At Morpht, we love to keep our Continuous Integration (CI) pipelines clean. Just as neglected beer lines deliver bad-tasting beer, neglected CI pipelines can deliver insecure code.
We have a nice nightly job that tests our Convivial Profile. We use the profile for our beloved Convivial suite of sites (e.g. demo.convivial.io, govcms.convivial.io, govflix.convivial.io or www.convivial.io). We care about the quality of these sites, especially because we like our code poured fresh and clean from the tap :)
The nightly job runs a security scan on the above. It ran yesterday and alerted us to a security vulnerability in Drupal core itself! We jumped on the issue and noticed that both current core releases, 11.0.2 and 10.3.3, depend on a vulnerable Twig package.
Naveen reviewed CVE-2024-45411, published for twig < 3.14.0. It is rated High severity (8.6/10). Naveen followed up by submitting Drupal core issue 3473195.
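A minimal version of the lock-file check that such a nightly job performs, written here as an added example (not Morpht's pipeline code): it parses a constructed composer.lock excerpt and flags twig/twig pins below the 3.14.0 fix for CVE-2024-45411.

```python
import json
import re

# Constructed sample composer.lock excerpt for this example; the pinned
# versions are illustrative and not taken from any real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "11.0.2"},
        {"name": "twig/twig", "version": "v3.11.1"},
        {"name": "symfony/yaml", "version": "v7.1.4"},
    ]
})

# Minimal advisory table: package -> (first fixed version, advisory id).
# Only the advisory discussed in the post is listed.
ADVISORIES = {"twig/twig": ("3.14.0", "CVE-2024-45411")}


def parse_version(v):
    """Turn 'v3.11.1' or '3.14.0' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes such as '-beta1' are dropped; a non-numeric version
    like 'dev-main' becomes (0, 0, 0) and is therefore treated as vulnerable,
    which is the conservative choice for a CI gate.
    """
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])][:3]
    return tuple(nums) + (0,) * (3 - len(nums))


def find_vulnerable(lock_json):
    """Return [(package, installed, fixed, advisory)] for every affected pin."""
    findings = []
    for pkg in json.loads(lock_json).get("packages", []):
        adv = ADVISORIES.get(pkg["name"])
        if adv and parse_version(pkg["version"]) < parse_version(adv[0]):
            findings.append((pkg["name"], pkg["version"], adv[0], adv[1]))
    return findings


if __name__ == "__main__":
    for name, have, fixed, cve in find_vulnerable(SAMPLE_LOCK):
        print(f"{cve}: {name} {have} is vulnerable, upgrade to >= {fixed}")
```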
You can see that the d.o. issue got very busy a few hours later, and we can expect new minor versions of all supported Drupal core branches very soon.
This is a nice little story that tells me our CI pipelines are running clean and catching vulnerabilities before they hit client websites.