Release 4.6.3 #1188

Merged
merged 3 commits into from
Dec 15, 2021

lcharette
Member

No description provided.

@lcharette lcharette added this to the 4.6.3 milestone Dec 12, 2021
@lcharette lcharette self-assigned this Dec 12, 2021

codecov bot commented Dec 12, 2021

Codecov Report

Merging #1188 (6213730) into master (ccaf4de) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master    #1188   +/-   ##
=========================================
  Coverage     70.69%   70.69%           
  Complexity     1983     1983           
=========================================
  Files           173      173           
  Lines          6903     6903           
=========================================
  Hits           4880     4880           
  Misses         2023     2023           

@lcharette
Member Author

It's ready to merge as 4.6.3, but... wouldn't that be a "soft" breaking change for existing install? 🤔

@Silic0nS0ldier
Member

> wouldn't that be a "soft" breaking change for existing install

Absolutely, and the break that will be seen on vulnerable sites is "everything stops working because links are broken". From a semver perspective I hate it, from a security perspective it's the only way to be confident the issue is sufficiently addressed. Bad assumptions about data trustworthiness are such a pain, might be worth doing an audit before the next big release (assuming any of us have the time).

If we had a simpler update process (using composer) I'd say do a major version bump and rely on existing vulnerability alert mechanisms in GitHub (and various third party services like the one that tipped us off) to inform users, which in such a setup would work well.

@lcharette
Member Author

Agree. I don't have enough to justify a new 4.x version now, and one will probably not be done soon as I'm actively working on 5.0, but this can't wait. I'll leave a warning on the release.

@lcharette lcharette merged commit 15d713a into master Dec 15, 2021