Why does trakked report a security vulnerability even though I am using the latest Contao version? Some installations report security vulnerabilities, while others do not.
First of all, it is important to know that Contao consists of over 180 packages or bundles. In addition, extensions bring in further packages of their own as dependencies. Each of these packages can have security vulnerabilities of its own, which its maintainers fix by publishing new versions. "Latest Contao version" therefore only says something about the Contao packages, not about everything else installed alongside them.
In the event of security vulnerabilities in Contao core, you will be informed in advance of the release date and will also receive information from trakked (for example in a blog post or through notifications).
If there are security vulnerabilities in dependencies, such as Symfony, you will receive an automated notification for each security vulnerability and a list of all affected installations. However, we will not create a blog post for this, as there are many different combinations of packages and versions, depending on when you last updated.
So there are security vulnerabilities in Contao itself as well as in the bundles and dependencies. We recommend that you fix security vulnerabilities as soon as possible. Experience has shown that working out whether a security vulnerability is relevant to your system takes longer than simply installing the update. Also see: Am I affected by the Contao security vulnerability?
Our advice therefore: Update your installation, including all of its packages (trakked does this automatically when you update), and the installation should be green and secure again.
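To make the "latest Contao, but a dependency is still affected" situation concrete, here is an added example (not code from trakked or from the Contao project) of the kind of check a dependency audit performs: it reads the installed versions of every package from a composer.lock and compares them against a list of advisories, each of which names an affected version range and the fixed version. The lock file excerpt, the package acme/example-bundle and the advisory EXAMPLE-ADVISORY-1 are all constructed for this illustration and do not describe a real vulnerability.

```python
import json
import re
from typing import Dict, List

# Constructed composer.lock excerpt (not a real installation): the Contao core
# bundle is on a current version, but an extension's dependency lags behind.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "contao/core-bundle", "version": "5.3.10"},
        {"name": "symfony/http-kernel", "version": "v6.4.8"},
        {"name": "acme/example-bundle", "version": "v2.1.3"},
    ],
    "packages-dev": [],
})

# Constructed placeholder advisory, NOT a real security advisory: which
# versions of a package are affected and which version contains the fix.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "package": "acme/example-bundle",
     "affected": ">=2.0.0,<2.1.5", "fixed": "2.1.5"},
]

VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(version: str) -> tuple:
    """Turn 'v6.4.8' or '5.3.10' into a comparable tuple such as (6, 4, 8)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _cmp(a: tuple, b: tuple) -> int:
    """Compare two version tuples, padding the shorter one with zeros (5.3 == 5.3.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
    "=": lambda c: c == 0,
}


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` lies inside a composer-style constraint like '>=2.0.0,<2.1.5'."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.match(r"^(>=|<=|>|<|=)\s*(.+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](_cmp(v, parse_version(bound))):
            return False
    return True


def installed_versions(lock_json: str) -> Dict[str, str]:
    """Map every locked package (runtime and dev) to its installed version."""
    lock = json.loads(lock_json)
    versions: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            versions[pkg["name"]] = pkg["version"]
    return versions


def audit(lock_json: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per advisory whose affected range contains the installed version."""
    installed = installed_versions(lock_json)
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is not None and satisfies(version, adv["affected"]):
            findings.append({
                "package": adv["package"],
                "installed": version,
                "advisory": adv["id"],
                "fixed": adv["fixed"],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{f['package']} {f['installed']} is affected by {f['advisory']}, "
              f"update to {f['fixed']}")
```

The check deliberately looks at every package in the lock file, not only the contao/* ones: that is exactly why an installation on the newest Contao release can still show a finding, and why updating only the Contao packages would not clear it.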