chore: apply security updates march 2026
Security Updates March 2026
Summary
Profile dependency updates: 5 packages updated (constraint widening for minor/major bumps), 1 package removed, 1 package added, and 1 merged-upstream patch removed.
Package Changes
| Package | From | To | Type |
|---|---|---|---|
drupal/devel_entity_updates |
^4.1 (4.2.1) | ^5.0 (5.0.0) | major |
drupal/lightning_media |
~5.0.0 (5.0.0) | ^5.0 (5.1.0) | minor |
drupal/quickedit |
^1.0 | ^2.0 | major |
uncinc/uncinc_default_pages |
^9.2 (9.2.2) | ^10.0 (10.0.0) | major |
drupal/layout_builder_st |
^1.0.0-alpha3 | — | removed |
uncinc/uncinc_drupal_admin_sitemap |
— | ^0.0.4 | added |
Drupal Core
Decision: Skipped — 10.6.5 is the latest in 10.6.x. Only Drupal 11.3.5 available (major upgrade), not appropriate for a security update round.
Patch Changes
| Patch | Package | Action | Reason |
|---|---|---|---|
| #3456919 Config schema fix | drupal/lightning_media |
Removed | Merged upstream in 5.1.0 |
Removed Packages
| Package | Reason |
|---|---|
drupal/layout_builder_st |
No active downstream project uses it. Investigated 3 projects: uncinc-backend (not enabled), leprosy-information.org (not enabled), nldoet.nl (enabled but decommissioned). Projects that still need it can require it directly. |
Added Packages
| Package | Version | Reason |
|---|---|---|
uncinc/uncinc_drupal_admin_sitemap |
^0.0.4 | Moved from project-level requirement to profile so all downstream projects inherit it automatically. |
Outdated Packages (not updated)
| Package | Current | Available | Reason |
|---|---|---|---|
drupal/date_recur |
3.9.3 | — | Blocked by drupal/core ^11
|
drupal/date_recur_modular |
3.3.0 | — | Blocked by drupal/core >=11
|
drupal/gin |
4.x | 5.0.12 | Blocked by drupal/core ^11.2
|
drupal/gin_toolbar |
2.x | 3.0.3 | Blocked by drupal/core ^11.2
|
drupal/moderation_dashboard |
2.x | 4.0.0 | Blocked by drupal/core ^11.2
|
drupal/raven |
6.x | 7.3.7 | Blocked by drupal/core ^11.1
|
drupal/geofield |
^1.55 | 10.x | Deliberate hold — API/config changes |
drupal/video_embed_field |
^2.5.0 | 3.x | Deliberate hold — media config changes |
drupal/elasticsearch_connector |
^7.0 | 9.x | Needs coordinated multi-package upgrade |
cweagans/composer-patches |
^1.7 | 2.x | Complete rewrite, revisit at Drupal 11 |
Pre-existing Issues
None
Notes for Downstream Projects
- Projects with
uncinc/uncinc_drupal_admin_sitemapin their owncomposer.jsoncan remove it — the profile now provides it - Projects that had
layout_builder_stenabled need to either add it to their owncomposer.jsonor uninstall viadrush pm:uninstall layout_builder_st - Profile branch:
dev-feature/security-updates-march-2026
Edited by Walter