Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

Manual trigger of security check not working #80

Closed GitRon closed 3 years ago

GitRon commented 3 years ago

Hi there

When I try to run the command as documented, I get a lot of errors but no security check. What am I doing wrong?

$ composer require --dev roave/security-advisories:dev-latest
./composer.json has been updated
Running composer update roave/security-advisories
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.
  Problem 1
    - tymon/jwt-auth is locked to version 1.0.2 and an update of this package was not requested.
    - tymon/jwt-auth 1.0.2 requires php ^5.5.9|^7.0 -> your php version (8.0.9) does not satisfy that requirement.
  Problem 2
    - supliu/laravel-query-monitor is locked to version 1.0.2 and an update of this package was not requested.
    - supliu/laravel-query-monitor 1.0.2 requires php ^7.3 -> your php version (8.0.9) does not satisfy that requirement.
  Problem 3
    - laravel/framework is locked to version v8.25.0 and an update of this package was not requested.
    - roave/security-advisories dev-latest conflicts with illuminate/database <6.20.26|>=7,<8.40 (laravel/framework v8.25.0 replaces illuminate/database self.version).
    - Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].
Installation failed, reverting ./composer.json and ./composer.lock to their original content.

Thx Ronny

GitRon commented 3 years ago

Ok, problem is another one. Sorry.

GitRon commented 3 years ago

The solution was partly using the --ignore-platform-reqs flag in the pipeline.

Ocramius commented 3 years ago

@GitRon --ignore-platform-reqs should not be used: roave/security-advisories is telling you that your laravel/framework version requires an urgent update, and this update may need upgrading also some other dependencies.
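To make the conflict quoted in the error output concrete, here is an added Python example (not part of this thread and not code from roave/security-advisories) that reads a constructed composer.lock excerpt and checks it against an exclusion entry of the same shape, resolving `replace` the way Composer does so that laravel/framework v8.25.0 stands in for illuminate/database. It assumes a simplified constraint grammar (plain comparison operators joined by `,` and `|`, no `^` or `~` ranges); Composer's real resolver uses composer/semver.

```python
import json
import re

# Constructed composer.lock excerpt (not the reporter's real lock file) mirroring the packages
# named in the issue; note that laravel/framework "replaces" illuminate/database.
LOCK_JSON = """{"packages": [
  {"name": "laravel/framework", "version": "v8.25.0",
   "replace": {"illuminate/database": "self.version"}},
  {"name": "tymon/jwt-auth", "version": "1.0.2"}]}"""

# Constructed exclusion list in the shape of the conflict entry quoted in the error output.
CONFLICTS = {"illuminate/database": "<6.20.26|>=7,<8.40"}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_version(text):
    """'v8.25.0' -> (8, 25, 0); short versions such as '7' are zero-padded."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, constraint):
    """Simplified Composer constraint check: '|' separates alternatives, ',' joins
    conditions that must all hold. Only plain comparison operators are supported."""
    v = parse_version(version)
    for alternative in constraint.split("|"):
        results = []
        for term in alternative.split(","):
            m = re.fullmatch(r"(>=|<=|>|<|=)?\s*([\dv.]+)", term.strip())
            results.append(OPS[m.group(1) or "="](v, parse_version(m.group(2))))
        if all(results):
            return True
    return False

def provided_versions(lock):
    """Map every name the lock file provides to a version, including names another
    package 'replaces' (Composer treats those as installed at the replacer's version)."""
    provided = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        provided[pkg["name"]] = pkg["version"]
        for replaced, ver in pkg.get("replace", {}).items():
            provided[replaced] = pkg["version"] if ver == "self.version" else ver
    return provided

def find_conflicts(lock_json, conflicts):
    """Return {package: locked version} for every advisory conflict the lock file hits."""
    provided = provided_versions(json.loads(lock_json))
    return {name: provided[name] for name, constraint in conflicts.items()
            if name in provided and satisfies(provided[name], constraint)}
```

Running find_conflicts(LOCK_JSON, CONFLICTS) reports illuminate/database at v8.25.0, which is exactly why Composer refuses to install dev-latest next to the locked laravel/framework; bumping to a version outside the excluded range clears it.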

GitRon commented 3 years ago

@Ocramius As far as I understand there is a dependency conflict because we have >8 and this package uses <7 version of laravel?

Ocramius commented 3 years ago

The conflict occurs because you are running PHP 8, and your locked packages require PHP 7.x or older.

If you are running this locally, remember that you should probably run the same version of PHP that you also use in production.

GitRon commented 3 years ago

Oh, I just extended from the composer:2 docker image, thanks for the hint!

GitRon commented 3 years ago

OK, composer always comes with the latest php version. But I only use the image for linting and security checks, I think it's an ok workaround.

Didn't work with this package, though. Switched to another one 😔