Problem/Motivation
The upstream CORS middleware dependency, asm89/stack-cors, has released a fix for a bug that can result in certain Vary header values being removed in error.
Proposed resolution
Pin asm89/stack-cors to ^2.3. Preferably this would be backported to 11.0, 10.4, and 10.3, as https://www.drupal.org/project/acquia_cookie_vary needs the fix.
Remaining tasks
Fork; MR; Review; Merge; Profit.
User interface changes
None
Introduced terminology
None
API changes
None
Data model changes
None
Release notes snippet
The asm89/stack-cors third-party dependency, which adds the appropriate CORS-related headers to some sites, has resolved an issue that could have impacts on certain installations. In all cases, the Vary header will not contain fewer values, but in certain configurations, there may be more values in the Vary header following the upgrade.
While this is not anticipated to cause performance problems, increasing variance will undoubtedly result in lower cache hit rates for some configurations.