Security Updates May 2026
Security Updates May 2026
Summary
Applied Drupal core security patch 10.6.5 → 10.6.8 (released 2026-05-06) and updated 20+
packages to latest compatible versions. Widened drupal/diff constraint to ^2.0 (Drupal 11
support release, compatible with core 10.x). All patches applied cleanly.
Package Changes
| Package | From | To | Type |
|---|---|---|---|
| drupal/core | 10.6.5 | 10.6.8 | Patch — security release (2026-05-06) |
| drupal/diff | 1.10.0 | 2.0.0 | Major — Drupal 11 support (core ^10.5||^11) |
| drupal/commerce | 3.3.4 | 3.3.5 | Patch |
| drupal/config_ignore | 3.3.0 | 3.4.0 | Minor |
| drupal/date_recur | 3.6.1 | 3.8.2 | Minor |
| drupal/date_recur_modular | 3.1.0 | 3.2.1 | Minor |
| drupal/devel_entity_updates | 4.2.1 | 5.0.0 | Major (constraint was already ^5.0, lock was stale) |
| drupal/lightning_media | 5.0.0 | 5.1.0 | Minor |
| drupal/linkit | 7.0.13 | 7.0.14 | Patch |
| drupal/nagios | 1.25.0 | 1.26.0 | Patch |
| drupal/pathauto | 1.14.0 | 1.15.0 | Patch |
| drupal/quickedit | 1.0.5 | 2.0.1 | Major (constraint was already ^2.0, lock was stale) |
| drupal/redirect | 1.12.0 | 1.13.0 | Patch |
| drupal/scheduler_content_moderation_integration | 3.0.4 | 3.0.5 | Patch |
| drupal/tagify | 1.2.50 | 1.2.51 | Patch |
| drupal/webform | 6.3.0-beta8 | 6.3.0-beta9 | Patch |
| drush/drush | 12.5.3 | 13.7.2 | Major — transitive dep |
| uncinc/uncinc_default_pages | 9.2.2 | 10.0.0 | Major (constraint was already ^10.0, lock was stale) |
| uncinc/uncinc_drupal_admin_sitemap | (new) | 0.0.4 | Installed for first time |
Drupal Core
Decision: Updated (patch)
- From 10.6.5 → 10.6.8 (security release published 2026-05-06)
- Drupal 11.3.9 also available — skipped, major jump affecting all downstream projects
Patch Changes
No patches removed or re-rolled. All 13 patches applied cleanly on updated packages.
| Patch | Package | Action | Reason |
|---|---|---|---|
| 2894747 Views AJAX | drupal/core | Kept | Applies cleanly on 10.6.8; issue not fixed in core 10.x |
| 2031261 SQLite inserts | drupal/core | Kept | Applies cleanly on 10.6.8 |
| 3132979 Sierra Exception | drupal/date_recur_modular | Kept | Fix committed to 3.2.x on 2026-04-24 but not yet in 3.2.1 release |
| 3125682 Chunked uploads | drupal/lightning_media | Kept | Applies cleanly on 5.1.0 |
| 3457016, 3411952, 3459341 | drupal/lightning_workflow | Kept | All apply cleanly; not updated this run |
Outdated Packages (not updated)
| Package | Current | Available | Reason |
|---|---|---|---|
| cweagans/composer-patches | 1.7.3 | 2.0.0 | Known: 2.x is a complete rewrite, skip until D11 migration |
| drupal/date_recur | 3.8.2 | 3.9.3 | Blocked: requires core ^11 + PHP >=8.3 |
| drupal/date_recur_modular | 3.2.1 | 3.3.0 | Blocked: requires date_recur ^3.9 (needs core ^11) |
| drupal/gin | 4.1.3 | 5.0.12 | Blocked: requires core ^11.2 |
| drupal/gin_toolbar | 2.1.0 | 3.0.3 | Blocked: requires core ^11.2 |
| drupal/moderation_dashboard | 3.1.0 | 4.0.0 | Blocked: requires core ^11.2 |
| drupal/raven | 6.0.16 | 7.3.9 | Blocked: requires core ^11.1 |
| drupal/elasticsearch_connector | 7.0.0-alpha7 | 9.0.0-alpha3 | Intentional skip (triple blocker) |
| drupal/geofield | 1.67.0 | 10.3.4 | Intentional skip (needs dedicated upgrade ticket) |
| drupal/video_embed_field | 2.7.0 | 3.1.0 | Intentional skip (media config changes) |
Pre-existing Issues
Lock file was stale (out of sync with composer.json) due to being gitignored.
Resolved automatically by composer update -W.
Notes for Downstream Projects
- Core 10.6.8 security patch — all projects should apply ASAP
-
drupal/diff 2.0.0 — widened constraint; downstream projects using
^1.xshould widen to^2.0 - Profile branch to reference:
dev-feature/security-updates-may-2026