In Drupal 9.4 and higher, drupal/core-recommended allows patch-level vendor updates
The drupal/core-recommended metapackage now allows patch-level updates of Drupal core's Composer dependencies (for example, from version x.y.z of a library to x.y.z+1) instead of pinning them to the exact versions used in core. Site owners using drupal/core-recommended can therefore install most Composer dependency security updates themselves, without waiting for an upstream release of Drupal core that updates the affected package.
For example, a future Guzzle vendor update like the recent Guzzle security release can be installed by running:
composer update guzzlehttp/guzzle
The change record on drupal/core-recommended and patch-level updates has more detailed information on how this change affects site dependency management. Note that Composer only moves a package to a newer release if every package that requires it, including the site's own composer.json, permits that release; if a site or another package still pins the dependency to an exact version, the command above will leave it unchanged.
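To make the difference between an exact pin and a patch-level constraint concrete, here is an added illustration (not Drupal's or Composer's own code) that models Composer's documented constraint semantics and resolves the highest version that every requirer permits, which is what the solver does for a single-package update. It assumes that "patch-level" is expressed as Composer's tilde constraint (the change record is the authoritative description of the actual constraints the metapackage uses); the available versions and the site constraints are constructed sample data, not a real release list.

```python
"""Why a metapackage's version constraints decide whether
`composer update <package>` can pull in a patch release.

Added illustration, not Drupal's or Composer's code.  Constraint rules
follow Composer's documentation: exact "x.y.z"; tilde "~x.y.z" means
>=x.y.z <x.(y+1).0; caret "^x.y.z" means >=x.y.z <(x+1).0.0 (for 0.x,
the first non-zero component is bumped instead).
"""


def parse_version(v):
    """'6.5.7' -> (6, 5, 7).  Pre-release suffixes are out of scope here."""
    return tuple(int(p) for p in v.strip().split("."))


def _pad(a, b):
    """Right-pad two version tuples with zeros so they compare component-wise."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def allowed_range(constraint):
    """Return (lower_inclusive, upper_exclusive); upper None means an exact pin."""
    c = constraint.strip()
    if c.startswith("~"):
        lo = parse_version(c[1:])
        if len(lo) < 2:
            raise ValueError("~ needs at least major.minor")
        # the last component given may rise; the one before it is bumped
        hi = lo[:-2] + (lo[-2] + 1,) + (0,) * (len(lo) - len(lo[:-2]) - 1)
        return lo, hi
    if c.startswith("^"):
        lo = parse_version(c[1:])
        # bump the first non-zero component (^0.3.2 -> <0.4.0, ^6.5.5 -> <7.0.0)
        i = next((k for k, p in enumerate(lo) if p), len(lo) - 1)
        hi = lo[:i] + (lo[i] + 1,) + (0,) * (len(lo) - i - 1)
        return lo, hi
    return parse_version(c), None


def satisfies(version, constraint):
    """True if `version` lies inside the range `constraint` allows."""
    lo, hi = allowed_range(constraint)
    v, lo = _pad(parse_version(version), lo)
    if hi is None:
        return v == lo
    v, hi = _pad(v, hi)
    return lo <= v < hi


def resolve(available, constraints):
    """Highest available version that every constraint permits, or None.

    The site's root composer.json and each metapackage that requires the
    package contribute one constraint; Composer must satisfy all of them."""
    ok = [v for v in available if all(satisfies(v, c) for c in constraints)]
    return max(ok, key=parse_version) if ok else None


# Constructed sample data: several patch releases on two major branches.
AVAILABLE = ["6.5.5", "6.5.6", "6.5.7", "6.5.8", "7.4.4", "7.4.5"]

SCENARIOS = {
    # old metapackage: exact pin, so `composer update` cannot move off 6.5.5
    "exact pin 6.5.5 + site ^6.5": ["6.5.5", "^6.5"],
    # patch-level constraint: the newest 6.5.x release is now reachable
    "patch-level ~6.5.5 + site ^6.5": ["~6.5.5", "^6.5"],
    # conflicting site requirement: nothing satisfies both, update fails
    "patch-level ~6.5.5 + site ^7.0": ["~6.5.5", "^7.0"],
}

if __name__ == "__main__":
    for label, cons in SCENARIOS.items():
        print(f"{label:34} -> {resolve(AVAILABLE, cons)}")
```

The first scenario is the pre-9.4 situation described in this announcement: the metapackage's exact pin wins over the site's wider range, so a security release of the dependency is unreachable until core itself is re-released. The second is the 9.4 behaviour, where a patch release resolves immediately.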
Drupal security advisories and same-day releases for vendor updates will only be issued if Drupal core is known to be exploitable
It is the Drupal Security Team’s policy to create new core releases and issue security advisories for third-party vendor libraries only if an exploit is possible in Drupal core. However, both the earlier version of the drupal/core-recommended metapackage and Drupal.org file archive downloads restrict sites to the exact Composer dependency versions used in Drupal core. Therefore, in practice, we have issued numerous security advisories (or same-day releases without security advisories) where only contributed or custom code might be vulnerable.
For Drupal 9.4.0 and higher, the Security Team plans to no longer issue these “just-in-case” security advisories for Composer dependency security updates. Instead, the dependency updates will be handled as public security hardenings, and will be included alongside other bugfixes in normal Drupal core patch releases. These security hardenings may be released within a few days as off-schedule bugfix releases if contributed projects are known to be vulnerable, or on the next scheduled monthly bugfix window for uncommon or theoretical vulnerabilities. (Keep in mind that Drupal core often already mitigates vulnerabilities present in its dependencies, so automated security scanners sometimes raise false positives when an upstream CVE is announced.)
Site owners are responsible for monitoring security announcements for third-party dependencies as well as for Drupal projects, and for installing dependency security updates when necessary. Composer 2.4 and later include an audit command (composer audit) that compares the packages in the lock file against published advisories; it is a useful baseline check to run alongside reading the announcements, keeping in mind the false-positive caveat above.
Sites built using .tar.gz or .zip file downloads should convert to drupal/core-recommended for same-day dependency updates
Drupal 9.4 sites built with tarball or zip file archives will no longer receive the same level of security support for core dependencies. Going forward, if core is not known to be exploitable, the core file downloads’ dependencies will be updated in normal bugfix releases within a few days (if contributed projects are known to be vulnerable) to a few weeks (if the vulnerability is uncommon or theoretical).
Sites built with tarball or zip files should convert to using drupal/core-recommended to apply security updates more promptly than the above timeframe.
Drupal 9.3 will receive prompt, best-effort updates until its end of life
Drupal 9.3 receives security coverage until the release of Drupal 9.5.0 in December 2022, and will not include the above improvement to drupal/core-recommended. Therefore, we will still try to provide prompt releases of Drupal 9.3 for vendor security updates when it is possible for us to do so.
Since normal bugfixes are no longer backported to Drupal 9.3, there will already be few to no other changes between its future releases, so dependency updates may be released as normal bugfix releases (rather than security-only releases). Security advisories for Drupal 9.3 vendor updates may still be issued depending on the nature of the vulnerability.
Drupal 7 is not affected by this change and Drupal 7 core file downloads remain fully covered by the Drupal Security Team
For press contacts, please email email@example.com.