There is an ongoing debate about how the version should be pinned (whether to a specific version or a minor/major). That issue is discussed here: https://www.drupal.org/project/drupal/issues/3198340
Regardless of how that debate turns out, the current drupal/core-recommended is vulnerable to CVE-2022-31043.
IMO the version should be changed from "6.5.6" to "^6.5", but that debate is being had in the other issue. At the very least, it should be updated now to "6.5.7" to avoid CVE-2022-31043.
Comments
Comment #2
xeM8VfDh commented: Allegedly this will be fixed in a couple days in 9.4.0. I will re-open if it doesn't work.
Comment #3
xeM8VfDh commented: Not entirely convinced this is fixed. @cilefen said it was fixed in https://www.drupal.org/project/drupal/issues/3225966 but as far as I can tell none of the commits there address core-recommended.
Comment #4
cilefen commented: Stand by.
Comment #5
xeM8VfDh commented: I stand corrected, 9.3.16 did indeed fix the issue. Thanks for entertaining my confusion @cilefen.