Is it correct that the security advisories contain paid(!) TYPO3 ELTS releases?

[snk-spo]

For example typo3/cms-core conflicts for >=10,<10.4.39. But 10.4.38 and higher are so called "ELTS", meaning Extended (i.e. paid) LTS, releases, however. Same for TYPO3 8 and 9 and 11, v10 here was just an example. Also the ELTS versions are not even the latest ones, but some totally random ones, with newer security releases existing: e.g. typo3/cms-core 8.7.54 is the latest security-related ELTS for v8, but the advisory limits to <=8.7.51 and for typo/cms, which in turn requires typo3/cms-core implicitly, it limits to <=8.7.38 (which is even more random: the Latest v8 free release 8.7.32.

This leads to the situation that doing a composer update on a non-ELTS TYPO3 10 installation fails for all packages if you are not paying (because a single conflict blocks everything else). To update any package you have to call composer update vendor/package indivudually, then, which is very tedious and error-prone, if you just want to get your setup to the latest non-paid versions of all packages.

So devs will be annoyed and not even update the free/open-source insecure packages, because this can easily take some hours with checking every single (implicit!) package by hand and totally contradicts what both, composer and the security advisories, are intending: easy, fast and secure updatability.

[Ocramius]

This sounds like something to bring up with upstream typo3: this package merely has the exclusion ranges as published in the advisories.

[snk-spo]

Just for the sake of completeness:

roave pushes responsibility to TYPO3, TYPO3 pushes it forth to the developer, nobody seems to believe this is any issue: https://forge.typo3.org/issues/101675

[Ocramius]

There is no responsibility here: you are consuming a package that is provided as-is, and if typo3 says their free version range is affected by security issues, then that's it.

This is just a different format for what the upstream advisories say.

I have no idea what typo3-oldstable costs in its paid version, but security, especially for old, stable and (I assume) profitabe production software is to be taken seriously.

[ohader]

Just for the sake of completeness:

roave pushes responsibility to TYPO3, TYPO3 pushes it forth to the developer, nobody seems to believe this is any issue: https://forge.typo3.org/issues/101675

The roave/security-advisories package works correctly and perfectly well, as it reports known vulnerabilities. 👍

TYPO3 offers free community support for three years - this is known and announced with the initial release of each major version, including the exact day when a particular version will become EOL. For those that were not able to update, the TYPO3-ELTS program continues the security support for additional three years, this is a paid service. (find details at https://typo3.org/cms/roadmap, https://typo3.com/services/extended-support-elts)

The TYPO3 Security Team issues CVEs which includes those EOL versions as well - those vulnerabilities are real!

Since the reporter wants to use outdated software with known vulnerabilities - on purpose - I (on behalf of the TYPO3 Security Team) suggested to uninstall the roave/security-advisories package.

All relevant details have been mentioned, and we are done with this topic.

[Ocramius]

Excellent clarification: indeed, if it's EOL for the "use for free" public, then that's how it is.

Locking: the last response by @ohader gives all needed context.