drupal-composer / drupal-security-advisories


Incorrect conflict line allows installations of insecure Drupal core versions #21

Open deviantintegral opened 4 years ago

deviantintegral commented 4 years ago

I noticed today that I am able to install known-insecure versions of Drupal. Here's the basic composer.json:

{
    "require": {
        "drupal-composer/drupal-security-advisories": "8.x-dev",
        "drupal/core": "8.8.3"
    }
}

And here's the steps that created that file and installed 8.8.3:

$ composer require drupal-composer/drupal-security-advisories:8.x-dev
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing drupal-composer/drupal-security-advisories (8.x-dev 413d689)
Writing lock file
Generating autoload files
$ composer require drupal/core:8.8.3
    1/2:    http://repo.packagist.org/p/provider-latest$d5afd90b02bfbb6d8156c98fadffd5a4b6dcad75f12e2ae09a0f3dd542122f0b.json
    2/2:    http://repo.packagist.org/p/provider-2020-01$f68a8a70594e85cc5d3310b12ad04413d62ea226078a785ee9727918e5c444f2.json
    Finished: success: 2, skipped: 0, failure: 0, total: 2
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
    1/1:    https://codeload.github.com/drupal/core/legacy.zip/77971de6d6ade7366cdd3fadfc16c5d02e531446
    Finished: success: 1, skipped: 0, failure: 0, total: 1
Package operations: 57 installs, 0 updates, 0 removals
  - Installing pear/pear_exception (v1.0.1): Loading from cache
  - Installing pear/console_getopt (v1.4.3): Loading from cache
  - Installing pear/pear-core-minimal (v1.10.10): Loading from cache
  - Installing pear/archive_tar (1.4.9): Loading from cache
  - Installing psr/log (1.1.3): Loading from cache
  - Installing symfony/polyfill-ctype (v1.17.0): Loading from cache
  - Installing symfony/polyfill-mbstring (v1.17.0): Loading from cache
  - Installing symfony/polyfill-php72 (v1.17.0): Loading from cache
  - Installing symfony/polyfill-intl-idn (v1.17.0): Loading from cache
  - Installing symfony/debug (v4.4.8): Loading from cache
  - Installing psr/container (1.0.0): Loading from cache
  - Installing symfony/polyfill-util (v1.17.0): Loading from cache
  - Installing symfony/polyfill-php56 (v1.17.0): Loading from cache
  - Installing paragonie/random_compat (v9.99.99): Loading from cache
  - Installing symfony/polyfill-php70 (v1.17.0): Loading from cache
  - Installing symfony/http-foundation (v3.4.40): Loading from cache
  - Installing symfony/event-dispatcher (v3.4.40): Loading from cache
  - Installing symfony/http-kernel (v3.4.40): Loading from cache
  - Installing asm89/stack-cors (1.3.0): Loading from cache
  - Installing composer/semver (1.5.1): Loading from cache
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing zendframework/zend-diactoros (1.8.7): Loading from cache
  - Installing symfony/psr-http-message-bridge (v1.2.0): Loading from cache
  - Installing masterminds/html5 (2.7.0): Loading from cache
  - Installing doctrine/lexer (1.2.0): Loading from cache
  - Installing egulias/email-validator (2.1.17): Loading from cache
  - Installing stack/builder (v1.0.6): Loading from cache
  - Installing zendframework/zend-stdlib (3.2.1): Loading from cache
  - Installing zendframework/zend-escaper (2.6.1): Loading from cache
  - Installing zendframework/zend-feed (2.12.0): Loading from cache
  - Installing easyrdf/easyrdf (0.9.1): Loading from cache
  - Installing symfony/routing (v3.4.40): Loading from cache
  - Installing symfony-cmf/routing (1.4.1): Loading from cache
  - Installing ralouphie/getallheaders (3.0.3): Loading from cache
  - Installing guzzlehttp/psr7 (1.6.1): Loading from cache
  - Installing guzzlehttp/promises (v1.3.1): Loading from cache
  - Installing guzzlehttp/guzzle (6.5.3): Loading from cache
  - Installing doctrine/annotations (1.10.2): Loading from cache
  - Installing doctrine/reflection (1.2.1): Loading from cache
  - Installing doctrine/event-manager (1.1.0): Loading from cache
  - Installing doctrine/collections (1.6.4): Loading from cache
  - Installing doctrine/cache (1.10.0): Loading from cache
  - Installing doctrine/persistence (1.3.7): Loading from cache
  - Installing doctrine/inflector (1.4.1): Loading from cache
  - Installing doctrine/common (2.13.0): Loading from cache
  - Installing twig/twig (v1.42.5): Loading from cache
  - Installing typo3/phar-stream-wrapper (v3.1.4): Loading from cache
  - Installing symfony/yaml (v3.4.40): Loading from cache
  - Installing symfony/polyfill-iconv (v1.17.0): Loading from cache
  - Installing symfony/process (v3.4.40): Loading from cache
  - Installing symfony/translation (v3.4.40): Loading from cache
  - Installing symfony/validator (v3.4.40): Loading from cache
  - Installing symfony/serializer (v3.4.40): Loading from cache
  - Installing symfony/dependency-injection (v3.4.40): Loading from cache
  - Installing symfony/console (v3.4.40): Loading from cache
  - Installing symfony/class-loader (v3.4.40): Loading from cache
  - Installing drupal/core (8.8.3): Loading from cache
pear/archive_tar suggests installing ext-xz (Lzma2 compression support.)
paragonie/random_compat suggests installing ext-libsodium (Provides a modern crypto API that can be used to generate random bytes.)
symfony/http-kernel suggests installing symfony/browser-kit
symfony/http-kernel suggests installing symfony/config
symfony/http-kernel suggests installing symfony/finder
symfony/http-kernel suggests installing symfony/var-dumper
symfony/psr-http-message-bridge suggests installing nyholm/psr7 (For a super lightweight PSR-7/17 implementation)
zendframework/zend-feed suggests installing zendframework/zend-cache (Zend\Cache component, for optionally caching feeds between requests)
zendframework/zend-feed suggests installing zendframework/zend-db (Zend\Db component, for use with PubSubHubbub)
zendframework/zend-feed suggests installing zendframework/zend-http (Zend\Http for PubSubHubbub, and optionally for use with Zend\Feed\Reader)
zendframework/zend-feed suggests installing zendframework/zend-servicemanager (Zend\ServiceManager component, for easily extending ExtensionManager implementations)
zendframework/zend-feed suggests installing zendframework/zend-validator (Zend\Validator component, for validating email addresses used in Atom feeds and entries when using the Writer subcomponent)
easyrdf/easyrdf suggests installing ml/json-ld (~1.0)
symfony/routing suggests installing symfony/config (For using the all-in-one router or any loader)
symfony/routing suggests installing symfony/expression-language (For using expression matching)
guzzlehttp/psr7 suggests installing zendframework/zend-httphandlerrunner (Emit PSR-7 responses)
doctrine/cache suggests installing alcaeus/mongo-php-adapter (Required to use legacy MongoDB driver)
symfony/translation suggests installing symfony/config
symfony/validator suggests installing psr/cache-implementation (For using the metadata cache.)
symfony/validator suggests installing symfony/intl
symfony/validator suggests installing symfony/config
symfony/validator suggests installing symfony/property-access (For accessing properties within comparison constraints)
symfony/validator suggests installing symfony/expression-language (For using the Expression validator)
symfony/serializer suggests installing psr/cache-implementation (For using the metadata cache.)
symfony/serializer suggests installing symfony/property-info (To deserialize relations.)
symfony/serializer suggests installing symfony/config (For using the XML mapping loader.)
symfony/serializer suggests installing symfony/property-access (For using the ObjectNormalizer.)
symfony/dependency-injection suggests installing symfony/config
symfony/dependency-injection suggests installing symfony/finder (For using double-star glob patterns or when GLOB_BRACE portability is required)
symfony/dependency-injection suggests installing symfony/expression-language (For using expressions in service container configuration)
symfony/dependency-injection suggests installing symfony/proxy-manager-bridge (Generate service proxies to lazy load them)
symfony/console suggests installing symfony/lock
symfony/class-loader suggests installing symfony/polyfill-apcu (For using ApcClassLoader on HHVM)
Package zendframework/zend-diactoros is abandoned, you should avoid using it. Use laminas/laminas-diactoros instead.
Package zendframework/zend-stdlib is abandoned, you should avoid using it. Use laminas/laminas-stdlib instead.
Package zendframework/zend-escaper is abandoned, you should avoid using it. Use laminas/laminas-escaper instead.
Package zendframework/zend-feed is abandoned, you should avoid using it. Use laminas/laminas-feed instead.
Writing lock file
Generating autoload files
24 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

The conflict line in composer.lock currently is:

                "drupal/core": "<8.0.0-beta2,<8.0.4,<8.1.3,<8.1.7,<8.1.10,<8.2.3,<8.2.7,<8.2.8,<8.3.1,<8.3.4,<8.3.7,<8.3.9,<8.4.6,<8.4.7,<8.4.8,<8.5.1,<8.5.2,<8.5.3,<8.5.6,<8.5.8,<8.5.9,<8.5.11,<8.5.14,<8.5.15,<8.6.2,<8.6.6,<8.6.10,<8.6.13,<8.6.15,<8.6.16,<8.7.0-rc1,<8.7.1,<8.7.5,<8.7.11,<8.7.12,<8.7.14,<8.8.1,<8.8.4,<8.8.6",

It looks like the problem occurs as soon as there is a constraint that is less than the selected version.

  "conflict": {
    "drupal/core": "<8.8.3,<8.8.4,<8.8.6"
  },

Allows 8.8.3, while:

  "conflict": {
    "drupal/core": "<8.8.4,<8.8.6"
  },

does not.

Luckily drush pm:security does pick up the SA, so I imagine most Drupal users are not unknowingly running insecure versions.

I think the problem is the use of a straight AND in conflict, as noted in the Composer docs. I get the correct behaviour with:

"drupal/core": "<8.7.14 || >8.8.0 <8.8.6"

which allows 8.7.14 and 8.8.6, but nothing else.
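A small evaluator of Composer's conflict-constraint semantics, added here as an illustration (it is not code from this repository or from composer/semver, whose behaviour it re-implements in simplified form: comparison operators, comma/space as AND and "||" or "|" as OR only). It shows why the comma-joined line admits 8.8.3 while the "||" rewrite above and the Roave rule vstanchev quotes in the next comment both refuse it.

```python
import re

# Stability ordering Composer applies: dev < alpha < beta < RC < stable.
_STABILITY = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "": 4}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "!=": lambda a, b: a != b, "==": lambda a, b: a == b, "": lambda a, b: a == b,
}

def version_key(version: str) -> tuple:
    """Normalize '8', '8.8.3', '8.0.0-beta2', '8.7.0-rc1' into a sortable tuple."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})(?:-?(dev|alpha|a|beta|b|rc)(\d*))?", version.lower())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # Composer pads versions to four components
    return (tuple(nums), _STABILITY[m.group(2) or ""], int(m.group(3) or 0))

def _single(constraint: str, version: str) -> bool:
    op, target = re.fullmatch(r"(<=|>=|!=|==|<|>|)(\S+)", constraint).groups()
    return _OPS[op](version_key(version), version_key(target))

def matches(constraint: str, version: str) -> bool:
    """True if `version` satisfies `constraint`, i.e. the conflict rule would fire.

    '||' (or '|') separates alternatives (OR); inside an alternative, commas or
    whitespace join constraints with AND, so '<8.8.3,<8.8.4,<8.8.6' == '<8.8.3'.
    """
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        alternative = re.sub(r"([<>=!]+)\s+", r"\1", alternative)  # '>= 8' -> '>=8'
        parts = [p for p in re.split(r"[,\s]+", alternative) if p]
        if parts and all(_single(p, version) for p in parts):
            return True
    return False

def blocked(constraint: str, versions) -> list:
    """Subset of `versions` that the conflict rule would refuse to install."""
    return [v for v in versions if matches(constraint, v)]

# Rules quoted in this issue: the comma-joined line, the '||' rewrite, and Roave's rule.
BUGGY = "<8.8.3,<8.8.4,<8.8.6"
PROPOSED = "<8.7.14 || >8.8.0 <8.8.6"
ROAVE = ">=7,<7.70|>=8,<8.7.14|>=8.8,<8.8.6"

if __name__ == "__main__":
    candidates = ["8.7.13", "8.7.14", "8.8.0", "8.8.3", "8.8.5", "8.8.6"]
    for name, rule in [("buggy", BUGGY), ("proposed", PROPOSED), ("roave", ROAVE)]:
        print(f"{name:9s} blocks {blocked(rule, candidates)}")
```

Run it directly to print which candidate versions each rule blocks; because version_key ranks pre-releases below the stable release, the lock file's <8.0.0-beta2 and <8.7.0-rc1 terms parse as well. Note that >8.8.0 in the proposed rule leaves 8.8.0 itself unmatched, whereas Roave's >=8.8 lower bound catches it.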

vstanchev commented 4 years ago

I'm experiencing the same issue with Drupal core 8.8.5. I only got a conflict when I installed https://github.com/Roave/SecurityAdvisories where the rule is

"drupal/core": ">=7,<7.70|>=8,<8.7.14|>=8.8,<8.8.6",

gapple commented 4 years ago

I think this is because drush pm:security is using the v2 branch (see #11)

There's one open PR fixing a bug for 7.x core restraints on the v2 branch (#19), but otherwise I'm not sure what's holding up merging v2 to the main branch?