Installation problem with "dompdf/dompdf" package

[sivaramkjs]

Hi folks,

We are seeing the below error while trying to install dompdf/dompdf package.

Problem 1

• dompdf/dompdf is locked to version v2.0.4 and an update of this package was not requested.
• roave/security-advisories dev-latest conflicts with dompdf/dompdf <=2.0.4.
• Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].

composer.json:

"dompdf/dompdf": "^2.0"

We found that all versions <=2.0.4 having a vulnerability as per this: https://github.com/advisories/GHSA-97m3-52wr-xvv2. Additionally, we couldn't see a new dompdf/dompdf version beyond v2.0.4. Could someone please advise on how to proceed in this case? Do we need to wait until the new package version is released? Thank you!

Further references:

• https://github.com/Roave/SecurityAdvisories/commit/3c621b023ec96ba669e5510067b5d4fe4a1f51e0
• Seems like this is also related to: https://github.com/Roave/SecurityAdvisories/issues/128

[Ocramius]

This needs to be discussed on the upstream advisory: this library only replicates what is done there.

What you can do locally is "require": {"dompdf/dompdf": "2.0.4 as 2.0.5"} as a temporary workaround.

[sivaramkjs]

This needs to be discussed on the upstream advisory: this library only replicates what is done there.

What you can do locally is "require": {"dompdf/dompdf": "2.0.4 as 2.0.5"} as a temporary workaround.

Hi Marco. Thank you for such a quick response. I tried the suggested workaround but still getting the same error despite having this block in the composer.lock file with the workaround.

"aliases": [
        {
            "package": "dompdf/dompdf",
            "version": "2.0.4.0",
            "alias": "2.0.5",
            "alias_normalized": "2.0.5.0"
        }
    ],

Problem 1
--
  | - dompdf/dompdf is locked to version v2.0.4 and an update of this package was not requested.
  | - roave/security-advisories dev-latest conflicts with dompdf/dompdf <=2.0.4.
  | - Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].

[Ocramius]

SecurityAdvisories/demo-issue-129 on  latest [?] via 🐘 v8.2.15 via ❄️  impure (nix-shell) 
❯ echo '{"require": {"dompdf/dompdf": "2.0.4 as 2.0.4"}, "require-dev": {"roave/security-advisories": "dev-latest"}}' > composer.json

SecurityAdvisories/demo-issue-129 on  latest [?] via 🐘 v8.2.15 via ❄️  impure (nix-shell) 
❯ composer update --dry-run
Loading composer repositories with package information
Updating dependencies
Lock file operations: 6 installs, 0 updates, 0 removals
  - Locking dompdf/dompdf (v2.0.4)
  - Locking masterminds/html5 (2.8.1)
  - Locking phenx/php-font-lib (0.5.6)
  - Locking phenx/php-svg-lib (0.5.2)
  - Locking roave/security-advisories (dev-latest aafb723)
  - Locking sabberworm/php-css-parser (v8.5.1)
Installing dependencies from lock file (including require-dev)
Package operations: 6 installs, 0 updates, 0 removals
  - Installing sabberworm/php-css-parser (v8.5.1)
  - Installing phenx/php-svg-lib (0.5.2)
  - Installing phenx/php-font-lib (0.5.6)
  - Installing masterminds/html5 (2.8.1)
  - Installing dompdf/dompdf (v2.0.4)
  - Installing roave/security-advisories (dev-latest aafb723)
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
No installed packages - skipping audit.

I think you provided a composer update command with too little scope (perhaps specified some packages as arguments)

[sivaramkjs]

Yes, we need to run update only for the dompdf package since we currently have many other packages in the composer.json file for which we don't want to run the update to minimize the version changes at once. However, the error is not appearing anymore (at least for now) most probably due to this revert change: https://github.com/Roave/SecurityAdvisories/commit/aafb7236bf0c11b93b24e951544bd83470b85bec