Announcing Silverstripe CMS Recipe 4.9.0

Silverstripe CMS Recipe 4.9.0 stable has been released.

This release also includes two security fixes. These patches have been backported to Silverstripe CMS Recipe if you’re not quite ready to upgrade to 4.9.0.


When can we expect 4.8.1 with the backported patches?

1 Like

It’s already been back ported. You need to install:

1 Like

Unfortunately, trying to require these in the root composer.json doesn’t work because of the inflexible requirements from the pre-4.9 recipe-cms. So, at present, one would have to eject from the recipe to get the security updates. Hence my question about a point update to the 4.8 series of the recipe.


  • silverstripe/recipe-cms 4.8.0 requires silverstripe/admin 1.8.0@stable -> found silverstripe/admin[1.8.0] but it conflicts with your root composer.json require (^1.8.1)
1 Like

Ah… came here because I have exactly the same problem.

And additionally, was trying to find out what the ‘@stable’ would mean in this context ("silverstripe/recipe-cms": "~4.9.0@stable"). What would mark a release as stable?

1 Like

@stable disallows anything that’s marked alpha, beta, dev, RC, or the like. It overrides any laxity your composer.json may have in minimum-stability or prefer-stable.

1 Like

Thnx. I assumed the @stable was preventing the 1.8.0 > 1.8.1 update. And thus curious how this 1.8.1 tag in silverstripe-admin would be marked as stable (as I couldn’t find anything about it in the repo). But now I came to understand that the restrictions in the requiremenst of silverstripe/recipe-cms are the problem.
I tried to fork it and make a 4.8.1 tag on my own branch, but that didn’t resolve to a set over installable packages either, unfortunately. But might have missed something in the process…

1 Like

ah… apparently tag 1.8.1 already existed, that’s why it didn’t work.
This one does

1 Like

Glad to see it’s been remedied. Now I have only 2 projects in which to unwind ejecting from the recipe, which had been my approach to get the security updates without launching 4.9 just yet.

Edit: Oh, I see that’s not the official repository. I hope the Silverstripe team will follow suit soon!

1 Like

We didn’t release a new recipe-cms 1.8 version because the two vulnerabilities didn’t have an high enough impact to warrant a full release.

If you don’t want to inline recipe-cms, but still want to install a newer patch release, you can use aliases.

"require": {
  "silverstripe/recipe-cms": "4.8.0",
  "silverstripe/admin": "1.8.1 as 1.8.0"

Going forward, this won’t be an issue anymore because recipe-cms and recipe-core 4.9.0 now ship with ~ constraint which allows you to install a later patch release.

1 Like

Why are some of my SS 4.8.0 sites now showing 4.9.0 components in composer.lock? This for example:

        "name": "silverstripe/cms",
        "version": "4.9.0",
        "source": {
            "type": "git",
            "url": "",
            "reference": "9f7262f99daccda72ac3f95b30e4386c6b78569a"

When my composer.json file specifies:

"require": {
    "silverstripe/recipe-plugin": "^1",
    "silverstripe/recipe-core": "4.8.0",

@Thrash_Cardiom Can you post your full composer.json?

silverstripe/recipe-core doesn’t include silverstripe/cms so something else must be requiring it.

1 Like

When can we expect 4.8.1 with the backported patches?

Thanks for letting me know it’s been resolved . With this, I am left with only 2 projects that need to be unwound before ejecting from the recipe, which is the approach I used to obtain the security updates without launching 4.9.

That doesn’t seem to be the official repository I see. It will be great to see the Silverstripe team following suit shortly!

This new module has been added to silverstripe / recipe -CMS which is the recommended method of managing Silverstripe CMS dependencies in a project.