Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

Something weird is happening with regard to version constraints #128

Open SCIF opened 8 months ago

SCIF commented 8 months ago

Here is one of the latest commits: https://github.com/Roave/SecurityAdvisories/commit/3c621b023ec96ba669e5510067b5d4fe4a1f51e0

  1. The latest CVE is https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-50262.yaml which has a constraint <2.0.4.

  2. The message has a link to a PR that has nothing to do with dompdf.

Any idea?

Ocramius commented 8 months ago

See:

SCIF commented 8 months ago

I found the next security issue, but it seems like dompdf is not actually the source of the problem, as they have a wide constraint allowing but not forcing the usage of the affected version of phenx/php-svg-lib. Does it mean the GH advisory report mentioned dompdf incorrectly, so your package reflected this wrong decision as well?

Ocramius commented 8 months ago

Sounds like it: I would bring it up there then, as this package only follows.
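To make the mechanism behind the thread concrete, here is an added example (not code from Roave/SecurityAdvisories or FriendsOfPHP) showing how an advisory in the FriendsOfPHP YAML shape is turned into a composer `conflict` constraint and how an installed version is checked against it. The advisory dict is constructed to mirror the dompdf entry discussed above, and the `,`/`|` joining convention for branches is an assumption; the point it demonstrates is that the conflict lands on whatever package the advisory's `reference` field names, so a mis-attributed advisory produces a conflict on the wrong package.

```python
"""Added example (not the project's own code): advisory -> composer conflict."""
from __future__ import annotations
import re

# Constructed advisory mirroring the FriendsOfPHP YAML keys
# (`reference`, `branches.<name>.versions`); values are illustrative only.
ADVISORY = {
    "reference": "composer://dompdf/dompdf",
    "branches": {
        "2.x": {"versions": [">=2.0.0", "<2.0.4"]},
    },
}


def package_name(advisory: dict) -> str:
    """The conflict attaches to whatever `reference` names: if the advisory
    names dompdf while the bug is in a dependency, dompdf gets the conflict."""
    ref = advisory["reference"]
    prefix = "composer://"
    if not ref.startswith(prefix):
        raise ValueError(f"unsupported reference: {ref}")
    return ref[len(prefix):]


def conflict_constraint(advisory: dict) -> str:
    """Bounds within a branch are ANDed (','), branches are ORed ('|')."""
    branches = advisory["branches"].values()
    return "|".join(",".join(b["versions"]) for b in branches)


def _parse(version: str) -> tuple[int, ...]:
    # Numeric components only; enough for the x.y.z versions in the thread.
    return tuple(int(x) for x in re.findall(r"\d+", version))


_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b,
}


def version_conflicts(installed: str, constraint: str) -> bool:
    """True when `installed` falls inside the conflict range (i.e. is excluded)."""
    for branch in constraint.split("|"):
        excluded = True
        for bound in branch.split(","):
            m = re.match(r"(>=|<=|>|<|=)?\s*(.+)", bound.strip())
            op, ver = m.group(1) or "=", m.group(2)
            excluded &= _OPS[op](_parse(installed), _parse(ver))
        if excluded:
            return True
    return False
```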