Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License
2.72k stars 106 forks

composer diagnose baulks at pulling from dev-master #39

Closed bitwombat closed 6 years ago

bitwombat commented 7 years ago

I like to run composer diagnose as one of many CD health/settings checks.

It's currently all clear except for roave/security-advisories:

Checking composer.json: WARNING
require.roave/security-advisories : unbound version constraints (dev-master) should be avoided
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815B42 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC4D767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK

I'm guessing this is intentional so that we always have the latest advisories without the maintainers having to do continuous releases. However, this check erroring out stops my CD process (as it should).

Any ideas of a fix/workaround?

Ocramius commented 7 years ago

There is no fix: this package can only be used unbound.

On 26 Oct 2017 03:46, "Bit Wombat" notifications@github.com wrote:

I like to run composer diagnose as one of many CD health/settings checks.

It's currently all clear except for roave/security-advisories:

Checking composer.json: WARNING
require.roave/security-advisories : unbound version constraints (dev-master) should be avoided
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815B42 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC4D767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK

I'm guessing this is intentional so that we always have the latest advisories without the maintainers having to do continuous releases. However, this check erroring out stops my CD process (as it should).

Any ideas of a fix/workaround?


stof commented 6 years ago

Continuous releases would simply not work for this package: Composer would then happily use an older release of the advisory package to be able to use another library (and then use a vulnerable version)
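The point stof makes above can be shown with a toy resolver. This is an added illustration, not code from Roave/SecurityAdvisories or from Composer: the package names, versions and conflict lists below are constructed, and the resolver is a deliberately small "newest version that conflicts with nothing" search, not Composer's real SAT solver. With tagged advisory releases, the solver is free to pair the newest version of a vulnerable library with an *older* advisory release whose conflict list does not yet know about it; with a single unbound `dev-master` branch there is only one conflict list, so the install fails loudly instead.

```python
# Added example (not Roave's or Composer's code): a toy resolver showing why
# roave/security-advisories must stay unbound (dev-master) rather than tagged.
# All package names, versions and conflict rules here are constructed.
from itertools import product


def version_tuple(v):
    """'1.9.0' -> (1, 9, 0); raises ValueError for branch names like dev-master."""
    return tuple(int(x) for x in v.split("."))


def sort_key(v):
    """Newest-first ordering; non-numeric names (dev-master) are left unordered."""
    try:
        return (0, version_tuple(v))
    except ValueError:
        return (1, ())


def satisfies(version, constraint):
    """Tiny constraint checker: '*', caret '^X.Y' and upper bound '<X.Y.Z'."""
    if constraint == "*":
        return True
    if constraint.startswith("^"):
        low, v = version_tuple(constraint[1:]), version_tuple(version)
        return v >= low and v[0] == low[0]
    if constraint.startswith("<"):
        return version_tuple(version) < version_tuple(constraint[1:])
    raise ValueError("unsupported constraint: " + constraint)


def resolve(require, available, conflicts):
    """Return {package: version} for the first (newest-first) combination in
    which no selected version's 'conflict' entry rejects another selected
    version, or None when every combination is rejected.
      require:    package -> constraint
      available:  package -> list of versions
      conflicts:  (package, version) -> {other_package: rejected_constraint}
    """
    names = list(require)
    candidates = []
    for name in names:
        versions = [v for v in available[name] if satisfies(v, require[name])]
        versions.sort(key=sort_key, reverse=True)
        candidates.append(versions)
    for combo in product(*candidates):
        chosen = dict(zip(names, combo))
        rejected = any(
            other in chosen and satisfies(chosen[other], bad)
            for pkg, ver in chosen.items()
            for other, bad in conflicts.get((pkg, ver), {}).items()
        )
        if not rejected:
            return chosen
    return None


# Constructed project: wants any 1.x of acme/lib plus the advisory package.
REQUIRE = {"acme/lib": "^1.0", "roave/security-advisories": "*"}

# Scenario A: the advisory package is released in tags. Release 1.0.0 only
# knew acme/lib < 1.5.0 was vulnerable; release 2.0.0 later learned that
# every 1.x (< 2.0.0) is vulnerable.
AVAILABLE_TAGGED = {
    "acme/lib": ["1.0.0", "1.4.0", "1.9.0"],
    "roave/security-advisories": ["1.0.0", "2.0.0"],
}
CONFLICTS_TAGGED = {
    ("roave/security-advisories", "1.0.0"): {"acme/lib": "<1.5.0"},
    ("roave/security-advisories", "2.0.0"): {"acme/lib": "<2.0.0"},
}

# Scenario B: a single unbound branch carrying the current conflict list.
AVAILABLE_DEV = {
    "acme/lib": ["1.0.0", "1.4.0", "1.9.0"],
    "roave/security-advisories": ["dev-master"],
}
CONFLICTS_DEV = {
    ("roave/security-advisories", "dev-master"): {"acme/lib": "<2.0.0"},
}


def tagged_outcome():
    # Solver keeps acme/lib 1.9.0 (vulnerable) by downgrading the advisories.
    return resolve(REQUIRE, AVAILABLE_TAGGED, CONFLICTS_TAGGED)


def dev_master_outcome():
    # Only one conflict list exists, so no combination passes: install fails.
    return resolve(REQUIRE, AVAILABLE_DEV, CONFLICTS_DEV)


if __name__ == "__main__":
    print("tagged releases :", tagged_outcome())
    print("dev-master only :", dev_master_outcome())
```

Run it and scenario A resolves to `acme/lib 1.9.0` alongside `roave/security-advisories 1.0.0`, which is exactly the silent downgrade stof describes; scenario B returns `None`, which is the behaviour you actually want from a conflict-only package.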

Ocramius commented 6 years ago

Closing as per clarifications above. @bitwombat please do ask if you have further doubts.

Please also see https://github.com/kalessil/phpinspectionsea/issues/615