Keeping a Drupal website updated is one of the most important parts of website maintenance and security. However, some administrators may suddenly encounter Composer update failures related to security advisories, even when trying to install official Drupal core updates.

Recently, many Drupal 11 users experienced update issues involving drupal/core-recommended, Symfony packages, and Composer’s newer security blocking features.

This guide explains what causes the problem, how to safely resolve it, and what website owners and developers should know moving forward.



Common error during Drupal 11 Composer updates

A typical error may look similar to this:

drupal/core-recommended 11.3.10 requires symfony/polyfill-intl-idn ~v1.37.0
but these were not loaded, because they are affected by security advisories

Or:

Composer blocked insecure packages

This usually appears while running:

composer update -W

or:

composer require drupal/core-recommended:^11.3 -W

Why this happens

Newer versions of Composer automatically block packages with known security advisories.

In this case:

  • drupal/core-recommended pinned a Symfony dependency version
  • Symfony later published a security advisory
  • Packagist security feeds immediately flagged the package
  • Composer refused installation automatically

This can temporarily happen even with official Drupal releases if upstream dependency metadata updates faster than Drupal’s dependency constraints.


The affected package

The issue involved:

  • Package: symfony/polyfill-intl-idn
  • Advisory: CVE-2026-46644
  • Advisory ID: PKSA-dwsq-ppd2-mb1x

The vulnerability affected how certain internationalized domain names (IDN/Punycode) were normalized and validated.


Safe temporary solution

If you are updating Drupal core and encounter this issue before Drupal releases updated dependency constraints, you may temporarily disable Composer’s blocking feature during the update process.

Step 1: Temporarily disable blocking

composer config audit.block-insecure false

Step 2: Run the Drupal core update

composer require \
drupal/core-recommended:11.3.10 \
drupal/core-composer-scaffold:11.3.10 \
drupal/core-project-message:11.3.10 \
-W

Then:

composer update -W

Step 3: Run Drupal database updates

drush updatedb -y
drush cr

Step 4: Re-enable Composer security blocking

composer config audit.block-insecure true
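
The four steps above can be wrapped so that Step 4 cannot be forgotten or skipped when Step 2 fails. The script below is an added example, not part of the original guide; the names DRUPAL_VERSION, restore_blocking, drupal_core_update and the "run" argument are assumptions, and it expects composer and drush on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): Steps 1-4 as one function that
# always switches Composer's security blocking back on, even if the update fails.
# Assumed names: DRUPAL_VERSION, restore_blocking, drupal_core_update, "run" arg.
# Run from the project root; "composer config" edits that project's composer.json.

DRUPAL_VERSION="${DRUPAL_VERSION:-11.3.10}"   # version used in the article

restore_blocking() {
  composer config audit.block-insecure true
}

drupal_core_update() {
  dcu_rc=0

  # Step 1: switch blocking off; stop here if even that fails.
  composer config audit.block-insecure false || return 1
  # If the run is interrupted, re-enable blocking before exiting.
  trap 'restore_blocking; exit 130' INT TERM

  # Steps 2 and 3: each command runs only if the previous one succeeded.
  {
    composer require \
      "drupal/core-recommended:${DRUPAL_VERSION}" \
      "drupal/core-composer-scaffold:${DRUPAL_VERSION}" \
      "drupal/core-project-message:${DRUPAL_VERSION}" \
      -W &&
    composer update -W &&
    drush updatedb -y &&
    drush cr
  } || dcu_rc=$?

  # Step 4: runs on success and on failure alike.
  restore_blocking || dcu_rc=$?
  trap - INT TERM

  # List whatever is still flagged; a non-zero audit is reported, not fatal.
  composer audit || echo "composer audit reports advisories; review them" >&2

  return "$dcu_rc"
}

# Only execute when invoked as: sh drupal-core-update.sh run
if [ "${1:-}" = "run" ]; then
  drupal_core_update
fi
```
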

How to check remaining advisories

After updating, run:

composer audit

This will show any remaining package advisories.

If only the Symfony advisory remains and Drupal has not yet released updated constraints, the safest approach is usually to wait for the official Drupal dependency updates.


Optional: Ignore a single advisory temporarily

Instead of disabling blocking for every package, you may ignore only a specific advisory:

composer config audit.ignore '["PKSA-dwsq-ppd2-mb1x"]'

This is generally safer than disabling Composer's security blocking altogether, because every other advisory is still enforced.


Important reminders before updating Drupal

Before performing any Composer or Drupal core updates:

  • Create complete website and database backups
  • Test updates in staging whenever possible
  • Check PHP version compatibility
  • Verify hosting environment requirements
  • Review Drupal module compatibility
  • Run composer audit after updates
  • Monitor Drupal security advisories regularly

Best practices for Drupal Composer updates

For modern Drupal 10 and Drupal 11 websites:

  • Always use drupal/core-recommended
  • Keep Composer itself updated
  • Avoid manually forcing Symfony package versions unless necessary
  • Use -W or --with-all-dependencies during major updates
  • Regularly audit installed packages
  • Monitor Drupal and Symfony security announcements

Final thoughts

Composer security enforcement is ultimately a good improvement for the PHP ecosystem. However, there may occasionally be temporary synchronization gaps between upstream package advisories and Drupal’s officially recommended dependency versions.

In most cases, the issue is temporary and resolved through later Drupal core updates.

For production websites, always prioritize stability, backups, and proper testing before applying workarounds or manual dependency overrides.

For professional Drupal maintenance, Composer troubleshooting, Drupal migrations, security hardening, and managed website support, visit iBuild.PH Web Solutions and Services.