Drupal Core Composer Dependencies Security Policy Updated

Here are the security policy updates for Drupal Core Composer Dependencies PSA-2022-06-20:

In Drupal 9.4 and higher, drupal/core-recommended allows patch-level vendor updates

The drupal/core-recommended metapackage now allows patch-level updates for Composer dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package.
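To make the practical difference concrete, here is an added example (not Drupal's or Composer's own code) in Python that models how Composer treats an exact version pin versus a tilde (patch-level) constraint, and which newer releases each would let a site owner install. The composer.lock excerpt, the package names (acme/*) and the list of available versions are constructed placeholders; the tilde and caret semantics follow Composer's documented rules.

```python
"""Model which vendor updates a Composer constraint admits.

Added illustration, not Drupal or Composer code. Package names and versions
below are constructed; Composer's real resolver is far more complete.
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(v: str) -> Version:
    """Normalise 'v4.4.42', '4.4' or '1.2.3-beta1' to a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+(?:\.\d+){0,2})", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def constraint_range(constraint: str) -> Tuple[Version, Version, bool]:
    """Translate one Composer constraint into (lower, upper, upper_inclusive).

    Exact pin  '4.4.42'  -> >=4.4.42, <=4.4.42  (exact vendor versions, as before 9.4)
    Tilde      '~4.4.42' -> >=4.4.42, <4.5.0    (patch-level updates only)
    Tilde      '~4.4'    -> >=4.4.0,  <5.0.0
    Caret      '^4.4.42' -> >=4.4.42, <5.0.0
    """
    c = constraint.strip()
    if c.startswith("~"):
        body = c[1:].lstrip("v")
        lo = parse_version(body)
        # The last digit given is the one allowed to move: three parts => minor is fixed.
        hi = (lo[0], lo[1] + 1, 0) if len(body.split(".")) >= 3 else (lo[0] + 1, 0, 0)
        return lo, hi, False
    if c.startswith("^"):
        lo = parse_version(c[1:])
        hi = (lo[0] + 1, 0, 0) if lo[0] > 0 else (0, lo[1] + 1, 0)
        return lo, hi, False
    lo = parse_version(c)
    return lo, lo, True


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` lies inside the range described by `constraint`."""
    v = parse_version(version)
    lo, hi, inclusive = constraint_range(constraint)
    return lo <= v and (v <= hi if inclusive else v < hi)


def admissible_updates(lock_json: str, constraints: Dict[str, str],
                       available: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each locked package, list the newer available versions the constraint permits."""
    lock = json.loads(lock_json)
    result: Dict[str, List[str]] = {}
    for pkg in lock["packages"]:
        name, locked = pkg["name"], parse_version(pkg["version"])
        constraint = constraints.get(name)
        if constraint is None:
            continue  # not constrained by the metapackage; out of scope here
        result[name] = sorted(
            (v for v in available.get(name, [])
             if parse_version(v) > locked and satisfies(v, constraint)),
            key=parse_version,
        )
    return result


# Constructed composer.lock excerpt (not a real Drupal lock file).
LOCK = json.dumps({"packages": [
    {"name": "acme/library", "version": "v4.4.42"},
    {"name": "acme/other", "version": "2.0.1"},
]})
# Constructed list of releases published upstream after the lock was written.
AVAILABLE = {
    "acme/library": ["v4.4.43", "v4.4.44", "v4.5.0", "v5.0.0"],
    "acme/other": ["2.0.2", "2.1.0"],
}
EXACT_PINS = {"acme/library": "v4.4.42", "acme/other": "2.0.1"}   # old behaviour
PATCH_LEVEL = {"acme/library": "~v4.4.42", "acme/other": "~2.0.1"}  # 9.4+ behaviour

if __name__ == "__main__":
    print("exact pins:  ", admissible_updates(LOCK, EXACT_PINS, AVAILABLE))
    print("patch-level: ", admissible_updates(LOCK, PATCH_LEVEL, AVAILABLE))
```

With exact pins nothing can move, which is why every vendor fix previously needed a new core release; with the tilde constraints a site owner can pull in the patch releases while minor and major bumps still wait for a core update.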

Drupal security advisories and same-day releases for vendor updates will only be issued if Drupal core is known to be exploitable

It is the Drupal Security Team's policy to create new core releases and issue security advisories for third-party vendor libraries only if an exploit is possible in Drupal core. However, both the earlier version of the drupal/core-recommended metapackage and the Drupal.org file archive downloads restrict sites to the exact Composer dependency versions used in Drupal core. Therefore, in practice, the Drupal Security Team has issued numerous security advisories where only contributed or custom code might be vulnerable.

For Drupal 9.4.0 and higher, the Security Team plans to no longer issue these "just-in-case" security advisories for Composer dependency security updates. Instead, the dependency updates will be handled as public security hardenings and will be included alongside other bugfixes in normal Drupal core patch releases. These security hardenings may be released within a few days as off-schedule bugfix releases if contributed projects are known to be vulnerable, or in the next scheduled monthly bugfix window for uncommon or theoretical vulnerabilities.

Sites built using .tar.gz or .zip file downloads should convert to drupal/core-recommended for same-day dependency updates

Drupal 9.4 sites built with tarball or zip file archives will no longer receive the same level of security support for core dependencies. Going forward, if core is not known to be exploitable, the core file downloads' dependencies will be updated in normal bugfix releases within a few days to a few weeks.

Sites built with tarball or zip files should convert to using drupal/core-recommended to apply security updates more promptly than the above timeframe.

Drupal 9.3 will receive prompt, best-effort updates until its end of life

Drupal 9.3 receives security coverage until the release of Drupal 9.5.0 in December 2022, and will not include the above improvement to drupal/core-recommended. Therefore, the Security Team will still try to provide prompt releases of Drupal 9.3 for vendor security updates when it is possible to do so.

Since normal bugfixes are no longer backported to Drupal 9.3, there will already be few to no other changes between its future releases, so dependency updates may be released as normal bugfix releases. Security advisories for Drupal 9.3 vendor updates may still be issued depending on the nature of the vulnerability.

Drupal 7 is not affected by this change and Drupal 7 core file downloads remain fully covered by the Drupal Security Team

Drupal 7 core includes only limited use of third-party dependencies (in particular, the jQuery and jQuery UI JavaScript packages). Therefore, Drupal 7 is not affected by this policy change. Note that Drupal 7 sites that use third-party libraries with Drupal 7 contributed modules must still monitor and apply updates for those third-party libraries.