magento / composer-root-update-plugin

Open Software License 3.0

Fix composer requirement #25

Closed: sippsolutions closed 3 years ago

sippsolutions commented 3 years ago

Composer version 1.10.20 (as defined in dependency) has a security vulnerability.

composer/composer (1.10.20)

This also fixes #23 (#24).

sippsolutions commented 3 years ago

@pdohogne-magento please review asap :)

cmuench commented 3 years ago

#24 should also be fine with this PR.

igorwulff commented 3 years ago

This issue is now blocking certain processes for us. So I hope this can get reviewed asap.

Just wondering why patch versions were even restricted. That's very concerning since it now blocks us from doing security updates. This PR seems to at least resolve that. :-)

cmuench commented 3 years ago

@pdohogne-magento How can we speed up the process here? It's currently blocking several build pipelines in customer projects. It's very common that security scans are done in CI pipelines or in git commit hooks. In our case we had to disable security checks due to this issue here.