drupal-composer / drupal-security-advisories


9.x and 8.x-v2 branch missing from Packagist #47

Open matthandus opened 3 weeks ago

matthandus commented 3 weeks ago

We just noticed that Packagist is no longer listing the 9.x and 8.x-v2 branches. There was a recent commit that changed the composer.json file in those branches. Is there something causing those branches to no longer validate with Packagist?

Here's the last commit: https://github.com/drupal-composer/drupal-security-advisories/commit/bf307e03144de838195ad716c2782ef241cf24dc

Here's the packagist page: https://packagist.org/packages/drupal-composer/drupal-security-advisories

Is there an issue with this constraint? "drupal/rest_views": "3.0.0|3.0.0-alpha1|3.0.0-rc1|>=3.0,<3.0.1",

Or, are we just waiting for Packagist to catch up to the changes?

Thank you for the support!

Screenshot of missing packages on Packagist:

matthandus commented 3 weeks ago

@webflo Are you able to confirm this issue? Thank you!

greggles commented 3 weeks ago

I don't know how the internals of this project work, but I want to mention that for drupal/rest_views the 1.x and 2.x branches are also vulnerable and do not have a fix. I'm not sure if the notation added here fully captures that.

naderman commented 3 weeks ago

The package is currently not updateable on packagist.org as it reports validation issues with the composer.json of this package on the 8.x and 9.x branches:

Importing branch 8.x-v2 (dev-8.x-v2)
Skipped branch 8.x-v2, Invalid package information: 
conflict.drupal/die_in_twig : this version constraint cannot possibly match anything (>=2,<2.0)
conflict.drupal/forum_access : this version constraint cannot possibly match anything (>=1,<1.0)
conflict.drupal/readonlymode : this version constraint cannot possibly match anything (>=1,<1.0)

Reading composer.json of https://github.com/drupal-composer/drupal-security-advisories (9.x)
Importing branch 9.x (9.x-dev)
Skipped branch 9.x, Invalid package information: 
conflict.drupal/die_in_twig : this version constraint cannot possibly match anything (>=2,<2.0)
conflict.drupal/forum_access : this version constraint cannot possibly match anything (>=1,<1.0)
conflict.drupal/readonlymode : this version constraint cannot possibly match anything (>=1,<1.0)
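All three rejected entries above have the shape `>=N,<N.0`, which is empty once Composer pads both sides to four components (`2` and `2.0` both normalize to `2.0.0.0`), so the range has no room for any version. As an added example, not code from this repository or thread, here is a small Python check that flags such entries in a `conflict` map before a commit reaches Packagist; the manifest is a constructed fragment reproducing the constraints quoted in this issue, and the normalizer ignores stability suffixes such as `-alpha1` (a simplification of Composer's real parser).

```python
import json
import re

# Constructed composer.json fragment with the constraint shapes seen in this
# thread; it is not the repository's actual file.
SAMPLE = json.loads("""{
  "conflict": {
    "drupal/rest_views": "3.0.0|3.0.0-alpha1|3.0.0-rc1|>=3.0,<3.0.1",
    "drupal/die_in_twig": ">=2,<2.0",
    "drupal/forum_access": ">=1,<1.0",
    "drupal/readonlymode": ">=1,<1.0"
  }
}""")

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+){0,3})(?:[-+].*)?$")


def normalize(version: str) -> tuple:
    """Pad to Composer's 4-part form: '2' and '2.0' both become (2, 0, 0, 0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def range_is_empty(alternative: str) -> bool:
    """True when an AND-joined set of >=, >, <, <= or exact bounds matches nothing."""
    lower, upper = None, None  # each is (version tuple, inclusive?)
    for bound in re.split(r"\s*,\s*|\s+", alternative.strip()):
        m = re.match(r"^(>=|<=|>|<|==?)?\s*(.+)$", bound)
        op, ver = m.group(1) or "==", normalize(m.group(2))
        if op in (">=", ">"):
            lower = (ver, op == ">=") if lower is None or ver > lower[0] else lower
        elif op in ("<=", "<"):
            upper = (ver, op == "<=") if upper is None or ver < upper[0] else upper
        else:  # an exact version pins both ends of the range
            lower, upper = (ver, True), (ver, True)
    if lower is None or upper is None or lower[0] < upper[0]:
        return False
    # Equal bounds only match when both ends are inclusive; reversed bounds never match.
    return not (lower[0] == upper[0] and lower[1] and upper[1])


def impossible_conflicts(manifest: dict) -> dict:
    """Return {package: constraint} for conflict entries where every '|' alternative is empty."""
    bad = {}
    for package, constraint in manifest.get("conflict", {}).items():
        if all(range_is_empty(alt) for alt in re.split(r"\s*\|\|?\s*", constraint)):
            bad[package] = constraint
    return bad
```

Running `impossible_conflicts(SAMPLE)` reports `drupal/die_in_twig`, `drupal/forum_access` and `drupal/readonlymode` and passes `drupal/rest_views`, matching the Packagist log above; the intended `>=2,<2.0` style entries would need an upper bound such as `<2.0.1` to match anything.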

webflo commented 3 weeks ago

Hi everyone,

I haven't maintained the package that well lately because drush has been reading the composer.json directly from the repo, without going through Packagist.

Also the command ‘pm:security’ in drush was replaced by ‘composer audit’.

https://github.com/drush-ops/drush/commit/cb2610d5aa007b80bae4126b4cfb5454cd14dfe3 https://www.drupal.org/project/project_composer/issues/3301876

The compatibility with composer audit has been provided by the DA. Not sure if this project is needed anymore ...

greggles commented 3 weeks ago

@webflo maybe it would make sense to add an announcement about that fact to the README.md? Or make the repo say it when installed sites try to use it?

matthew-IS commented 2 weeks ago

Is there a solution to this?

greggles commented 2 weeks ago

If I understand @webflo's comment the answer is:

webflo commented 1 week ago

I have marked it as abandoned on Packagist and updated the README. I'll leave the issue open in case there are any further questions.