Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License
2.7k stars, 105 forks

Installation problem with "dompdf/dompdf" package #125

Closed sivaramkjs closed 9 months ago

sivaramkjs commented 9 months ago

Hi folks,

We are seeing the below error while trying to install dompdf/dompdf package.

Problem 1

  • dompdf/dompdf is locked to version v2.0.3 and an update of this package was not requested.
  • roave/security-advisories dev-latest conflicts with dompdf/dompdf <2.0.4.
  • Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].

composer.json:

"dompdf/dompdf": "^2.0"

We found that all versions <2.0.4 have a vulnerability, as per this: https://github.com/advisories/GHSA-3qx2-6f78-w2j2. But we don't know how to work around this conflict until it's updated in the file below. Could someone please advise on how to proceed in this case? Thank you! https://github.com/Roave/SecurityAdvisories/blob/ccb29669f00f1c5637c79c8e10efd10199696c65/composer.json#L132

Ocramius commented 9 months ago

@sivaramkjs you are supposed to upgrade to at least 2.0.4

sivaramkjs commented 9 months ago

@Ocramius Thank you for such a quick response. But as I mentioned, we are already trying to upgrade it to >=2.0.4 as it's the latest version of the package based on our current version spec in the composer.json.

"dompdf/dompdf": "^2.0"

Ocramius commented 9 months ago

On https://packagist.org/packages/dompdf/dompdf, 2.0.4 is available.

The error above mentions that you are "locked" on 2.0.3.

sivaramkjs commented 9 months ago

Thank you for the pointer. We just realized (our bad 😞) that it was still locked to version 2.0.3 in the composer.lock file. The issue was gone after running composer update explicitly to update the lock file. Nevertheless, thank you very much for your quick help!
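The diagnosis in this thread is easy to replay offline. The script below is an added example, not code from the issue or from Roave/SecurityAdvisories: it reads a constructed composer.lock excerpt (not the reporter's real lock file), extracts the locked version of a package, compares it against the `<2.0.4` bound that the conflict in the error message quotes, and prints the targeted `composer update <package>` that refreshes only that lock entry. The `FIXED_IN` constant and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the issue or from Roave/SecurityAdvisories.
# LOCK_JSON is a constructed composer.lock excerpt; FIXED_IN is the lower
# bound taken from the conflict "roave/security-advisories conflicts with
# dompdf/dompdf <2.0.4" quoted in the error output above.

LOCK_JSON='{
  "packages": [
    {"name": "dompdf/dompdf", "version": "v2.0.3"},
    {"name": "roave/security-advisories", "version": "dev-latest"}
  ]
}'
FIXED_IN=2.0.4   # first dompdf/dompdf release the advisory list allows

# locked_version NAME -> version recorded for NAME in composer.lock, without
# the leading "v"; prints nothing if the package is not locked at all.
locked_version() {
  flat=$(printf '%s' "$LOCK_JSON" | tr -d '\n')
  printf '%s\n' "$flat" \
    | sed -n "s|.*\"name\": *\"$1\", *\"version\": *\"v\{0,1\}\([^\"]*\)\".*|\1|p"
}

# version_lt A B -> succeeds when A is older than B, comparing dot-separated
# numeric parts (a portable stand-in for "sort -V"; missing parts count as 0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 1
  }'
}

# needs_update NAME -> succeeds when the locked version is below FIXED_IN,
# which is exactly the situation in the issue: composer.json allows ^2.0 but
# composer.lock still pins 2.0.3, so the conflict fires on "composer install".
needs_update() {
  v=$(locked_version "$1")
  [ -n "$v" ] && version_lt "$v" "$FIXED_IN"
}

# remediation NAME -> the command that refreshes just that lock entry, rather
# than a blanket "composer update" that bumps every dependency at once.
remediation() {
  printf 'composer update %s\n' "$1"
}

# report NAME -> human-readable verdict for one package (always exits 0).
report() {
  v=$(locked_version "$1")
  if [ -z "$v" ]; then
    echo "$1: not present in composer.lock"
  elif needs_update "$1"; then
    echo "$1: locked at $v, blocked by roave/security-advisories conflict <$FIXED_IN"
    echo "  run: $(remediation "$1")"
  else
    echo "$1: locked at $v, satisfies >=$FIXED_IN"
  fi
}

report dompdf/dompdf
```

Two practical notes. Because the advisory list is required as `dev-latest`, the conflict set itself only changes when the lock entry for roave/security-advisories is refreshed, so `composer update roave/security-advisories` is the way to pick up new advisories without touching anything else; conversely, a conflict that appears on `composer install` with an unchanged composer.json almost always means the lock file, not the constraint, is what needs updating. When the reason for a refusal is not obvious from the solver output, `composer why-not dompdf/dompdf 2.0.4` lists which installed or locked package prohibits the target version.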