Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

Unrelated `conflict` changes (`typo3/cms-*` vs. `mediawiki/semantic-media-wiki`) #127

Closed ohader closed 7 months ago

ohader commented 7 months ago

Description

The package `typo3/cms-saltedpasswords <0.2.13` is suddenly marked as insecure and blocks the installation of the `typo3/cms-core` package (due to a `replace` declaration for `typo3/cms-saltedpasswords: *` in `typo3/cms-core`).

Observation

A bunch of changes were committed recently to roave/security-advisories where the `conflict` declaration does not match the actual original commit in sensiolabs/security-advisories, for instance:

CLI commands used to reproduce the behavior

```
composer req --dev roave/security-advisories:dev-latest

./composer.json has been created
Running composer update roave/security-advisories
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
  - Locking roave/security-advisories (dev-latest b5487e1)
[...]
```

```
composer req typo3/cms-core:^12.4

./composer.json has been updated
Running composer update typo3/cms-core
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.7.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.6.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.5.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.3.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.2.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.1.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.0.
    - roave/security-advisories dev-latest conflicts with typo3/cms-saltedpasswords <0.2.13 (typo3/cms-core v12.4.10 replaces typo3/cms-saltedpasswords *).
    - roave/security-advisories dev-latest conflicts with typo3/cms-saltedpasswords <0.2.13 (typo3/cms-core v12.4.9 replaces typo3/cms-saltedpasswords *).
    - roave/security-advisories dev-latest conflicts with typo3/cms-saltedpasswords <0.2.13 (typo3/cms-core v12.4.8 replaces typo3/cms-saltedpasswords *).
    - roave/security-advisories is locked to version dev-latest and an update of this package was not requested.
    - Root composer.json requires typo3/cms-core ^12.4 -> satisfiable by typo3/cms-core[v12.4.0, ..., v12.4.10].
```
Ocramius commented 7 months ago

See:

This repo only tracks the advisories: check https://github.com/advisories for the latest updates.

Ocramius commented 7 months ago

typo3/cms-core should not replace with a deathstar range there: self.version or something more precise should be used to avoid affected version ranges.
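The mechanism behind the report above and behind the `self.version` advice, shown as an added example that is not Composer's code nor this repository's: a small Python model of how a `conflict` entry from the exclusion list is applied to a package that `replace`s the conflicting one. It assumes the simplified semantics visible in the Composer output in the issue (a package replacing `B` at constraint `R` counts as providing every version of `B` in `R`, so a conflict on `B` hits it whenever `R` intersects the conflict constraint). The package names, versions and the `<0.2.13` constraint are taken from the issue; the helper names, the `Package`/`Range` types and the reduced constraint grammar are this example's own.

```python
"""Added example, not Composer's or roave/security-advisories' own code.

Assumed (simplified) solver rule: "A@V replaces B at constraint R" means installing A@V
also provides B at every version in R, so a conflict rule "B <0.2.13" forbids A@V whenever
R intersects "<0.2.13".  With R = "*" that is always true (every typo3/cms-core 12.4.x was
blocked in the issue); with R = "self.version" only the concrete version V is compared.
Supported syntax: "*", "<", "<=", ">=", "^", exact versions, "," (and), "|" or "||" (or).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'v12.4.10' -> (12, 4, 10); padded to three parts so '12.4' equals '12.4.0'."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass(frozen=True)
class Range:
    """Version interval: low inclusive, high exclusive unless high_inclusive; None = open."""
    low: Optional[Version] = None
    high: Optional[Version] = None
    high_inclusive: bool = False


def parse_simple(token: str) -> Range:
    token = token.strip()
    if token == "*":
        return Range()
    if token.startswith("<="):
        return Range(None, parse_version(token[2:]), True)
    if token.startswith("<"):
        return Range(None, parse_version(token[1:]), False)
    if token.startswith(">="):
        return Range(parse_version(token[2:]), None)
    if token.startswith("^"):  # caret: up to the next major (next minor while major is 0)
        low = parse_version(token[1:])
        return Range(low, (low[0] + 1,) if low[0] else (0, low[1] + 1), False)
    exact = parse_version(token)
    return Range(exact, exact, True)


def intersect(a: Range, b: Range) -> Optional[Range]:
    """Intersection of two ranges, or None when it is empty."""
    low = max((r.low for r in (a, b) if r.low is not None), default=None)
    highs = [(r.high, r.high_inclusive) for r in (a, b) if r.high is not None]
    high = min((h for h, _ in highs), default=None)
    inclusive = all(inc for h, inc in highs if h == high) if highs else False
    if low is not None and high is not None and (low > high or (low == high and not inclusive)):
        return None
    return Range(low, high, inclusive)


def parse_constraint(text: str) -> List[Range]:
    """'|' / '||' separate alternatives; ',' or whitespace joins parts of one alternative."""
    alternatives = []
    for alt in text.replace("||", "|").split("|"):
        acc: Optional[Range] = Range()
        for token in alt.replace(",", " ").split():
            acc = None if acc is None else intersect(acc, parse_simple(token))
        if acc is not None:
            alternatives.append(acc)
    return alternatives


def overlaps(a: List[Range], b: List[Range]) -> bool:
    return any(intersect(x, y) is not None for x in a for y in b)


@dataclass
class Package:
    name: str
    version: str
    replace: Dict[str, str] = field(default_factory=dict)  # replaced name -> constraint

    def provided(self, name: str) -> List[Range]:
        """Versions of `name` that installing this package claims to provide."""
        own = parse_version(self.version)
        constraint = "self.version" if name == self.name else self.replace.get(name)
        if constraint is None:
            return []
        if constraint == "self.version":
            return [Range(own, own, True)]
        return parse_constraint(constraint)


def blocked_by(pkg: Package, conflicts: Dict[str, str]) -> List[str]:
    """Names of conflict entries that forbid installing pkg, directly or via a replace."""
    return [name for name, constraint in conflicts.items()
            if overlaps(pkg.provided(name), parse_constraint(constraint))]


# Constructed from the issue: the exclusion entry Composer reported, and the two replace styles.
ADVISORIES = {"typo3/cms-saltedpasswords": "<0.2.13"}
WILDCARD_CORE = Package("typo3/cms-core", "v12.4.10", {"typo3/cms-saltedpasswords": "*"})
PRECISE_CORE = Package("typo3/cms-core", "v12.4.10", {"typo3/cms-saltedpasswords": "self.version"})

if __name__ == "__main__":
    for pkg in (WILDCARD_CORE, PRECISE_CORE):
        hits = blocked_by(pkg, ADVISORIES)
        print(pkg.replace, "->", "blocked by " + ", ".join(hits) if hits else "installable")
```

Running it shows the wildcard `replace` being blocked by the `typo3/cms-saltedpasswords` entry while the `self.version` variant installs, because 12.4.10 does not fall inside `<0.2.13`. The same check is useful in the other direction: before adding an entry to an exclusion list, a maintainer can run `blocked_by` over the packages that `replace` the advised one to see what collateral blocking a given constraint would cause.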

ohader commented 7 months ago

For the record: a recent change at GitHub "hallucinated" a Composer package, which caused this behavior (side note: the original advisory was from 2010, Composer was established in 2012, two years later). → GitHub advisory change: https://github.com/github/advisory-database/commit/b403b051308beeee5bfe57a59103735a2170eb36