This release also updates several dependencies for upstream security releases:
Twig is updated to 3.26.0 for a Twig security fix that were released today. Drupal core is affected by these vulnerabilities, so Drupal core's composer.json constraint for Twig has also been increased.
It is recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.
Symfony is updated to 7.4.12 for Symfony security fixes that were released today. Drupal core is affected by some of these vulnerabilities, so Drupal core's composer.json constraints for some Symfony packages have also been increased.
Symfony was previously on 7.3 in Drupal 11.2, but is updated according to our dependency update policy. Site owners should review their applications for Symfony 7.3 compatibility and may see additional deprecation warnings in the log. (That said, support for 11.2 ends on June 17, so an update to at least Drupal 11.3 and Symfony 7.4 will soon be needed regardless).
This release updates the pinned versions of Composer to 2.9.8 for a Composer security fix that was released recently. Drupal core does not expose this vulnerability, but the update is included as a hardening for other applications that may extend the library directly.
underscore.js has been updated to 1.13.8 as hardening for a security issue in that project. This update was previously committed to 11.3, but not backported.
This release also updates several dependencies for upstream security releases:
Twig is updated to 3.26.0 for Twig security fixes that were released today. Drupal core is affected by these vulnerabilities, so Drupal core's composer.json constraint for Twig has also been increased.
It is recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.
Symfony is updated to 7.4.12 for Symfony security fixes that were released today. Drupal core is affected by some of these vulnerabilities, so Drupal core's composer.json constraints for some Symfony packages have also been increased.
This release updates the pinned versions of Composer to 2.9.8 for a Composer security fix that was released recently. Drupal core does not expose this vulnerability, but the update is included as a hardening for other applications that may extend the library directly.
This release also updates several dependencies for upstream security releases:
Twig is updated to 3.26.0 for Twig security fixes that were released today. Drupal core is affected by these vulnerabilities, so Drupal core's composer.json constraint for Twig has also been increased.
It is recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.
Symfony is updated to 6.4.40 for Symfony security fixes that were released today. Drupal core is affected by some of these vulnerabilities, so Drupal core's composer.json constraints for some Symfony packages have also been increased.
This release updates the pinned versions of Composer to 2.9.8 for a Composer security fix that was released recently. Drupal core does not expose this vulnerability, but the update is included as a hardening for other applications that may extend the library directly.
underscore.js has been updated to 1.13.8 as hardening for a security issue in that project. This update was previously committed to 11.3, but not backported.
In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
