Open Social install only possible with insecure Drupal core versions — how to install securely?

Created on 19 August 2025, 27 days ago

Problem

Installing Open Social currently forces Drupal core versions with known security advisories.
- Open Social 13.x requires Drupal core 10.3.9 (security advisory).
- Open Social 12.4.13 requires Drupal core 10.3.x (security advisory).
- Using `composer create-project goalgorilla/social_template:dev-master . --no-interaction` installs Open Social 12.4.2 with Drupal 10.2.5 — both outdated and insecure.

Because the distribution pins specific core and contrib versions, upgrading manually is not straightforward. This blocks new installations from running on a secure version of Drupal core in 2025.

Steps to reproduce

1. Run `composer create-project goalgorilla/social_template:dev-master . --no-interaction`
2. Observe that the installation resolves to Open Social 12.4.2 with Drupal core 10.2.5.
3. Attempt to install Open Social 12.4.13 or 13.x.
4. Observe that these releases require insecure Drupal core versions (10.3.x, 10.3.9).

Proposed resolution

- Update Open Social’s composer constraints to allow installation on a **currently supported and secure Drupal core release**.
- Provide guidance or a template `composer.json` that ensures secure dependencies.
- Optionally, backport patches or create a new minor/patch release that aligns with Drupal core’s security windows.

Remaining tasks

- [ ] Review current core/contrib constraints in Open Social composer.json.
- [ ] Identify the earliest secure Drupal core release compatible with Open Social.
- [ ] Update Open Social release(s) accordingly.
- [ ] Document upgrade or installation steps for end users.

User interface changes

None expected.

API changes

None expected.

Data model changes

None expected.

Thanks a lot for your support, really appreciate it.
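A check that could accompany the template `composer.json` proposed above, written as an added example (not Open Social's or drupal.org's code): it parses a constructed `composer.lock` excerpt and flags packages locked at or below a version the issue names as carrying a security advisory. The lock contents, the `LAST_AFFECTED` map and the handling of branch (`dev-*`) versions are assumptions for the demo; the real affected versions must come from the published advisories.

```python
"""Flag composer.lock packages at or below a version known to carry an advisory.

Added example, not part of Open Social or drupal.org. Lock content and the
LAST_AFFECTED map are constructed from the versions named in the issue; in
practice the map is filled from the current Drupal security advisories.
"""
import json
import re

# Constructed composer.lock excerpt mirroring what the dev-master template
# resolves to according to the issue: Open Social 12.4.2 with Drupal core 10.2.5.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.5"},
        {"name": "goalgorilla/open_social", "version": "12.4.2"},
        {"name": "drupal/example_module", "version": "dev-main"},  # constructed
    ]
})

# Highest version of each package the issue reports as still under an advisory.
# Installed versions at or below this value are treated as insecure.
LAST_AFFECTED = {"drupal/core": "10.3.9"}


def parse_version(version):
    """'10.2.5' or 'v10.3.9-rc1' -> (10, 2, 5); None for branch/dev versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[.-].*)?", version)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def find_outdated(lock_json, last_affected):
    """Return {package: (installed, last_affected)} for insecure locked packages.

    Packages locked to a branch (dev-*) cannot be compared numerically; they are
    reported with None so they get manual review instead of silently passing.
    """
    lock = json.loads(lock_json)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, installed = pkg["name"], pkg["version"]
        parsed = parse_version(installed)
        if parsed is None:
            findings[name] = (installed, None)
            continue
        bound = last_affected.get(name)
        if bound is not None and parsed <= parse_version(bound):
            findings[name] = (installed, bound)
    return findings


if __name__ == "__main__":
    for name, (installed, bound) in find_outdated(SAMPLE_LOCK, LAST_AFFECTED).items():
        print(f"{name}: locked at {installed}, affected up to {bound or 'manual review'}")
```

Run it against the real `composer.lock` produced by `composer create-project` before deploying; a non-empty result means the pinned constraints still resolve to an advisory-affected release.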

💬 Support request
Status

Active

Version

12.4

Component

Installation


Comments & Activities


  • I also noticed that Open Social 12.4.13 is marked on drupal.org as a “Stable release covered by the Drupal Security Team” (released June 25, 2025).

    This wording can be quite confusing for new users. It seems to imply that the release is secure, while in practice it still depends on Drupal core versions with published security advisories and on some deprecated modules.

    Could the maintainers please clarify what “covered by the Security Team” means in this context? From what I understand, it only guarantees that if a new vulnerability is discovered it will be handled through the official Drupal security process — but it does not mean that the release currently has no security issues.

    A short note in the release description would really help prevent misunderstandings and save others from going through the same frustration.

  • If there are security bugs in releases published as "covered by the Drupal Security Team" report that to the Drupal security team and cite this issue.

  • 🇩🇪Germany Harlor Berlin

    I'm not a maintainer but my understanding is that Open Social is kept secure even though it is using an outdated drupal core version by applying patches for known security vulnerabilities.

    See 📌 Drupal Core Security Update for OS 12 Active
