Closed hugovk closed 5 years ago
By the way, is there a reason all the versions are listed?
"drupal/core": "<8.0.0-beta2,<8.0.4,<8.1.3,<8.1.7,<8.1.10,<8.2.3,<8.2.7,<8.2.8,<8.3.1,<8.3.4,<8.3.7,<8.3.9,<8.4.6,<8.4.7,<8.4.8,<8.5.1,<8.5.2,<8.5.3,<8.5.6,<8.5.8,<8.5.9,<8.5.11,<8.6.2,<8.6.6,<8.6.10",
Would something like this be simpler?
"drupal/core": "<8.6.10",
Or if both major.minor are needed?
"drupal/core": "<8.0.0-beta2,<8.0.4,<8.1.10,<8.2.8,<8.3.9,<8.4.8,<8.5.11,8.6.10",
Turns out this is a bug in Drush, fixed in https://github.com/drush-ops/drush/pull/3766 but not yet released.
I'll leave this open, in case you wish to work around it.
The bug has been fixed and is included in the Drush 9.6.2 release.
When Drupal Core is installed via Acquia's BLT, it depends on
webflo/drupal-core-require-dev
rather thandrupal/core
.Subsequently, commands such as
drush pm:security
don't finddrupal/core
incomposer.lock
.It does find
webflo/drupal-core-require-dev
, but that isn't found in https://raw.githubusercontent.com/drupal-composer/drupal-security-advisories/8.x/composer.json.Therefore
drush pm:security
incorrectly reports:This PR adds
webflo/drupal-core-require-dev
, mirroring the version numbers ofdrupal/core
.The same versioning is used:
https://github.com/webflo/drupal-core-require-dev