There is an ongoing debate about how the version should be pinned (whether to a specific version or a minor/major). That issue is discussed here: https://www.drupal.org/project/drupal/issues/3198340

Regardless of how that debate turns out, the current drupal/core-recommended is vulnerable to CVE-2022-31043.

IMO the version should be changed from "6.5.6" to "^6.5", but that debate is being had in the other issue. At the very least, it should be updated now to "6.5.7" to avoid CVE-2022-31043.
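The difference between the two pins argued about above can be checked mechanically. The script below is an added example, not code from the issue or from Drupal core: it evaluates a composer.lock (a constructed fragment is embedded) against the fixed version the issue names (6.5.7 for the 6.5.x series) and shows that the exact pin "6.5.6" cannot admit that release while "^6.5" does. Only the 6.5.x series is evaluated, since that is the only series the issue discusses.

```python
"""Check the guzzlehttp/guzzle pin discussed in the issue against a composer.lock.

Constructed example: the lock content below is made up for illustration.
The fixed-version threshold (6.5.7 for the 6.5.x series) is the one stated in
the issue; other release series are reported as not evaluated.
"""
import json
import re

PACKAGE = "guzzlehttp/guzzle"
FIXED_65 = (6, 5, 7)  # per the issue: 6.5.6 is affected, 6.5.7 is not

def parse_version(v: str) -> tuple:
    """Turn 'v6.5.6' or '6.5.6' into (6, 5, 6); trailing suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def caret_allows(constraint: str, version: tuple) -> bool:
    """Composer '^6.5' semantics: >=6.5.0 and <7.0.0; a bare version is an exact pin.
    (Composer's special handling of 0.x caret ranges is not modelled here.)"""
    if constraint.startswith("^"):
        base = [int(x) for x in constraint[1:].split(".")]
        base += [0] * (3 - len(base))
        lower = tuple(base)
        upper = (base[0] + 1, 0, 0)
        return lower <= version < upper
    return parse_version(constraint) == version

def guzzle_status(lock_json: str) -> str:
    """Return 'fixed', 'vulnerable', 'not-evaluated' or 'absent' for the locked guzzle."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            ver = parse_version(pkg["version"])
            if ver[:2] != (6, 5):
                return "not-evaluated"  # other series have their own fix versions
            return "fixed" if ver >= FIXED_65 else "vulnerable"
    return "absent"

# Constructed composer.lock fragment, not taken from any real project.
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "6.5.6"}]})

if __name__ == "__main__":
    print(guzzle_status(SAMPLE_LOCK))  # vulnerable
    # The exact pin blocks the fixed release; the caret constraint admits it.
    print(caret_allows("6.5.6", (6, 5, 7)), caret_allows("^6.5", (6, 5, 7)))  # False True
```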

Comments

xeM8VfDh created an issue. See original summary.

xeM8VfDh

Status: Active » Closed (works as designed)

Allegedly this will be fixed in a couple days in 9.4.0. I will re-open if it doesn't work.

xeM8VfDh

Status: Closed (works as designed) » Active

Not entirely convinced this is fixed. @cilefen said it was fixed in https://www.drupal.org/project/drupal/issues/3225966 but as far as I can tell none of the commits there address core-recommended.

cilefen

Status: Active » Closed (duplicate)

Stand by.

xeM8VfDh

I stand corrected, 9.3.16 did indeed fix the issue. Thanks for entertaining my confusion @cilefen.