Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

All Craft 3 installs (craftcms/cms) recently flagged as insecure #117

Closed. angrybrad closed this issue 1 year ago

angrybrad commented 1 year ago

Context here: https://github.com/craftcms/cms/issues/13336#issuecomment-1599661035

Recently all Craft 3 versions using this package have been (incorrectly) flagged as insecure. I think it's coming from the unbounded < 4.2.1 constraint at the end of https://github.com/Roave/SecurityAdvisories/blob/latest/composer.json#L94

But as far as I can tell, that unbound constraint has been there for 9 months: https://github.com/Roave/SecurityAdvisories/commit/4ed8a24bbb14c02aae12f8ec386e3e2804f58198

Mainly just looking for help on how to interpret and correct what we're seeing.
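
To make the mechanism behind the report concrete: a Composer `conflict` entry with a constraint that has no lower bound, such as `<4.2.1`, matches every earlier version, including the whole 3.x branch, whereas `>=4.0.0,<4.2.1` only matches the 4.x releases the advisory was actually about. The matcher below is an added example written for this page; it is not code from Roave/SecurityAdvisories, Composer or Craft. It assumes a simplified constraint grammar (comparison operators, `,` as AND, `|` or `||` as OR, plain numeric versions padded to four parts as Composer does) and leaves out `^`, `~`, wildcards and stability suffixes. The version list `SAMPLE_VERSIONS` is constructed for the demonstration, and `UNBOUNDED` / `BOUNDED` are illustrative constraint strings, not the exact text of the advisory or of the repository's composer.json.

```python
"""Minimal matcher for Composer-style version constraints.

Added example, not part of Roave/SecurityAdvisories or Composer. Supports only
comparison operators (<, <=, >, >=, =, !=), ',' as AND and '|' / '||' as OR,
and plain numeric versions; '^', '~', '*' and stability suffixes are out of scope.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int, int]

_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<>": lambda a, b: a != b,
}

_TERM = re.compile(r"^\s*(<=|>=|==|!=|<>|<|>|=)?\s*([0-9][0-9.]*)\s*$")


def normalize(version: str) -> Version:
    """Turn '4.2.1' into (4, 2, 1, 0): Composer pads numeric versions to four parts."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unsupported version: {version!r}")
    padded = parts + [0] * (4 - len(parts))
    return (padded[0], padded[1], padded[2], padded[3])


def _parse_term(term: str) -> Tuple[Callable[[Version, Version], bool], Version]:
    """Split one term like '<4.2.1' into its comparison function and bound."""
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    op = m.group(1) or "="  # a bare version means exact match
    return _OPS[op], normalize(m.group(2))


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` is matched by the Composer-style `constraint`.

    Alternatives are separated by '|' or '||'; within an alternative every
    comma-separated term must hold.
    """
    v = normalize(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        terms = [_parse_term(t) for t in alternative.split(",") if t.strip()]
        if terms and all(op(v, bound) for op, bound in terms):
            return True
    return False


def flagged(versions: List[str], constraint: str) -> List[str]:
    """Versions that a `conflict` entry with this constraint would refuse to install."""
    return [v for v in versions if satisfies(v, constraint)]


# Constructed sample (assumption): a few Craft 3 and Craft 4 release numbers.
SAMPLE_VERSIONS = ["3.7.0", "3.8.11", "4.0.0", "4.2.0", "4.2.1", "4.4.0"]

# Illustrative shape of a range with no lower bound: every 3.x version matches.
UNBOUNDED = "<4.2.1"
# Illustrative shape of the same range limited to the 4.x branch.
BOUNDED = ">=4.0.0,<4.2.1"

if __name__ == "__main__":
    print("unbounded flags:", flagged(SAMPLE_VERSIONS, UNBOUNDED))
    print("bounded flags:  ", flagged(SAMPLE_VERSIONS, BOUNDED))
```

Running the script shows `3.7.0` and `3.8.11` in the unbounded result and absent from the bounded one, which is exactly the difference between an advisory range that covers only the affected branch and one that silently pulls every older major version into the conflict list.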

Ocramius commented 1 year ago

@angrybrad seems like it's caused by this range: https://github.com/advisories/GHSA-3x74-v64j-qc3f

Ocramius commented 1 year ago

Note: fix the advisory accordingly, and it will be fixed here too 😁

angrybrad commented 1 year ago

@Ocramius thank you! PR fix for the GHSA here: https://github.com/github/advisory-database/pull/2443