Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

Conflict with typo3-cms #78

Closed Bonnography closed 3 years ago

Bonnography commented 3 years ago

typo3/cms-core v10.4.19 conflicts with roave/security-advisories dev-latest.

I can't update my TYPO3 since the new security releases are online.

Is this a bug from roave or TYPO3?

lloricode commented 3 years ago

Check this, in the latest branch:

https://github.com/Roave/SecurityAdvisories/blob/6da216d969efa7e52cc7d0af125b8c8bb9caed25/composer.json#L297

It has `>=10,<10.4.19`, meaning v10.4.19 is not compatible or has a security issue.

Ocramius commented 3 years ago

See also: https://github.com/FriendsOfPHP/security-advisories/commit/7bf2c0b3a2e76173691d1cdadab9f5c53f2d110b

Ocramius commented 3 years ago

> it has >=10,<10.4.19, meaning v10.4.19 is not compatible or has security issue

No, this means that 10.4.18 and earlier are not compatible. 10.4.19 should be compatible, according to that range selector.

froschdesign commented 3 years ago

@Ocramius

> 10.4.19 should be compatible, according to that range selector.

But it does not work:

```
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Conclusion: don't install typo3/cms-core v10.4.19
    - Conclusion: don't install typo3/cms-core v10.4.18
    - Conclusion: remove typo3/cms-core v10.4.17
    - typo3/cms-core v10.4.17 conflicts with roave/security-advisories[dev-latest].
    - typo3/cms-core v10.4.17 conflicts with roave/security-advisories[dev-latest].
    - Installation request for typo3/cms-core ^v10.4.17 -> satisfiable by typo3/cms-core[v10.4.17, v10.4.18, v10.4.19].
    - Installation request for roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].
```

Ocramius commented 3 years ago

Do you have a full composer.json perhaps? It should be installable, but perhaps it's not because of some other lock?

Try `composer why-not typo3/cms-core:10.4.19`

froschdesign commented 3 years ago

> Try composer why-not typo3/cms-core:10.4.19

```
typo3/cms-about                 v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-backend               v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-belog                 v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-beuser                v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-dashboard             v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-extbase               v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-extensionmanager      v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-felogin               v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-filelist              v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-fluid                 v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-fluid-styled-content  v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-form                  v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-frontend              v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-impexp                v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-info                  v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-install               v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-linkvalidator         v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-lowlevel              v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-recordlist            v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-rte-ckeditor          v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-scheduler             v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-seo                   v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-setup                 v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-sys-note              v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-t3editor              v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-tstemplate            v10.4.17  requires  typo3/cms-core (10.4.17)
typo3/cms-viewpage              v10.4.17  requires  typo3/cms-core (10.4.17)
```

froschdesign commented 3 years ago

In another test (local environment) I removed roave/security-advisories and the update to version 10.4.19 works. After the update, I tried to add the security package:

```
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - roave/security-advisories dev-latest conflicts with typo3/cms-core[v10.4.19].
    - roave/security-advisories dev-latest conflicts with typo3/cms-core[v10.4.19].
    - Installation request for roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].
    - Installation request for typo3/cms-core ^v10.4.19 -> satisfiable by typo3/cms-core[v10.4.19].
```

Ocramius commented 3 years ago

This is weird, because I can't find a conflict with 10.4.19 🤔

Do we have an example composer.json for reproducing this?

lloricode commented 3 years ago

> it has >=10,<10.4.19, meaning v10.4.19 is not compatible or has security issue

> No, this means that 10.4.18 and earlier are not compatible. 10.4.19 should be compatible, according to that range selector.

My bad, I forgot this is a conflict. Yes, you're right, this must work.

lloricode commented 3 years ago

Maybe try to run `composer update`; maybe it's outdated on your project.

froschdesign commented 3 years ago

The problem can be tested with this `composer.json`:

```json
{
    "require": {
        "typo3/cms-core": "^v10.4.19"
    },
    "require-dev": {
        "roave/security-advisories": "dev-latest"
    }
}
```

Result of `composer update`:

```
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for typo3/cms-core ^v10.4.19 -> satisfiable by typo3/cms-core[v10.4.19].
    - roave/security-advisories dev-latest conflicts with typo3/cms-core[v10.4.19].
    - Installation request for roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].
```

Ocramius commented 3 years ago

I get slightly different results, potentially indicating an issue with composer caching:

```
SecurityAdvisories/test-issue-78 on  latest [?] via 🐘
❯ cat composer.json
{
    "require": {
        "typo3/cms-core": "^v10.4.19"
    },
    "require-dev": {
        "roave/security-advisories": "dev-latest"
    }
}
SecurityAdvisories/test-issue-78 on  latest [?] via 🐘 took 2s
❯ docker run -v $(pwd):/app composer:2 composer update --dry-run --ignore-platform-reqs
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires typo3/cms-core ^v10.4.19 -> satisfiable by typo3/cms-core[v10.4.19].
    - roave/security-advisories dev-latest conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core v10.4.19 replaces t3g/svg-sanitizer *).
    - Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].
```

So the issue seems to be that `typo3/cms-core v10.4.19 replaces t3g/svg-sanitizer *` represents all versions of t3g/svg-sanitizer, and therefore it is affected by the security issues in `t3g/svg-sanitizer <1.0.3`.

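The mechanism behind that diagnosis can be reproduced offline. The following is an added Python model written for this page, not Composer's solver and not code from roave/security-advisories or TYPO3: a package that `replace`s another with `*` claims every version of it, so a `conflict` rule such as `t3g/svg-sanitizer <1.0.3` matches the replacing package even when the replacing package's own version is outside its own conflict range. The conflict map and the wildcard replace are taken from the thread; the third package, with a replace pinned to `1.0.3`, is a constructed hypothetical to show that a bounded replace outside the vulnerable range would not trip the rule, and says nothing about what TYPO3 actually changed in 10.4.20.

```python
"""Toy model of the Composer behaviour diagnosed in this thread: a `replace`
entry with a `*` constraint claims every version of the replaced package, so
any `conflict` rule against that package also blocks the replacing one.
Added, simplified illustration for this page; not Composer's solver and not
code from roave/security-advisories or TYPO3.
Supported constraint syntax: comparison operators joined by ',' (AND) and '*'.
"""
import re
from dataclasses import dataclass, field

_CONSTRAINT_PART = re.compile(r"\s*(<=|>=|<|>|==|=)?\s*v?([\d.]+)\s*")
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
}


def parse_version(version: str) -> tuple[int, ...]:
    """Normalise 'v10.4.19' / '10.4' / '10' to a 4-part integer tuple."""
    parts = [int(p) for p in version.lstrip("v").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` lies inside `constraint`, e.g. '>=10,<10.4.19'."""
    if constraint.strip() == "*":
        return True
    v = parse_version(version)
    for part in constraint.split(","):
        m = _CONSTRAINT_PART.fullmatch(part)
        if m is None:
            raise ValueError(f"unsupported constraint part: {part!r}")
        op = m.group(1) or "="
        if not _OPS[op](v, parse_version(m.group(2))):
            return False
    return True


@dataclass
class Package:
    name: str
    version: str
    # name -> version constraint, mirroring composer.json's `replace` map
    replace: dict[str, str] = field(default_factory=dict)


def provided_versions(pkg: Package) -> dict[str, str]:
    """Every (name, version) the package claims to provide: itself plus its
    `replace` entries. 'self.version' resolves to the package's own version."""
    provided = {pkg.name: pkg.version}
    for name, constraint in pkg.replace.items():
        provided[name] = pkg.version if constraint == "self.version" else constraint
    return provided


def conflicts_with(pkg: Package, conflict_map: dict[str, str]) -> list[tuple[str, str]]:
    """Return the (package, constraint) conflict entries that block `pkg`.
    A replaced package declared as '*' matches every conflict constraint,
    because it claims all versions, the vulnerable ones included."""
    hits = []
    for name, provided in provided_versions(pkg).items():
        constraint = conflict_map.get(name)
        if constraint is None:
            continue
        if provided == "*" or satisfies(provided, constraint):
            hits.append((name, constraint))
    return hits


# Constructed conflict map; both constraints are the ones quoted in the thread.
ADVISORY_CONFLICTS = {
    "typo3/cms-core": ">=10,<10.4.19",
    "t3g/svg-sanitizer": "<1.0.3",
}

# Constructed packages modelling the three situations discussed.
CORE_10_4_18 = Package("typo3/cms-core", "10.4.18")  # blocked by its own entry
CORE_10_4_19_WILDCARD = Package(
    "typo3/cms-core", "10.4.19", replace={"t3g/svg-sanitizer": "*"}
)  # blocked only through the wildcard replace, as in the dry-run output above
CORE_10_4_19_PINNED = Package(
    "typo3/cms-core", "10.4.19", replace={"t3g/svg-sanitizer": "1.0.3"}
)  # hypothetical: a bounded replace version outside the vulnerable range

if __name__ == "__main__":
    for pkg in (CORE_10_4_18, CORE_10_4_19_WILDCARD, CORE_10_4_19_PINNED):
        blocked = conflicts_with(pkg, ADVISORY_CONFLICTS)
        print(pkg.name, pkg.version, pkg.replace, "->", blocked or "installable")
```

Run as a script it prints one line per modelled package; the middle case is the one in the thread: `typo3/cms-core 10.4.19` is clean on its own conflict range but is blocked through `t3g/svg-sanitizer <1.0.3` because of the `*` replace.
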
froschdesign commented 3 years ago

No more problems with version 10.4.20 of TYPO3.