Drupal 11.4.0 Delay Shows Dependency Patch Pressure on Core Releases
Schedule pressure around Drupal core 11.4.0 exposed a dependency problem behind the delayed June release window. Drupal.org had listed the stable release for the week of 22 June 2026 UTC, but the schedule page later added that the release was delayed because release manager time had gone to two recent core security releases and multiple off-schedule patch releases tied to dependency security updates. Drupal 11.4.0 became available on 1 July 2026, but the delay remains relevant for teams that plan upgrades around minor-release windows.
The issue was not just a missed date. It pointed to a maintenance trade-off in drupal/core-recommended, the Composer metapackage used to pin tested dependency versions for Drupal sites. When upstream security fixes arrive only in dependency minor releases, tighter constraints can leave site owners waiting for a Drupal core release or applying workarounds before they can update.
The clarification followed Drupal core issue #3606498, opened on 26 June 2026 at 10:02 UTC by Dipayan Pramanik. The issue stated that enterprise applications had aligned their internal upgrade planning with the published 11.4.0 release window. Nathaniel Catchpole (catch), a Drupal core release manager, wrote in a comment that two recent core security releases and off-schedule dependency-related patch releases had taken much of the previous three to four weeks of release manager time. He said the release was being held while contributors resolved discussion on issue #3600889.
That related issue, titled “Remove some minor constraints from core-recommended,” proposed a short-term change to remove minor constraints from drupal/core-recommended for Symfony polyfills, Twig, and Guzzle. Its issue summary said off-schedule security releases attached to new minor versions had become more frequent than the dependency-incompatibility problems drupal/core-recommended was designed to guard against. The issue was marked fixed on 29 June 2026 at 15:25 UTC after commits were pushed to 11.x and 11.4.x.
The change is now reflected in Drupal 11.4.0. The release announcement says drupal/core-recommended no longer pins minor versions for dependencies such as Guzzle, Twig, and Symfony Polyfills, allowing security and other updates to be applied without requiring a new Drupal core release. Site owners still need production quality assurance because updated dependencies may not have been tested with Drupal core when they become available.
For release planning, the practical point is narrower than the feature release itself. The 11.4.0 delay showed how dependency security advisories can compete with scheduled minor-release work, especially when patches arrive through upstream minor versions. TDT’s separate Drupal 11.4.0 release story covers the performance, CLI, Brotli, password hashing, and administrative theme changes introduced in the version.


