- Issue created by @loopy1492
- 🇬🇧United Kingdom longwave UK
Thanks for reporting; this is the right place for core-recommended issues.
The security team and release managers are aware of this issue and we are discussing next steps. At present we do not believe core is vulnerable but that doesn't prevent composer audit or roave/security-advisories from complaining.
- 🇬🇧United Kingdom longwave UK
Next steps here are to get MRs opened for all supported branches.
- First commit to issue fork.
- 🇬🇧United Kingdom alexpott 🇪🇺
alexpott → changed the visibility of the branch 10.5.x to hidden.
- 🇬🇧United Kingdom alexpott 🇪🇺
alexpott → changed the visibility of the branch 11.1.x to hidden.
- 🇬🇧United Kingdom alexpott 🇪🇺
alexpott → changed the visibility of the branch 3503195-twig-needs-updating to hidden.
- 🇬🇧United Kingdom alexpott 🇪🇺
We should be green here on all the branches...
- 🇬🇧United Kingdom catch
Until this is in a patch release of Drupal core increasing the constraints (probably Wednesday 5th February, because we're confident that Drupal core is not affected by the actual vulnerability and Twig has a history of breaking things in minor releases, including very recently), you can work around the constraint by aliasing the Twig version in composer.
An example of that is here: https://mikemadison.net/blog/2021/1/20/composer-aliases-how-to-fake-a-de...
- 🇺🇸United States loopy1492
Thanks for this. Since the team doesn't seem to believe that this issue won't threaten Drupal core, we'll go ahead and audit:ignore it until there's a release.
- 🇺🇸United States jackfoust
@loopy1492 how did you set up your ignore? The CVE number doesn't seem to be working for me.
- 🇺🇸United States greggles Denver, Colorado, USA
Adding what I believe is the audit ignore syntax to the issue summary to help folks as a workaround until this gets packaged.
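Added illustration, not taken from this issue, from the issue summary, or from the linked blog post, of how the two workarounds discussed above look in a project's root `composer.json`: the inline alias that catch describes (install the fixed Twig release while presenting it to the resolver as the version that `drupal/core-recommended` pins), and the `config.audit.ignore` entry that loopy1492 and greggles refer to. Every version string and the advisory identifier are placeholders; the real values are not on this page and must be taken from the Twig advisory and from the `twig/twig` constraint in your installed `drupal/core-recommended`.

```json
{
  "require": {
    "drupal/core-recommended": "CORE_CONSTRAINT_PLACEHOLDER",
    "twig/twig": "FIXED_TWIG_VERSION_PLACEHOLDER as PINNED_TWIG_VERSION_PLACEHOLDER"
  },
  "config": {
    "audit": {
      "ignore": [
        "CVE-YYYY-NNNNN-PLACEHOLDER"
      ]
    }
  }
}
```

The two settings do different jobs and are independent. The `"X as Y"` alias actually changes what is installed: Composer fetches `X` (the fixed release) but satisfies every constraint as if it were `Y` (the pinned release), so `composer audit` stops matching the vulnerable range once `composer update twig/twig` has been run. The `config.audit.ignore` list only suppresses the report for the named advisory; the installed package is unchanged, so it is the right tool when, as the security team states above, core is believed not to be affected and you are waiting for the patch release, and it should be removed once the constraint bump ships. The identifier in the list has to match the advisory exactly as Composer reports it, which is the likely reason a CVE string "doesn't seem to be working" in one environment and does in another.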