Problem/Motivation

Discovered late in #3198340: Strict constraints in drupal/core-recommended make it harder for Composer-managed sites to apply their own security updates when a core update is not available, egulias/email-validator's latest tag is just 3.2 instead of 3.2.0.

This has the consequence that we have locked to ~3.2 in core-recommended, which will allow upgrades to any later minor, e.g. 3.3.0. The intent of that issue was to only allow patch level updates, e.g. 3.2.1 but not 3.3.0.

Steps to reproduce

Proposed resolution

Ensure that all tilde version constraints in core-recommended have three components so only patch level updates are allowed.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comments

longwave created an issue. See original summary.

xjm’s picture

xjm
she/her
Primary language English
commented
Title: Ensure core-recommended only allows patch level updates » Ensure core-recommended only allows patch level updates, even for dependencies with two-part version numbers
Priority: Normal » Major

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.