:
  Could not find package "drupal/core" in your project

Which make sense because my core folder is in: "drupal/web/core",

but that is how it was installed by the command:

"composer create-project drupal/recommended-project my_site_name".

In the root (drupal/web) there is no file "composer.json".

I hope that I have given you sufficient information with this.

composer.json & output

ivk commented 9 June 2026 at 15:26

Sorry for the delay. For some reason my original reply is placed in a queue to be checked by a moderator.

The content of "drupal/composer.json" is:

{
    "name": "drupal/recommended-project",
    "description": "Project template for Drupal projects with a relocated document root",
    "type": "project",
    "license": "GPL-2.0-or-later",
    "homepage": "https://www.drupal.org/project/drupal",
    "support": {
        "docs": "https://www.drupal.org/docs/user_guide/en/index.html",
        "chat": "https://www.drupal.org/node/314178"
    },
    "repositories": [
        {
            "type": "composer",
            "url": "https://packages.drupal.org/8"
        }
    ],
    "require": {
        "composer/installers": "^2.3",
        "drupal/core-composer-scaffold": "^11.3",
        "drupal/core-recipe-unpack": "^11.3",
        "drupal/core-project-message": "^11.3",
        "drupal/core-recommended": "^11.3"
    },
    "conflict": {
        "drupal/drupal": "*"
    },
    "minimum-stability": "stable",
    "prefer-stable": true,
    "config": {
        "allow-plugins": {
            "composer/installers": true,
            "drupal/core-composer-scaffold": true,
            "drupal/core-recipe-unpack": true,
            "drupal/core-project-message": true,
            "phpstan/extension-installer": true,
            "dealerdirect/phpcodesniffer-composer-installer": true,
            "php-http/discovery": true,
            "php-tuf/composer-integration": true
        },
        "sort-packages": true
    },
    "extra": {
        "drupal-scaffold": {
            "locations": {
                "web-root": "web/"
            }
        },
        "installer-paths": {
            "web/core": [
                "type:drupal-core"
            ],
            "web/libraries/{$name}": [
                "type:drupal-library"
            ],
            "web/modules/contrib/{$name}": [
                "type:drupal-module"
            ],
            "web/profiles/contrib/{$name}": [
                "type:drupal-profile"
            ],
            "web/themes/contrib/{$name}": [
                "type:drupal-theme"
            ],
            "drush/Commands/contrib/{$name}": [
                "type:drupal-drush"
            ],
            "web/modules/custom/{$name}": [
                "type:drupal-custom-module"
            ],
            "web/profiles/custom/{$name}": [
                "type:drupal-custom-profile"
            ],
            "web/themes/custom/{$name}": [
                "type:drupal-custom-theme"
            ],
            "recipes/{$name}": [
                "type:drupal-recipe"
            ]
        },
        "drupal-core-project-message": {
            "include-keys": [
                "homepage",
                "support"
            ],
            "post-create-project-cmd-message": [
                "<bg=blue;fg=white>                                                         </>",
                "<bg=blue;fg=white>  Congratulations, you’ve installed the Drupal codebase  </>",
                "<bg=blue;fg=white>  from the drupal/recommended-project template!          </>",
                "<bg=blue;fg=white>                                                         </>",
                "",
                "<bg=yellow;fg=black>Next steps</>:",
                "  * Install the site: https://www.drupal.org/docs/installing-drupal",
                "  * Read the user guide: https://www.drupal.org/docs/user_guide/en/index.html",
                "  * Get support: https://www.drupal.org/support",
                "  * Get involved with the Drupal community:",
                "      https://www.drupal.org/getting-involved",
                "  * Remove the plugin that prints this message:",
                "      composer remove drupal/core-project-message"
            ]
        }
    }
}

The output of the command: "composer prohibits drupal/core 11.3.10"

In BaseDependencyCommand.php line 102:

  Could not find package "drupal/core" in your project

Which makes sense because the folder "core" is not in the folder "drupal" but in the folder "drupal/web" as is installed by the command "composer create-project drupal/recommended-project my_site_name".

When I enter the following command: "composer update "drupal/web/core-*" --with-all-dependencies",

the output is:

composer update "drupal/web/core-*" --with-all-dependencies
Loading composer repositories with package information
Pattern "drupal/web/core-*" listed for update does not match any locked packages.
Updating dependencies
Nothing to modify in lock file
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing drupal/core (11.3.9): Extracting archive
Generating autoload files
41 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Scaffolding files for drupal/core:
  - Copy [web-root]/.htaccess from assets/scaffold/files/htaccess
  - Copy [web-root]/README.md from assets/scaffold/files/drupal.README.md
  - Copy [web-root]/index.php from assets/scaffold/files/index.php
  - Copy [web-root]/.csslintrc from assets/scaffold/files/csslintrc
  - Copy [web-root]/robots.txt from assets/scaffold/files/robots.txt
  - Copy [web-root]/update.php from assets/scaffold/files/update.php
  - Copy [web-root]/INSTALL.txt from assets/scaffold/files/drupal.INSTALL.txt
  - Copy [web-root]/.eslintignore from assets/scaffold/files/eslintignore
  - Copy [web-root]/.eslintrc.json from assets/scaffold/files/eslintrc.json
  - Copy [web-root]/.ht.router.php from assets/scaffold/files/ht.router.php
  - Copy [web-root]/sites/README.txt from assets/scaffold/files/sites.README.txt
  - Copy [web-root]/example.gitignore from assets/scaffold/files/example.gitignore
  - Copy [web-root]/themes/README.txt from assets/scaffold/files/themes.README.txt
  - Copy [web-root]/modules/README.txt from assets/scaffold/files/modules.README.txt
  - Copy [web-root]/profiles/README.txt from assets/scaffold/files/profiles.README.txt
  - Copy [web-root]/sites/example.sites.php from assets/scaffold/files/example.sites.php
  - Copy [web-root]/sites/development.services.yml from assets/scaffold/files/development.services.yml
  - Copy [web-root]/sites/example.settings.local.php from assets/scaffold/files/example.settings.local.php
  - Copy [web-root]/sites/default/default.services.yml from assets/scaffold/files/default.services.yml
  - Copy [web-root]/sites/default/default.settings.php from assets/scaffold/files/default.settings.php
Found 27 security vulnerability advisories affecting 9 packages.
Run "composer audit" for a full list of advisories.

It wouldn't be drupal/core,

jaypan

Victoria, BC

commented 12 June 2026 at 15:46

It wouldn't be drupal/web/core, as what you are calling is not a path, but rather a library name. The namespace is drupal and the package is core. The reason I asked you to try that, is because drupal/core is listed as a dependency of drupal/core-recommended. Often, when core-recommended cannot be updated, it's an issue of a conflict with the underlying drupal/core library. It's a bit strange to me that you got the result you did when executing the command you did, but I think that we can skip passed it. There as a security exploit found that has been resolved as of 11.3.11, so you should try upgrading to that according to your standard upgrade process. If that does not work, please update us once more, with the command and output (what you provided before was very helpful, I just think it can be resolved by skipping 11.3.10).

Contact me to contract me for D7 -> D10/11 migrations.

I encountered a similar issue

teebo commented 14 June 2026 at 09:11

I encountered a similar issue.
Composer update on a 11.3.9 install was giving me the same issue.

composer require drupal/core-recommended:11.3.11 drupal/core-composer-scaffold:11.3.11 drupal/core-project-message:11.3.11 --update-with-all-dependencies

Gave me a more understandable error:

Problem 1
    - Root composer.json requires drupal/core-recommended 11.3.11 -> satisfiable by drupal/core-recommended[11.3.11].
    - drupal/core-recommended 11.3.11 requires guzzlehttp/psr7 ~2.8.0 -> found guzzlehttp/psr7[2.8.0, 2.8.1] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-gm5x-j3mz-71n9", "PKSA-jj5t-2zs1-dcfm") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

A Guzzle security issue is blocking the update.
It's not recommended to bypass security advisories, but being a minor issue, I "ignored" the issue like mentioned.
The update ran perfectly afterwards.

Check Composer issues for Drupal core

ressa

he/him

commented 14 June 2026 at 11:11

Recently there have been a few Symfony security updates, which makes Composer block Drupal core updates.

So it's good to check if there is a new Composer issue for Drupal core, where they are usually quickly reported, fixed and a workaround shared. See for example:

Still no succes

ivk commented 24 June 2026 at 14:23

I took some time to see if I could update my site using all your feedback. Sadly, still no succes.

I entered the following commands:

composer require "guzzlehttp/psr7:2.11.0 as 2.8.1"

composer update "drupal/core-*" --with -all-dependencies

Output:

Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 1 update, 0 removals
  - Upgrading drupal/core-recipe-unpack (11.3.12 => 11.3.13)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 1 update, 0 removals
  - Upgrading drupal/core-recipe-unpack (11.3.12 => 11.3.13): Extracting archive
Package doctrine/annotations is abandoned, you should avoid using it. No replace                                                  ment was suggested.
Generating autoload files
43 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found.

Which suggestes to me that the site is updated to version 11.3.13.

I also got this output:

Direct dependencies required in composer.json:
drupal/core 11.2.14 11.3.13 Drupal is an open source content management platform powering millions of websit...
drupal/core-composer-scaffold 11.3.9  11.3.13 A flexible Composer project scaffold builder.
drupal/core-project-message   11.3.9  11.3.13 Adds a message after Composer installation.

I cleared the chache and checked if the databse needed to be updated, which is not the case.

Still the Drupal rapport shows:

Drupal core 11.3.9
Recommended version:
11.3.13 (2026-Jun-23)
Security update:
11.4.0-rc2 (2026-Jun-17)
Security update:
11.3.12 (2026-Jun-17)
Most recent version:
11.4.0-rc2 (2026-Jun-17)

What am I doing wrong / am I overlooking and what should I do instead?

some background about me

ivk commented 24 June 2026 at 15:25

I am not a professional site manager, but an retired electrical, hardware engineer & designer with some experience in programming, who was asked to build a site. So this is all new to me!

So far, as long as everything goes the way it's supposed to, I can manage. But if that's not the case, I still can't figure out what's going wrong.

So thank you all for helping me (and others).

Remove all minor constraints from core-recommended?

ressa

he/him

commented 24 June 2026 at 18:43

Since I left a comment 14 June which listed recent hurried Composer updates, another one arrived:

#3603733: Update guzzlehttp/psr7 to 2.12.1 and guzzlehttp/guzzle to 7.12.1

Like I wrote, please check the Composer issue for Drupal core if you get one of those baffling Composer errors after an update ... they are usually quickly reported, fixed and a workaround shared.

There is discussion if we should #3600889: Remove all minor constraints from core-recommended, everyone should feel free to share their observations about Drupal and Composer.

Drupal core uses (depends on)

jaypan

Victoria, BC

commented 25 June 2026 at 06:42

Drupal core uses (depends on) Guzzle. The version of Guzzle Drupal is using has had a security release, but Drupal core is not set up to use the updated version of Guzzle yet. When updating with Composer, it is finding that Guzzle has a security hole, so default Composer settings prevent update. Unfortunately, the fix doesn't appear to be as simple as just upgrading the Guzzle version with everything still working as it was; it appears to require additional work.

You have three options that I can see:

I assume a new Drupal release will be out soon enough which will address this.
You can tell composer to ignore those (or all) security bugs in composer libraries. This should allow update with Composer.
If you cannot wait, are are unwilling to, you can try patching Drupal core from the linked issue where this problem is being worked on.

Contact me to contract me for D7 -> D10/11 migrations.

I'm getting closer (I think)

ivk commented 25 June 2026 at 14:55

I went with option 2 and according to the information in composer drupal is now updated to 11.3.13. But the GUI / report still shows version 11.3.9 is installed and updates are needed, even though I have cleared / rebuilt the cache multiple times and in different ways.

Updating from 11.3.9 to 11.3.10

Comments

Please post your composer

Thank you for your reply

composer.json & output

It wouldn't be drupal/core,

I encountered a similar issue

Check Composer issues for Drupal core

Still no succes

some background about me

Remove all minor constraints from core-recommended?

Drupal core uses (depends on)

I'm getting closer (I think)

New forum topics

News items

Our community

Documentation

Drupal code base

Governance of community