Closed jboulen closed 1 year ago
Thanks for the info. Makes sense but currently the package is owned by someone else....
Do you mean that the jfritschi account referenced as maintainer on the jasig/phpcas package is not yours? I can try to contact someone at packagist.org if you agree.
The account jfritschi is mine. But the apereo/phpcas package that you propose as future package is owned by someone else...
Oh, I thought that apereo/phpcas package was owned by someone from apereo...
I see the user with the same profile picture is on GitHub as @wuwx. We might need to do a more official outreach but looks like at least one of the maintainers here needs to have admin access of that packagist package to proceed.
Since https://github.com/apereo/phpCAS/commit/c98aa746c468104ec6a8b3ca9a6ed32fdda635fd there is some security risk for projects using phpCAS via composer:

> Private Packagist: "What happened? On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and ..."

> composer/packagist Pull Request #1374 by Seldaek: "Refactor package permissions into a voter, restrict URL edits from 50k dls"
I have sent a message to packagist and hope they can simply transfer ownership of the package to me....
I have gained ownership and have now marked jasig/phpcas as abandoned and pointed to apereo/phpcas.
Great! Thank you @jfritschi!
I confirm that it works as expected:
```text
$ composer update jasig/phpcas
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Package jasig/phpcas is abandoned, you should avoid using it. Use apereo/phpcas instead.
Generating autoload files
```
So I can close my issue. :)
When a project uses the jasig/phpcas package instead of the apereo/phpcas package, Dependabot on GitHub is unable to report the security alerts. So maybe the jasig/phpcas package should have "abandoned" status to motivate developers to migrate to the apereo/phpcas package?
There is also a lack of information on packagist.org. Only the apereo/phpcas package announces security alerts:
https://packagist.org/packages/apereo/phpcas
https://packagist.org/packages/jasig/phpcas
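The composer warning above only appears on the machine that runs `composer update`, and Dependabot only tracks the name a project actually requires. As an added example that is not part of this thread, the following audit walks a project's composer.lock, looks each package up in Packagist metadata (the `abandoned` field of `https://packagist.org/packages/{vendor}/{name}.json` is assumed to be `false`, `true`, or the replacement package name), and reports whether the abandoned package is a direct requirement in composer.json or a transitive one. All inputs are constructed stand-ins embedded inline so the script runs offline.

```python
import json

# Constructed composer.json / composer.lock fragments: the project still requires the
# old jasig/phpcas name, which Packagist now marks abandoned in favour of apereo/phpcas.
COMPOSER_JSON = json.dumps({"require": {"jasig/phpcas": "^1.6", "monolog/monolog": "^3.0"}})
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "jasig/phpcas", "version": "1.6.1"},
    {"name": "monolog/monolog", "version": "3.4.0"},
    {"name": "psr/log", "version": "3.0.0"},
]})

# Constructed stand-ins for the Packagist package endpoint responses (assumed shape:
# {"package": {"name": ..., "abandoned": false | true | "<replacement>"}}).
PACKAGIST = {
    "jasig/phpcas": {"package": {"name": "jasig/phpcas", "abandoned": "apereo/phpcas"}},
    "monolog/monolog": {"package": {"name": "monolog/monolog", "abandoned": False}},
    "psr/log": {"package": {"name": "psr/log", "abandoned": False}},
}


def audit_abandoned(composer_json, composer_lock, metadata):
    """Return {package: {"replacement": str|None, "direct": bool}} for abandoned locked packages."""
    direct = set(json.loads(composer_json).get("require", {}))
    findings = {}
    for entry in json.loads(composer_lock).get("packages", []):
        name = entry["name"]
        info = metadata.get(name)
        if info is None:
            continue  # not on Packagist (private or VCS repository); nothing to check here
        abandoned = info["package"].get("abandoned", False)
        if not abandoned:
            continue
        findings[name] = {
            # A string means "use this package instead"; True means abandoned with no successor.
            "replacement": abandoned if isinstance(abandoned, str) else None,
            "direct": name in direct,
        }
    return findings


if __name__ == "__main__":
    for name, f in audit_abandoned(COMPOSER_JSON, COMPOSER_LOCK, PACKAGIST).items():
        where = "required in composer.json" if f["direct"] else "pulled in transitively"
        fix = f"migrate to {f['replacement']}" if f["replacement"] else "no replacement announced"
        print(f"{name}: abandoned ({where}); {fix}")
```

A direct hit is fixed by editing composer.json; a transitive hit means the upstream package that requires the old name needs the migration.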