Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

How to integrate into existing project? #52

Closed havvg closed 5 years ago

havvg commented 5 years ago

I'm on an old project and would like to add this tool. However, I'm getting this result:

$ composer require --dev roave/security-advisories:dev-master
    1/2:    http://packagist.org/p/provider-latest$272b2375b59d963722fae33cda2f21391d74cabff9314e72be645ef506ffb148.json
    2/2:    http://packagist.org/p/provider-2018-10$e848d0ea86ecaa3b0f19d91a3e0c77a2ace231a51e677fdfbe6425d20a82ece2.json
    Finished: success: 2, skipped: 0, failure: 0, total: 2
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for … -> satisfiable by ….
    - roave/security-advisories dev-master conflicts with ….
    - Installation request for roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

Installation failed, reverting ./composer.json to its original content.

The composer why-not is not helpful either.

$ composer why-not --recursive roave/security-advisories dev-master

  [InvalidArgumentException]
  Could not find package "roave/security-advisories" in your project

prohibits [-r|--recursive] [-t|--tree] [--] <package> [<constraint>]

Is there any known way to handle this situation? I mean something more useful and precise other than "just update everything".

Ocramius commented 5 years ago

roave/security-advisories dev-master conflicts with ….

What's ...?

havvg commented 5 years ago

That's the root project itself, sorry for not explaining.

Ocramius commented 5 years ago

Hmm, I'd suggest a separate approach: composer require <package/> is often buggy due to it trying to restrict updates to just what the newly introduced package requires.

Try instead adding `"roave/security-advisories": "dev-master"` in your composer.json, under `"require-dev"`, manually. Then run `composer update`: that should be more useful.

havvg commented 5 years ago

Tried it, same result — as with update --lock.

Only way I can think of now is to reverse the process with an empty project adding the dependencies step by step.

Ocramius commented 5 years ago

Hmm, I don't know how to help further with that - would try asking in composer/composer, or maybe pasting your "require" and "require-dev" sections in here.

xabbuh commented 5 years ago

Do you have a replace section where you declare to replace some package without a real version constraint (i.e. using *)?

havvg commented 5 years ago

Yes, I do:

    "replace": {
        "paragonie/random_compat": "*",
        "symfony/polyfill-apcu": "*",
        "symfony/polyfill-ctype": "*",
        "symfony/polyfill-intl-icu": "*",
        "symfony/polyfill-mbstring": "*",
        "symfony/polyfill-php56": "*",
        "symfony/polyfill-php70": "*",
        "symfony/polyfill-php71": "*"
    }

xabbuh commented 5 years ago

There have been security fixes for some of these packages. A possible solution is to be more precise and specify a high enough version number like this:

"replace": {
    "paragonie/random_compat": "2.99",
    "symfony/polyfill-apcu": "1.99",
    "symfony/polyfill-ctype": "1.99",
    "symfony/polyfill-intl-icu": "1.99",
    "symfony/polyfill-mbstring": "1.99",
    "symfony/polyfill-php56": "1.99",
    "symfony/polyfill-php70": "1.99",
    "symfony/polyfill-php71": "1.99"
}

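Why a wildcard `replace` collides with the advisory list, as an added example that is not part of this thread and not code from roave/security-advisories: the advisory package is nothing but a `conflict` section listing vulnerable version ranges, and a root project that declares `"some/package": "*"` under `replace` claims to provide every version of that package, including the vulnerable ones, so the solver sees an unavoidable conflict. Pinning the replaced version above the affected range (as xabbuh suggests) removes the overlap. The script below models that range intersection for a small subset of Composer constraint syntax (`*`, exact versions, `^X.Y.Z`, comma-joined comparisons, `|`/`||` alternatives) and adds a pre-flight check for `*` entries in a composer.json. The package names `example/polyfill-a` and `example/polyfill-b` and the conflict ranges are placeholders constructed for the example, not real advisories; Composer's real solver is far more elaborate.

```python
"""Model of why a wildcard "replace" collides with a Composer conflict list.

Added example, not code from roave/security-advisories or from the thread.
The package names and conflict ranges below are constructed placeholders.
"""
import json
import re

INF = (float("inf"),)
NEG_INF = (float("-inf"),)


def parse_version(text):
    """'2.99' -> (2, 99, 0): numeric components padded to three."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_ranges(constraint):
    """Turn a constraint into alternative ranges (lo, lo_incl, hi, hi_incl).

    Supported subset: '*', exact 'X.Y.Z', '^X.Y.Z' (X >= 1), and
    comma-separated comparisons such as '>=1.0,<1.0.5', joined by '|' or '||'.
    """
    ranges = []
    for alt in re.split(r"\|\|?", constraint):
        alt = alt.strip()
        if alt == "*":  # every version, including vulnerable ones
            ranges.append((NEG_INF, True, INF, True))
            continue
        if alt.startswith("^"):  # ^X.Y.Z means >=X.Y.Z,<(X+1).0.0 for X >= 1
            base = parse_version(alt[1:])
            ranges.append((base, True, (base[0] + 1, 0, 0), False))
            continue
        lo, lo_incl, hi, hi_incl = NEG_INF, True, INF, True
        for term in alt.split(","):
            m = re.match(r"(>=|<=|>|<|==|=)?\s*(\d+(?:\.\d+)*)$", term.strip())
            if not m:
                raise ValueError("unsupported constraint: %r" % term)
            op, ver = m.group(1) or "=", parse_version(m.group(2))
            if op in ("=", "==", ">=", ">"):  # tighten the lower bound
                incl = op != ">"
                if ver > lo or (ver == lo and not incl):
                    lo, lo_incl = ver, incl
            if op in ("=", "==", "<=", "<"):  # tighten the upper bound
                incl = op != "<"
                if ver < hi or (ver == hi and not incl):
                    hi, hi_incl = ver, incl
        ranges.append((lo, lo_incl, hi, hi_incl))
    return ranges


def ranges_overlap(a, b):
    """True if at least one version satisfies both ranges."""
    # Tighter lower bound: higher version; on a tie, the exclusive one.
    lo, lo_incl = max((a[0], a[1]), (b[0], b[1]), key=lambda t: (t[0], not t[1]))
    # Tighter upper bound: lower version; on a tie, the exclusive one.
    hi, hi_incl = min((a[2], a[3]), (b[2], b[3]), key=lambda t: (t[0], t[1]))
    if lo < hi:
        return True
    return lo == hi and lo_incl and hi_incl


def conflict_fires(replace_constraint, conflict_constraint):
    """Does a 'replace' constraint provide any version the advisory forbids?"""
    return any(ranges_overlap(r, c)
               for r in parse_ranges(replace_constraint)
               for c in parse_ranges(conflict_constraint))


def wildcard_replaces(composer_json):
    """Pre-flight check: 'replace' entries pinned to '*' collide with any advisory."""
    data = json.loads(composer_json)
    return sorted(name for name, c in data.get("replace", {}).items() if c.strip() == "*")


def explain(composer_json, advisory_conflicts):
    """For each replaced package with an advisory, report whether it would block install."""
    replace = json.loads(composer_json).get("replace", {})
    return {name: conflict_fires(replace[name], advisory_conflicts[name])
            for name in replace if name in advisory_conflicts}


# Constructed sample composer.json fragments: the shape seen in the thread, before and after.
BEFORE = json.dumps({"replace": {"example/polyfill-a": "*", "example/polyfill-b": "*"}})
AFTER = json.dumps({"replace": {"example/polyfill-a": "^9.99", "example/polyfill-b": "1.99"}})

# Hypothetical conflict entries in the shape of an advisory list; ranges are made up.
ADVISORIES = {
    "example/polyfill-a": "<2.0.4",
    "example/polyfill-b": ">=1.0,<1.3.1|>=1.4,<1.4.2",
}

if __name__ == "__main__":
    print("wildcard replaces before:", wildcard_replaces(BEFORE))
    print("blocked before:", explain(BEFORE, ADVISORIES))
    print("blocked after: ", explain(AFTER, ADVISORIES))
```

Running it shows both placeholder packages blocked while they are replaced with `*` and neither blocked once the replace constraints are pinned above the (hypothetical) affected ranges, which is the behaviour the thread describes. The `wildcard_replaces` check is the quick thing to run against a legacy composer.json before adding the advisory package.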
havvg commented 5 years ago

This works, indeed. I changed this one line, and the installation runs just fine: `"paragonie/random_compat": "^9.99"`. Thank you for this hint!