bolt / project

🚀 Repo to `composer create project` a Bolt 5 project.
MIT License

composer/composer requirement should be higher version #101

Closed garrettboone closed 2 years ago

garrettboone commented 2 years ago

FYI: https://packagist.org/packages/composer/composer/advisories?version=5517140 v2.1.8 and lower have a vulnerability.

I was able to locally modify composer.json with:

    "require": {
        "composer/composer": "^2.1.9",
        "composer/xdebug-handler": "^2.0",
        "php": ">=7.2.9 || ^8.0"...etc

After `composer update -W` there were no composer conflicts.
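The comment above raises the floor for `composer/composer` in `composer.json` and relies on the resolver to pick a fixed release. The script below is an added example written for this thread, not code from bolt/project or from Composer; it reads a `composer.lock` offline and flags any listed package whose locked version is below a required minimum, so the same check can run in CI before `composer update` is ever trusted. The lock-file excerpt is constructed for the demonstration, and the 2.1.9 minimum for `composer/composer` follows the advisory range quoted above (2.1.8 and lower affected).

```python
"""Flag packages in a composer.lock that are locked below a required minimum.

Added example for this thread, not code from bolt/project or Composer itself.
The lock content below is constructed; the 2.1.9 floor for composer/composer
follows the advisory quoted in the issue (v2.1.8 and lower affected).
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Minimum acceptable versions, keyed by Composer package name.
REQUIRED_MINIMUMS: Dict[str, str] = {
    "composer/composer": "2.1.9",
}

# Constructed composer.lock excerpt (not a real bolt/project lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "composer/composer", "version": "v2.1.8"},
        {"name": "composer/xdebug-handler", "version": "2.0.2"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.10"},
    ],
})

# Leading "v" is optional in Composer lock files; pre-release suffixes
# such as "-rc1" are ignored for the comparison.
_NUMERIC = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn 'v2.1.8' or '2.1.8-rc1' into (2, 1, 8); branch aliases like
    'dev-main' have no numeric version and return None."""
    m = _NUMERIC.match(version.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so "2.1" compares equal to "2.1.0".
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def locked_versions(lock_json: str) -> Dict[str, str]:
    """Map package name -> locked version across both lock sections."""
    lock = json.loads(lock_json)
    found: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def find_outdated(lock_json: str, minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, locked_version, minimum) for each package in `minimums`
    that is present in the lock file and below its floor.

    A locked version that cannot be parsed (e.g. 'dev-main') is also reported:
    it cannot be shown to be at or above the minimum by version comparison.
    Packages absent from the lock file are skipped; there is nothing to check.
    """
    outdated: List[Tuple[str, str, str]] = []
    locked = locked_versions(lock_json)
    for name, minimum in minimums.items():
        if name not in locked:
            continue
        need = parse_version(minimum)
        if need is None:
            raise ValueError(f"minimum for {name} is not a numeric version: {minimum}")
        have = parse_version(locked[name])
        if have is None or have < need:
            outdated.append((name, locked[name], minimum))
    return outdated


if __name__ == "__main__":
    for name, have, need in find_outdated(SAMPLE_LOCK, REQUIRED_MINIMUMS):
        print(f"{name}: locked {have}, require >= {need}")
```

Run it against a real `composer.lock` by replacing `SAMPLE_LOCK` with the file's contents; a non-empty result is the signal to bump the constraint in `composer.json` and re-run `composer update -W`, as done in the comment above. Newer Composer releases (2.4 and later) ship `composer audit`, which performs this kind of check directly against the published advisory database.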

bobdenotter commented 2 years ago

Yes, it makes sense to lock this down on a higher version in composer.json. Would you like to make a small PR for both bolt/project and bolt/core to do so?

garrettboone commented 2 years ago

Yes I would, I can do later today and will double check for conflicts again.

garrettboone commented 2 years ago

@bobdenotter You know, maybe it's not a big deal after all. I just reinstalled the project from scratch and no vulnerabilities are showing. I also checked again on composer/composer and see versions 2.1.9, 2.1.10 and 2.1.11 are all just in the past couple of months, which is after I previously installed Bolt. Version 2.1.11 is showing after a fresh install, so I think we're good. Sorry for the false alarm, I will close this.