swiftmailer requirement

[m-vo]

Why do we need to require swiftmailer/swiftmailer (along with symfony/swiftmailer-bundle)? (https://github.com/contao/standard-edition/blob/master/composer.json#L29)

I don't see this in the managed edition? Is there something behind it?

[leofeyer]

Because we want to make sure that we get at least version 5.4.5 of swiftmailer/swiftmailer. There has been a major security issue in version < 5.4.5.

[m-vo]

Got it. So should this be the same in the manager-bundle, then?

https://github.com/contao/manager-bundle/blob/develop/composer.json#L16

[leofeyer]

No, it is already in the core bundle: https://github.com/contao/core-bundle/blob/master/composer.json#L41

[m-vo]

I don't want to poke around on this, just to get a better understanding of the whole thing :wink:: If for some reason the requirement of a version > 5.4.5 can not be fulfilled, wouldn't this just install an old version of the standard-edition (4.3.1) then? I think that's the reason why the requirement was not raised in the symfony bundle.

see https://github.com/symfony/swiftmailer-bundle/issues/156

[leofeyer]

No, it would exit saying "your requirements could not be resolved to an installable set of packages".

[aschempp]

It would actually install an older version of the core bundle if that resolves the conflict…

[ausi]

Because we want to make sure that we get at least version 5.4.5 of swiftmailer/swiftmailer.

Couldn’t this also be done by adding a conflict for "swiftmailer/swiftmailer":"<5.4.5"?

[leofeyer]

Probably yes, I'll try it.

[m-vo]

That's exactly how e.g. https://github.com/Roave/SecurityAdvisories works. Maybe it does make sense to use such solution in general. I wonder if this would increase the complexity to calculate dependencies, though.

[leofeyer]

Changed in contao/core-bundle@4048d8b2125b5e5ccab7b6b7380b3c1cd7c2da17.