
This release was necessary because of a security vulnerability that has been fixed in a third-party package. The affected package is enshrined/svg-sanitize, which Contao uses to remove malicious code from SVG files. A security vulnerability was found in this package and fixed in version 0.22 of the package. Unfortunately, the fix was released as a new 0.x version.

0.x versions are treated specially by Composer. They allow developers to publish a package while telling its users that the final API of the package is not yet settled and that further 0.x versions with API breaks may follow. As a precaution, Composer therefore treats each 0.x minor version like a major version: with the caret constraint that `composer require` writes by default (for example `^0.21`), it will never automatically update from 0.21 to 0.22, whereas the equivalent constraint on a 1.x package (`^1.0`) would update from 1.0 to 1.1 without any intervention.

Releasing the fix for the security vulnerability as a new 0.x version is therefore an unfortunate decision, as it forces projects such as Contao to raise the constraint in their composer.json and to publish new versions themselves so that all users get the opportunity to close this security vulnerability. The same applies to any project that requires enshrined/svg-sanitize directly with a constraint that stops at 0.21.
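As an added illustration, not code from this announcement or from Contao, the following Python script re-implements the documented semantics of Composer's caret (`^`) and tilde (`~`) operators for plain numeric versions (no stability flags, wildcards or OR-ed ranges) and checks, against a constructed composer.json fragment, whether the constraint on a package can reach a given fixed release. The constraint values and the package name `acme/example-lib` are assumptions made for the example; only `enshrined/svg-sanitize` and the 0.21/0.22 versions come from the announcement.

```python
"""Check whether a Composer version constraint can reach a fixed release.

Added example; not part of the original announcement or of Contao's code.
Re-implements the documented semantics of Composer's ^ and ~ operators for
plain numeric versions only and applies them to a constructed composer.json.
"""
import json
import re

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'0.22' -> (0, 22, 0); missing components are zero-filled."""
    parts = text.lstrip("v").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def bump(nums: list[int], position: int) -> Version:
    """Increment the component at `position` (0-based) and zero everything after it."""
    out = [0, 0, 0]
    out[:position] = nums[:position]
    out[position] = nums[position] + 1
    return out[0], out[1], out[2]


def constraint_range(constraint: str) -> tuple[Version, Version]:
    """Return (inclusive lower bound, exclusive upper bound) for ^x.y.z or ~x.y.z."""
    m = re.fullmatch(r"([\^~])(\d+)(?:\.(\d+))?(?:\.(\d+))?", constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op = m.group(1)
    given = [g for g in m.group(2, 3, 4) if g is not None]
    low = parse_version(".".join(given))
    nums = list(low)
    if op == "^":
        # Composer's caret rule: allow changes up to the next major release,
        # except that a leading 0 is itself treated as the "major" digit, so
        # ^0.21 -> <0.22.0 while ^1.0 -> <2.0.0 and ^0.0.3 -> <0.0.4.
        if nums[0] != 0 or len(given) == 1:
            position = 0
        elif nums[1] != 0 or len(given) == 2:
            position = 1
        else:
            position = 2
    else:
        # Composer's tilde rule: the last given component may move, so
        # ~1.2 -> <2.0.0, ~1.2.3 -> <1.3.0, and hence ~0.21 -> <1.0.0 but
        # ~0.21.0 -> <0.22.0. The number of given parts matters here.
        position = max(0, len(given) - 2)
    return low, bump(nums, position)


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` lies inside the range expressed by `constraint`."""
    low, high = constraint_range(constraint)
    return low <= parse_version(version) < high


def audit(composer_json: str, advisories: dict[str, str]) -> dict[str, bool]:
    """For each {package: fixed_version}, report whether `composer update`
    could install the fixed version under the constraint in composer.json."""
    req = json.loads(composer_json)["require"]
    return {pkg: satisfies(fixed, req[pkg]) for pkg, fixed in advisories.items()}


# Constructed composer.json fragment; these constraints are assumptions for
# the example and are not taken from Contao's real composer.json.
SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {
        "enshrined/svg-sanitize": "^0.21",
        "acme/example-lib": "^1.0",   # hypothetical 1.x package for contrast
    }
})

# Constructed advisory data: svg-sanitize fixed in 0.22 (from the announcement),
# the hypothetical acme/example-lib fixed in 1.1.0.
SAMPLE_ADVISORIES = {"enshrined/svg-sanitize": "0.22.0", "acme/example-lib": "1.1.0"}


if __name__ == "__main__":
    for pkg, ok in audit(SAMPLE_COMPOSER_JSON, SAMPLE_ADVISORIES).items():
        state = "fix reachable" if ok else "constraint blocks the fix, raise it in composer.json"
        print(f"{pkg}: {state}")
```

Run against the sample, the script reports that `^0.21` (`>=0.21.0 <0.22.0`) cannot reach 0.22.0 while `^1.0` (`>=1.0.0 <2.0.0`) accepts 1.1.0, which is exactly the situation described above. Two things worth knowing in a real project: the tilde operator behaves differently from the caret for 0.x packages (`~0.21` allows anything below 1.0.0, `~0.21.0` does not), and the quickest way to see which constraint actually pins a package is `composer why enshrined/svg-sanitize` together with `composer show enshrined/svg-sanitize` for the installed version; `composer audit` (Composer 2.4 and later) reports known advisories against composer.lock.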
Changelog of the fixed issues in Contao 5.5.14:
- #8660 Update `enshrined/svg-sanitize` to version 0.22 (bytehead)
- #8652 Update `spomky-labs/otphp` to version 11 (bytehead)
About Contao 5.5
The first stable version of Contao 5.5 was released on 15 February 2025 as the successor of Contao 5.4. Contao 5.5 received updates until 18 August 2025, after which it was replaced by Contao 5.6.