Open deviantintegral opened 4 years ago
I'm experiencing the same issue with Drupal core 8.8.5. I only got a conflict when I installed https://github.com/Roave/SecurityAdvisories where the rule is
"drupal/core": ">=7,<7.70|>=8,<8.7.14|>=8.8,<8.8.6",
I think this is because `drush pm:security` is using the `v2` branch (see #11).
There's one open PR fixing a bug for 7.x core restraints on the `v2` branch (#19), but otherwise I'm not sure what's holding up merging v2 to the main branch?
I noticed today that I am able to install known-insecure versions of Drupal. Here's the basic `composer.json`:
And here's the steps that created that file and installed 8.8.3:
The conflict line in `composer.lock` currently is:
It looks like the problem occurs as soon as there is a constraint that is less than the selected version.
Allows 8.8.3, while:
does not.
Luckily `drush pm:security` does pick up the SA, so I imagine most Drupal users are not unknowingly running insecure versions.
I think the problem is the use of a straight `and` in conflict, as noted in the composer docs. I get the correct behaviour with:
"drupal/core": "<8.7.14 || >8.8.0 <8.8.6"
which allows 8.7.14 and 8.8.6, but nothing else.
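
An added example, not part of the original issue or of any project's code: a simplified Python model of Composer's constraint matching (comma or space as AND, `|` or `||` as OR, plain numeric versions only) that lists which versions from a constructed sample each of the two rules quoted on this page would block as a `conflict` entry. The function names and the sample version list are assumptions of this example.

```python
import re

# Simplified model of Composer constraint matching (an assumption of this
# example): plain numeric versions only, no ^ ~ * ranges or stability flags.
OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

def parse_version(text, width=4):
    """'8.8' -> (8, 8, 0, 0), so short versions compare like padded ones."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def matches(version, constraint):
    """True if version satisfies constraint: '|' / '||' is OR, ',' / space is AND."""
    v = parse_version(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        terms = re.findall(r"(<=|>=|==|!=|<|>|=)?\s*([0-9][0-9.]*)", alternative)
        if terms and all(OPS[op or "="](v, parse_version(num)) for op, num in terms):
            return True
    return False

def blocked(versions, conflict_rule):
    """Versions a 'conflict' entry with this rule would refuse to install."""
    return [v for v in versions if matches(v, conflict_rule)]

# The two rules quoted on this page.
ROAVE_RULE = ">=7,<7.70|>=8,<8.7.14|>=8.8,<8.8.6"
POSTED_RULE = "<8.7.14 || >8.8.0 <8.8.6"
# Constructed sample of versions to audit.
SAMPLE = ["7.69", "7.70", "8.7.13", "8.7.14", "8.8.0", "8.8.3", "8.8.5", "8.8.6"]

if __name__ == "__main__":
    for name, rule in (("roave", ROAVE_RULE), ("posted", POSTED_RULE)):
        print(name, "blocks", blocked(SAMPLE, rule))
```

Running a rule through a check like this before committing it shows exactly which releases it rejects, including boundary versions such as 7.70 and 8.8.0 where the two rules differ.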