Contao Open Source CMS 4.13.55

Contao 4.13.55, a new version of the Contao open source CMS, has been released.

This release was necessary because of a security vulnerability in a third-party package, which has since been fixed. The affected package is enshrined/svg-sanitize, which Contao uses to remove malicious code from SVG files. The vulnerability was fixed in version 0.22 of the package. Unfortunately, the fix was released as a new 0 version, and Composer treats 0 versions specially. A 0 version lets developers release a package while telling its users that the final API is not yet settled and that further 0 versions with API breaks may follow. As a precaution, Composer will therefore never automatically update from 0.21 to 0.22, as it would from version 1.0 to 1.1, for example. Releasing the fix for the security vulnerability as a new 0 version is thus an unfortunate decision: it forces projects such as Contao to update the dependencies in composer.json and release new versions themselves so that all users have the opportunity to close this security vulnerability.
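The following sketch is an added example, not code from Contao or Composer. It reproduces Composer's caret-range rule for plain numeric versions and checks a composer.lock for a locked enshrined/svg-sanitize older than 0.22. The `^0.21` constraint and the sample lock content are assumptions made for illustration.

```python
import json

def parse(version):
    """'v0.21' or '0.21.0' -> (0, 21, 0). Plain numeric versions only."""
    nums = [int(p) for p in version.lstrip("v").split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def caret_range(constraint):
    """Bounds (inclusive lower, exclusive upper) of a caret constraint."""
    given = [int(p) for p in constraint.lstrip("^").split(".")]
    lower = tuple(given + [0] * (3 - len(given)))
    # Composer bumps the first non-zero part; if every given part is zero,
    # it bumps the last one given (^0.0 -> <0.1.0).
    pos = next((i for i, n in enumerate(given) if n), len(given) - 1)
    upper = tuple(lower[i] + 1 if i == pos else (lower[i] if i < pos else 0)
                  for i in range(3))
    return lower, upper

def allows(constraint, version):
    """True if the caret constraint would accept this version."""
    lower, upper = caret_range(constraint)
    return lower <= parse(version) < upper

def audit_lock(lock_text, package="enshrined/svg-sanitize", fixed="0.22"):
    """Return (locked version, True if >= fixed), or (None, None) if absent."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg["name"] == package:
            return pkg["version"], parse(pkg["version"]) >= parse(fixed)
    return None, None

# Constructed sample of a composer.lock, reduced to the fields used here.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "enshrined/svg-sanitize", "version": "0.21.0"},
]})

if __name__ == "__main__":
    # Hypothetical constraints: the 0.x one blocks the fix, the 1.x one would not.
    for constraint, candidate in [("^0.21", "0.22.0"), ("^1.0", "1.1.0")]:
        print(constraint, "allows", candidate, "->", allows(constraint, candidate))
    print(audit_lock(SAMPLE_LOCK))
```

Pointing `audit_lock` at the text of a project's own composer.lock shows whether the installation still carries a version from before the fix.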

Changelog of the fixed issues in Contao 4.13.55:

About Contao 4.13 LTS

The first stable version of Contao 4.13 was released on February 17, 2022, replacing Contao 4.9 as the long term support version. As an LTS version, 4.13 is provided with bug fixes until February 14, 2025 and security-related updates until February 14, 2026. Contao 5.3 is the next LTS version of Contao and was released in February 2024, ensuring a stress-free transition.

Bjarke Ammann

Bjarke takes care of the website and support. If you like reading, you might have come across his Contao Two Month Review or found an answer to your question in the official Contao user manual. He also makes sure that Contao enthusiasts from Switzerland meet regularly to exchange ideas. He loves culinary delights, good music and exercise in the fresh air.
