chore(deps): update dependency drupal/core-recommended to v10 [security] #101

renovate · 2024-10-03T19:59:57Z

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
drupal/core-recommended	`^9.4` -> `^10.2.11`

GitHub Vulnerability Alerts

CVE-2024-45440

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

CVE-2024-12393

Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVE-2024-55634

Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVE-2024-55637

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.

This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVE-2024-55636

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.

This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.

This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVE-2024-55638

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.

This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.

Release Notes

drupal/core-recommended (drupal/core-recommended)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2024-11-17T19:51:57Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: drupal/composer.lock

Command failed: composer update drupal/core-recommended:10.2.11 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires drupal/core-recommended ^10.2.11 -> satisfiable by drupal/core-recommended[10.2.11].
    - drupal/core-recommended 10.2.11 requires drupal/core 10.2.11 -> found drupal/core[10.2.11] but these were not loaded, likely because it conflicts with another require.
  Problem 2
    - drupal/admin_audit_trail is locked to version 1.0.0-beta1 and an update of this package was not requested.
    - drupal/admin_audit_trail 1.0.0-beta1 requires drupal/core ^8 || ^9 -> satisfiable by drupal/core[8.0.0-beta6, ..., 8.9.x-dev, 9.0.0-alpha1, ..., 9.5.x-dev].
    - drupal/core[9.3.0-alpha1, ..., 9.4.0-alpha1] require laminas/laminas-diactoros ^2.1 -> satisfiable by longwave/laminas-diactoros[2.14.1, 2.14.2, 2.14.3, 2.14.x-dev], laminas/laminas-diactoros[2.1.0, ..., 2.26.x-dev].
    - drupal/core[9.4.0-beta1, ..., 9.4.14] require laminas/laminas-diactoros ^2.11 -> satisfiable by longwave/laminas-diactoros[2.14.1, 2.14.2, 2.14.3, 2.14.x-dev], laminas/laminas-diactoros[2.11.0, ..., 2.26.x-dev].
    - drupal/core[9.4.15, ..., 9.5.x-dev] require longwave/laminas-diactoros ^2.14 -> satisfiable by longwave/laminas-diactoros[2.14.1, 2.14.2, 2.14.3, 2.14.x-dev].
    - drupal/core[9.5.0-beta1, ..., 9.5.8] require laminas/laminas-diactoros ^2.14 -> satisfiable by longwave/laminas-diactoros[2.14.1, 2.14.2, 2.14.3, 2.14.x-dev], laminas/laminas-diactoros[2.14.0, ..., 2.26.x-dev].
    - laminas/laminas-diactoros[2.1.0, ..., 2.4.x-dev] require php ^7.1 -> your php version (8.4.12) does not satisfy that requirement.
    - laminas/laminas-diactoros[2.7.0, ..., 2.14.x-dev] require php ^7.3 || ~8.0.0 || ~8.1.0 -> your php version (8.4.12) does not satisfy that requirement.
    - longwave/laminas-diactoros 2.14.1 require php ^7.3 || ~8.0.0 || ~8.1.0 -> your php version (8.4.12) does not satisfy that requirement.
    - laminas/laminas-diactoros[2.15.0, ..., 2.17.x-dev] require php ^7.4 || ~8.0.0 || ~8.1.0 -> your php version (8.4.12) does not satisfy that requirement.
    - laminas/laminas-diactoros[2.18.0, ..., 2.25.x-dev] require php ~8.0.0 || ~8.1.0 || ~8.2.0 -> your php version (8.4.12) does not satisfy that requirement.
    - laminas/laminas-diactoros[2.26.0, ..., 2.26.x-dev] require php ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.12) does not satisfy that requirement.
    - laminas/laminas-diactoros[2.5.0, ..., 2.6.x-dev] require php ^7.3 || ~8.0.0 -> your php version (8.4.12) does not satisfy that requirement.
    - longwave/laminas-diactoros 2.14.2 requires php ^7.3 || ~8.0.0 || ~8.1.0 || ~8.2.0 -> your php version (8.4.12) does not satisfy that requirement.
    - longwave/laminas-diactoros[2.14.3, ..., 2.14.x-dev] require php ^7.3 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.12) does not satisfy that requirement.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch 2 times, most recently from ad2e889 to 1b35148 Compare October 9, 2024 08:10

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Oct 9, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 1b35148 to 1491a79 Compare October 9, 2024 10:32

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Oct 9, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 1491a79 to d00c8ea Compare October 28, 2024 16:21

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Oct 28, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from d00c8ea to 6bc63e7 Compare October 28, 2024 18:49

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Oct 28, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 6bc63e7 to a5bdf0f Compare November 17, 2024 16:04

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Nov 17, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from a5bdf0f to ef0f985 Compare November 17, 2024 19:51

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Nov 17, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from ef0f985 to 1c8dc69 Compare December 2, 2024 11:14

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Dec 2, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 1c8dc69 to 4a8060c Compare December 2, 2024 14:06

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Dec 2, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 4a8060c to e262f5e Compare December 7, 2024 13:54

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Dec 7, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from e262f5e to aa108a1 Compare December 7, 2024 15:15

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Dec 7, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from aa108a1 to 61008db Compare December 17, 2024 22:36

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Dec 17, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 61008db to 53d9512 Compare December 18, 2024 02:40

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Dec 18, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 53d9512 to 70cb616 Compare December 22, 2024 16:08

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Dec 22, 2024

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 70cb616 to 7f3997e Compare December 22, 2024 19:07

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Dec 22, 2024

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Jun 22, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from be55009 to 4326f85 Compare July 2, 2025 14:44

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Jul 2, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 4326f85 to c2d7f08 Compare July 2, 2025 21:45

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Jul 2, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from c2d7f08 to 9b14710 Compare July 28, 2025 11:46

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Jul 28, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 9b14710 to c57c09d Compare July 28, 2025 18:34

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Jul 28, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from c57c09d to 56c1a82 Compare August 10, 2025 14:47

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Aug 10, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 56c1a82 to 973c098 Compare August 10, 2025 16:56

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Aug 10, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 973c098 to c3ad196 Compare August 13, 2025 17:11

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Aug 13, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from c3ad196 to eec4495 Compare August 13, 2025 21:15

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Aug 13, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from eec4495 to 54eef89 Compare August 14, 2025 10:49

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Aug 14, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 54eef89 to 6c7cc6c Compare August 14, 2025 12:28

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Aug 14, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 6c7cc6c to d9f1e43 Compare August 19, 2025 13:53

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Aug 19, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from d9f1e43 to 0687f0c Compare August 19, 2025 22:09

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Aug 19, 2025

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 0687f0c to 9de272f Compare August 31, 2025 11:15

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to v10 [security]~~ chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security] Aug 31, 2025

chore(deps): update dependency drupal/core-recommended to v10 [security]

c7d0d9e

renovate bot force-pushed the renovate/packagist-drupal-core-recommended-vulnerability branch from 9de272f to c7d0d9e Compare August 31, 2025 13:55

renovate bot changed the title ~~chore(deps): update dependency drupal/core-recommended to ^9.5.11 [security]~~ chore(deps): update dependency drupal/core-recommended to v10 [security] Aug 31, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency drupal/core-recommended to v10 [security] #101

chore(deps): update dependency drupal/core-recommended to v10 [security] #101

Uh oh!

renovate bot commented Oct 3, 2024 •

edited

Loading

Uh oh!

renovate bot commented Nov 17, 2024 •

edited

Loading

Uh oh!

Uh oh!

chore(deps): update dependency drupal/core-recommended to v10 [security] #101

Are you sure you want to change the base?

chore(deps): update dependency drupal/core-recommended to v10 [security] #101

Uh oh!

Conversation

renovate bot commented Oct 3, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Release Notes

Configuration

Uh oh!

renovate bot commented Nov 17, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

File name: drupal/composer.lock

Uh oh!

Uh oh!

renovate bot commented Oct 3, 2024 •

edited

Loading

renovate bot commented Nov 17, 2024 •

edited

Loading