From 2da23cfdb79ac97ec8a33ca992d89bc88f552499 Mon Sep 17 00:00:00 2001 From: Jeppe Krogh Date: Thu, 18 Jun 2026 08:40:36 +0200 Subject: [PATCH 1/4] Security updates --- composer.lock | 55 +++++++++++++------------- web/sites/default/default.settings.php | 17 ++++++++ 2 files changed, 45 insertions(+), 27 deletions(-) diff --git a/composer.lock b/composer.lock index f8328bc..a1650db 100644 --- a/composer.lock +++ b/composer.lock @@ -1014,16 +1014,16 @@ }, { "name": "drupal/core", - "version": "11.3.11", + "version": "11.3.12", "source": { "type": "git", "url": "https://github.com/drupal/core.git", - "reference": "a708c1023aa2c45bfd02770acf7978d665e01d04" + "reference": "743f30ab2cb2ea2166499b1b568988ddc9f4ee02" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/drupal/core/zipball/a708c1023aa2c45bfd02770acf7978d665e01d04", - "reference": "a708c1023aa2c45bfd02770acf7978d665e01d04", + "url": "https://api.github.com/repos/drupal/core/zipball/743f30ab2cb2ea2166499b1b568988ddc9f4ee02", + "reference": "743f30ab2cb2ea2166499b1b568988ddc9f4ee02", "shasum": "" }, "require": { @@ -1048,7 +1048,7 @@ "ext-xml": "*", "ext-zlib": "*", "guzzlehttp/guzzle": "^7.10", - "guzzlehttp/psr7": "^2.8.0", + "guzzlehttp/psr7": "^2.10.2", "masterminds/html5": "^2.7", "mck89/peast": "^1.17.4", "pear/archive_tar": "^1.4.14", @@ -1181,13 +1181,13 @@ ], "description": "Drupal is an open source content management platform powering millions of websites and applications.", "support": { - "source": "https://github.com/drupal/core/tree/11.3.11" + "source": "https://github.com/drupal/core/tree/11.3.12" }, - "time": "2026-05-28T11:26:22+00:00" + "time": "2026-06-17T15:59:46+00:00" }, { "name": "drupal/core-composer-scaffold", - "version": "11.3.11", + "version": "11.3.12", "source": { "type": "git", "url": "https://github.com/drupal/core-composer-scaffold.git", 
@@ -1231,13 +1231,13 @@ "drupal" ], "support": { - "source": "https://github.com/drupal/core-composer-scaffold/tree/11.3.11" + "source": "https://github.com/drupal/core-composer-scaffold/tree/11.3.12" }, "time": "2026-02-10T11:39:53+00:00" }, { "name": "drupal/core-project-message", - "version": "11.3.11", + "version": "11.3.12", "source": { "type": "git", "url": "https://github.com/drupal/core-project-message.git", @@ -1272,33 +1272,33 @@ "drupal" ], "support": { - "source": "https://github.com/drupal/core-project-message/tree/11.3.11" + "source": "https://github.com/drupal/core-project-message/tree/11.3.12" }, "time": "2025-02-03T10:59:29+00:00" }, { "name": "drupal/core-recommended", - "version": "11.3.11", + "version": "11.3.12", "source": { "type": "git", "url": "https://github.com/drupal/core-recommended.git", - "reference": "ea735f52395e28eba8492dcbcd5608af70c0b0cc" + "reference": "c1dbae25caa2ab70e89f40b0a11312526e7f5365" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/drupal/core-recommended/zipball/ea735f52395e28eba8492dcbcd5608af70c0b0cc", - "reference": "ea735f52395e28eba8492dcbcd5608af70c0b0cc", + "url": "https://api.github.com/repos/drupal/core-recommended/zipball/c1dbae25caa2ab70e89f40b0a11312526e7f5365", + "reference": "c1dbae25caa2ab70e89f40b0a11312526e7f5365", "shasum": "" }, "require": { "asm89/stack-cors": "~v2.3.0", "composer/semver": "~3.4.4", "doctrine/lexer": "~3.0.1", - "drupal/core": "11.3.11", + "drupal/core": "11.3.12", "egulias/email-validator": "~4.0.4", "guzzlehttp/guzzle": "~7.10.0", "guzzlehttp/promises": "~2.3.0", - "guzzlehttp/psr7": "~2.8.0", + "guzzlehttp/psr7": "~2.10.4", "masterminds/html5": "~2.10.0", "mck89/peast": "~v1.17.4", "pear/archive_tar": "~1.6.0", 
@@ -1356,9 +1356,9 @@ ], "description": "Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.", "support": { - "source": "https://github.com/drupal/core-recommended/tree/11.3.11" + "source": "https://github.com/drupal/core-recommended/tree/11.3.12" }, - "time": "2026-05-28T11:26:22+00:00" + "time": "2026-06-17T15:59:46+00:00" }, { "name": "drupal/csv_serialization", @@ -2744,16 +2744,16 @@ }, { "name": "guzzlehttp/psr7", - "version": "2.8.1", + "version": "2.10.4", "source": { "type": "git", "url": "https://github.com/guzzle/psr7.git", - "reference": "718f1ee6a878be5290af3557aeda0c91278361d9" + "reference": "d2a1a094e396da8957e797489fddaf860c340cfc" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/guzzle/psr7/zipball/718f1ee6a878be5290af3557aeda0c91278361d9", - "reference": "718f1ee6a878be5290af3557aeda0c91278361d9", + "url": "https://api.github.com/repos/guzzle/psr7/zipball/d2a1a094e396da8957e797489fddaf860c340cfc", + "reference": "d2a1a094e396da8957e797489fddaf860c340cfc", "shasum": "" }, "require": { @@ -2768,8 +2768,9 @@ }, "require-dev": { "bamarni/composer-bin-plugin": "^1.8.2", - "http-interop/http-factory-tests": "0.9.0", - "phpunit/phpunit": "^8.5.44 || ^9.6.25" + "http-interop/http-factory-tests": "1.1.0", + "jshttp/mime-db": "1.54.0.1", + "phpunit/phpunit": "^8.5.52 || ^9.6.34" }, "suggest": { "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses" @@ -2840,7 +2841,7 @@ ], "support": { "issues": "https://github.com/guzzle/psr7/issues", - "source": "https://github.com/guzzle/psr7/tree/2.8.1" + "source": "https://github.com/guzzle/psr7/tree/2.10.4" }, "funding": [ { @@ -2856,7 +2857,7 @@ "type": "tidelift" } ], - "time": "2026-03-10T09:55:26+00:00" + "time": "2026-05-29T12:59:07+00:00" }, { "name": "justinrainbow/json-schema", diff --git a/web/sites/default/default.settings.php b/web/sites/default/default.settings.php index e1c965e..eabb829 100644 
--- a/web/sites/default/default.settings.php +++ b/web/sites/default/default.settings.php @@ -842,6 +842,23 @@ # $settings['migrate_file_public_path'] = ''; # $settings['migrate_file_private_path'] = ''; +/** + * Media oEmbed discovery trusted host configuration. + * + * The oEmbed spec allows for provider/resource discovery by fetching a URL. The + * patterns here restrict which domains Drupal will make a request to for oEmbed + * discovery. + * + * For example: + * @code + * $settings['media_oembed_discovery_trusted_host_patterns'] = [ + * '^www\.example\.com$', + * ]; + * @endcode + * will allow the site to make oEmbed discovery requests to www.example.com. + */ +# $settings['media_oembed_discovery_trusted_host_patterns'] = []; + /** * Load local development override configuration, if available. * From 022585d159052b8ec99e12b484e469a27dd088a3 Mon Sep 17 00:00:00 2001 From: Jeppe Krogh Date: Thu, 18 Jun 2026 08:41:50 +0200 Subject: [PATCH 2/4] Added pull request template --- .github/PULL_REQUEST_TEMPLATE.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/PULL_REQUEST_TEMPLATE.md diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..333ba2f --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,18 @@ +#### Link to ticket + +Please add a link to the ticket being addressed by this change. + +#### Description + +Please include a short description of the suggested change and the reasoning behind the approach you have chosen. + +#### Screenshot of the result + +If your change affects the user interface you should include a screenshot of the result with the pull request. + +#### Checklist + +- [ ] My code is covered by test cases. +- [ ] My code passes our test (all our tests). +- [ ] My code passes our static analysis suite. +- [ ] My code passes our continuous integration process. From 902af57285ec023c61203b462c3510bf0bafa75a Mon Sep 17 00:00:00 2001 
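Review bot: The docblock added above `# $settings['media_oembed_discovery_trusted_host_patterns'] = [];` does not say what happens when the setting stays commented out or is an empty array, so a reader cannot tell whether oEmbed discovery is then refused for every host or left open to any host. Because the setting limits which domains the server will make discovery requests to, the comment should state that default explicitly. The example suggests the entries are regular expressions, so I would also add a line such as ` * Each pattern is a regular expression; anchor it with ^ and $ and escape dots so that look-alike host names do not match.` This patch only touches `default.settings.php`, which is a template, and the active `settings.php` is not in the diff, so the hosts the site actually embeds from presumably still need to be listed there; worth confirming before deploy. The hunk ends inside the following "Load local development override configuration" docblock, which continues outside it.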
From: Jeppe Krogh Date: Thu, 18 Jun 2026 09:47:48 +0200 Subject: [PATCH 3/4] Updated changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fb835c..e500fc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +* [#15](https://github.com/itk-dev/project-database/pull/15) + Security updates + ### Changed - Upgraded Drupal core 9.3 → 11.3 and contrib to Drupal 11-compatible releases. From 351ee54990289f3f46ceeb2f39e69f6b41e96c4d Mon Sep 17 00:00:00 2001 From: Jeppe Krogh Date: Thu, 18 Jun 2026 09:50:21 +0200 Subject: [PATCH 4/4] Coding standards --- CHANGELOG.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e500fc0..0939f09 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,12 +12,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed -- Upgraded Drupal core 9.3 → 11.3 and contrib to Drupal 11-compatible releases. -- Switched runtime to PHP 8.4; Drush 10 → 13. -- Aligned the development setup with the itk-dev `drupal-11` Docker template +* Upgraded Drupal core 9.3 → 11.3 and contrib to Drupal 11-compatible releases. +* Switched runtime to PHP 8.4; Drush 10 → 13. +* Aligned the development setup with the itk-dev `drupal-11` Docker template (docker-compose with healthchecks, `nginx-unprivileged`, Mailpit, GitHub Actions workflows and lint configuration). ### Removed -- Removed the abandoned `drupal/console` dependency. +* Removed the abandoned `drupal/console` dependency.