Gitlab CI broken because of upstream Symfony security releases that are only available in the `drupal/core-recommended`'s development branch, not in tags (#3591594) · Issues · project / canvas

Gitlab CI broken because of upstream Symfony security releases that are only available in the `drupal/core-recommended`'s development branch, not in tags

Many jobs are currently broken because composer can't install drupal/core-recommended because it's fixed to 11.2.11 one example: https://git.drupalcode.org/project/canvas/-/jobs/9982049 ``` ./composer.json has been updated Running composer update drupal/core-dev drupal/canvas --with-all-dependencies Loading composer repositories with package information Updating dependencies Your requirements could not be resolved to an installable set of packages. Problem 1 - drupal/core-recommended is locked to version 11.2.12 and an update of this package was not requested. - drupal/core-recommended 11.2.12 requires symfony/polyfill-intl-idn ~v1.37.0 -> found symfony/polyfill-intl-idn[v1.37.0] but these were not loaded, because they are affected by security advisories ("PKSA-dwsq-ppd2-mb1x"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config. Problem 2 - Root composer.json requires drupal/canvas @dev -> satisfiable by drupal/canvas[dev-main]. - drupal/canvas dev-main requires drupal/core ^11.2 -> satisfiable by drupal/core[11.2.12, ..., 11.x-dev]. - drupal/core 11.2.12 requires symfony/mime ^7.4.12 -> satisfiable by symfony/mime[v7.4.12, v7.4.13, 7.4.x-dev]. - symfony/mime[v7.4.12, ..., 7.4.x-dev] require symfony/polyfill-intl-idn ^1.10 -> found symfony/polyfill-intl-idn[v1.10.0, ..., 1.x-dev] but these were not loaded, because they are affected by security advisories ("PKSA-dwsq-ppd2-mb1x"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config. You can also try re-running composer require with an explicit version constraint, e.g. "composer require drupal/core-dev:*" to figure out if any version is installable, or "composer require drupal/core-dev:^2.1" if you know which you need. Installation failed, reverting ./composer.json and ./composer.lock to their original content. ```

issue