Skip to content

For 1.6.0 and 2.0.0: Update composer.json.default and composer.lock.default & from15 documentation to target Drupal 10.6.9 and 11.3.x(not sure what version yet) #158

Open
Task
Open
For 1.6.0 and 2.0.0: Update composer.json.default and composer.lock.default & from15 documentation to target Drupal 10.6.9 and 11.3.x(not sure what version yet)#158
Task
Assignees
DiegoPino
Labels
ComposerDancing to the tune of dependenciesDrupal 109 + 2 = 10Drupal 11The one before 12, after 10Release DutiesThings nobody wants to doTwig{{ hello! }}documentationImprovements or additions to documentation
Milestone
1.6.0
@DiegoPino

Description

@DiegoPino
DiegoPino
opened on May 20, 2026

What?

See https://symfony.com/blog/twig-3-26-0-released and https://symfony.com/blog/cve-2026-46640-arbitrary-php-code-execution-via-self-string-macro-reference-compilation

10.6.8 depends on twig twig/twig ~v3.22.0 all affected by security advisories ("PKSA-5k7f-wvjj-jrgw", "PKSA-sjvz-tbbr-vwth", "PKSA-h8hf-ytnd-5t9q", "PKSA-wwb1-81rc-pd65", "PKSA-kvv6-36cr-fkzb", "PKSA-n14z-jjjg-g8vd", "PKSA-3mcc-k66d-pydb", "PKSA-gw7n-z4yx-7xjt", "PKSA-dpx1-78wg-1kqs", "PKSA-21g2-dzjv-sky5")

This will be done May 21st. If not, composer install won't allow users to actually install given the strict audit flags used in production

@alliomeria this is a bit of extra work

Metadata

Metadata

Assignees

Labels

ComposerDancing to the tune of dependenciesDrupal 109 + 2 = 10Drupal 11The one before 12, after 10Release DutiesThings nobody wants to doTwig{{ hello! }}documentationImprovements or additions to documentation

Type

Task

Fields

No fields configured for Task.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions