Closed joelpittet closed 2 years ago
Hey @joelpittet! Changing it here will have no effect: it will be reverted once automation re-generates composer.json
Related: https://github.com/Roave/SecurityAdvisoriesBuilder/issues/451
Related: https://github.com/Roave/SecurityAdvisoriesBuilder/pull/459
I suggest finding out the source of this advisory - potentially wrong published data on the Github advisory DB?
See https://github.com/github/advisory-database
I'd say https://github.com/advisories/GHSA-636j-7x7r-gvw2 excludes everything below <= 6.0.0-RC5
Closing here: the issue is to be solved at the advisory source.
Thanks @Ocramius, I'll dig it up!
@Ocramius It's fixed, thanks for the pointer!
One question that you may know the answer to. It's a bit of a nitpick, but the format of the generated constraint has a space between the operator and the value, where most of the other constraints don't have that space, AND the formatting at https://github.com/advisories/GHSA-636j-7x7r-gvw2 didn't allow me to remove the space!
`"snipe/snipe-it": "<5.4.2|>= 6.0.0-RC-1, <= 6.0.0-RC-5",`
vs
`"snipe/snipe-it": "<5.4.2|>=6.0.0-RC-1,<=6.0.0-RC-5",`
My question is why the format is different: are they manually created in the other cases, or do they come from a different source?
That is a good question for which I don't have an answer: seems like a bug, potentially SecurityAdvisoriesBuilder not considering whitespace in its regexes, and therefore losing some context around this.
This may become more visible if/when there is a new security advisory on this package, and we observe wonky range merging there.
Until then, I suggest ignoring it.
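As an added illustration (not code from this thread, from SecurityAdvisoriesBuilder or from Composer), a small Python normalizer that treats whitespace around operators and separators in a Composer `conflict` constraint as insignificant, so the two renderings quoted above parse to the same structure, and that flags entries whose raw text deviates from the canonical form. The simplified grammar it assumes (OR via `|` or `||`, AND via `,` or whitespace, the comparison operators plus `~` and `^`) is my own reading and leaves out Composer features such as aliases and stability flags.

```python
import re

# Assumption: simplified Composer constraint grammar. Ranges are OR-ed with
# "|" or "||"; comparators inside a range are AND-ed with "," or whitespace.
# Aliases ("as"), stability flags ("@dev") and wildcards are not handled.
_OPS = r"(<>|!=|>=|<=|==|>|<|=|\^|~)"
_GLUE_OP = re.compile(_OPS + r"\s+")          # ">= 6.0.0" -> ">=6.0.0"
_COMPARATOR = re.compile(r"^" + _OPS + r"?(\S+)$")
_OR_SEP = re.compile(r"\s*\|\|?\s*")
_AND_SEP = re.compile(r"\s*,\s*|\s+")
_ALIASES = {"=": "==", "<>": "!="}            # Composer spellings of == / !=


def parse_constraint(constraint: str) -> list[list[tuple[str, str]]]:
    """Parse into an OR-list of AND-lists of (operator, version) pairs.

    Whitespace between an operator and its version, and around "," and "|",
    carries no meaning and is discarded before tokenising.
    """
    text = _GLUE_OP.sub(r"\1", constraint.strip())
    ranges = []
    for disjunct in _OR_SEP.split(text):
        comparators = []
        for part in filter(None, _AND_SEP.split(disjunct)):
            m = _COMPARATOR.match(part)
            if m is None:
                raise ValueError(f"unparseable comparator {part!r} in {constraint!r}")
            raw_op = m.group(1) or "=="            # bare version means exact match
            comparators.append((_ALIASES.get(raw_op, raw_op), m.group(2)))
        if not comparators:
            raise ValueError(f"empty range in {constraint!r}")
        ranges.append(comparators)
    return ranges


def canonical(constraint: str) -> str:
    """Render a constraint with no spaces and normalised operators."""
    return "|".join(",".join(op + ver for op, ver in r) for r in parse_constraint(constraint))


def equivalent(a: str, b: str) -> bool:
    """True when two constraints differ only in formatting."""
    return parse_constraint(a) == parse_constraint(b)


def find_unnormalized(conflicts: dict[str, str]) -> dict[str, str]:
    """Map each conflict entry whose raw text is not canonical to its canonical form."""
    return {pkg: canonical(c) for pkg, c in conflicts.items() if canonical(c) != c}


# Constructed sample: the thread's whitespace-padded entry next to a clean one.
SAMPLE_CONFLICTS = {
    "snipe/snipe-it": "<5.4.2|>= 6.0.0-RC-1, <= 6.0.0-RC-5",
    "acme/clean-package": "<1.2.3|>=2.0.0,<2.0.1",
}
```

Running `find_unnormalized(SAMPLE_CONFLICTS)` over a generated `composer.json` conflict map is a cheap way to spot entries that were rendered with a different spacing convention than the rest.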
Looks to be auto-generated in this commit 3bbc1ff6ef5ac9e765a1e4b8464a7ab97e656820
Fixes Original commit: "FriendsOfPHP/security-advisories@017f334"
Fixes https://github.com/snipe/snipe-it/issues/10932