magento / magento2

Open Software License 3.0

Magento <2.4.6 (2.4.4 & 2.4.5) forces us to use an unsupported version of Symfony. #39338

Open youwe-erik opened 3 hours ago

youwe-erik commented 3 hours ago

Summary:

Magento 2.4.4 and 2.4.5 require: "symfony/console": "~4.4.0", "symfony/event-dispatcher": "~4.4.0", "symfony/process": "~4.4.0",

These versions of Symfony (v4) have not received and will not receive security updates, and have been out of support for about a year now (source: https://symfony.com/releases - "End of support: Nov 2023").

A critical issue has been reported for the "symfony/process" package (CVE-2024-51736) and we currently cannot get around this except by using ugly workarounds.

Preconditions (*)

Magento 2.4.4-p and Magento 2.4.5-p

Steps to reproduce (*)

Install any Magento 2.4.4 or 2.4.5 project and try to update the Symfony packages to a supported version.

Expected result (*)

Magento does not require unsupported packages.

Actual result (*)

Magento is forcing us to install unsupported v4 versions of Symfony.

m2-assistant[bot] commented 3 hours ago

Hi @youwe-erik. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.

youwe-erik commented 3 hours ago

FYI: One of the ugly workarounds basically is: `composer require symfony/process:"5.4.46 as 4.4.44"`. Of course it's hard to say what effect this will have exactly.

hostep commented 2 hours ago

Note that it's not as critical as it sounds, since the vulnerability only exists on Windows-based systems. Magento is officially not supported to run on Windows...

But would still be nice indeed to be able to update to supported versions of symfony package(s).

On Magento 2.4.6-pX the issue also exists, because in 2.4.6-p2 the constraint "symfony/process": "<=v5.4.23" got added for some reason, which also prevents us from going to the latest version.

leonhelmus commented 2 hours ago

@hostep you mean in the composer root right? We resolved that by increasing the package from "symfony/process": "<=v5.4.23" to "symfony/process": "<=v5.4.46" or "symfony/process": "<v5.5"
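Both workarounds above (the inline alias and the relaxed root constraint) end up as a locked version in composer.lock, so a quick way to see where a project actually stands is to audit the lock file against a version floor. The script below is an added example, not code from this thread or from Magento; the lock excerpt is constructed, and the floor versions in `MINIMUMS` are assumptions for illustration (5.4.46 for symfony/process follows the workaround quoted above, the others simply mark "off the unsupported 4.4 branch"), not an authoritative advisory.

```python
"""Audit a composer.lock for packages locked below a chosen minimum version."""
import json
import re

# Constructed composer.lock excerpt for this example (not a real project's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/process", "version": "v4.4.44"},
        {"name": "symfony/console", "version": "v4.4.49"},
        {"name": "symfony/event-dispatcher", "version": "v5.4.45"},
        {"name": "magento/framework", "version": "103.0.5-p1"},
    ],
    "packages-dev": [],
})

# Assumed version floors (hypothetical values for illustration).
# 5.4.46 for symfony/process mirrors the alias workaround from the thread;
# the 5.4.0 floors just mean "not on the unsupported 4.4 branch any more".
MINIMUMS = {
    "symfony/process": "5.4.46",
    "symfony/console": "5.4.0",
    "symfony/event-dispatcher": "5.4.0",
}


def parse_version(version):
    """Turn 'v5.4.23', '5.4.46' or '103.0.5-p1' into a comparable (major, minor, patch) tuple.

    A leading 'v' is dropped and non-numeric suffixes such as '-p1' are ignored,
    so constraint-style values like '<=v5.4.23' compare correctly once the operator
    is stripped by the caller.
    """
    version = version.lstrip("vV")
    numbers = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        numbers.append(int(match.group()))
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers[:3])


def audit(lock_json, minimums):
    """Return {package: (locked_version, minimum)} for every locked package below its floor.

    Both the "packages" and "packages-dev" sections are checked; the locked version is
    the real resolved version, so an inline alias ("5.4.46 as 4.4.44") shows up as 5.4.46
    here and passes, while a genuine 4.4.x lock is reported.
    """
    lock = json.loads(lock_json)
    findings = {}
    for section in ("packages", "packages-dev"):
        for package in lock.get(section, []):
            name = package.get("name")
            if name not in minimums:
                continue
            locked = package.get("version", "0")
            if parse_version(locked) < parse_version(minimums[name]):
                findings[name] = (locked, minimums[name])
    return findings


if __name__ == "__main__":
    for name, (locked, minimum) in sorted(audit(SAMPLE_LOCK, MINIMUMS).items()):
        print(f"{name}: locked at {locked}, below minimum {minimum}")
```

Point the script at a real file with `audit(open("composer.lock").read(), MINIMUMS)`; it reports the resolved versions, so it also tells you whether a relaxed root constraint actually produced a newer lock or only changed what Composer is allowed to pick.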

hostep commented 2 hours ago

Yeah I know, but I don't want to do that before I know the reason why Adobe decided to add that constraint in the first place.

leonhelmus commented 1 hour ago

@hostep You are right, but this was to at least tell others who have the issue how to resolve it for now. It seems to be added specifically for magento/magento2-functional-testing-framework as well in 4.4.0 / .

I'm also wondering, since I got a dependency conflict, if I can safely upgrade magento to the latest version: magento/magento2-functional-testing-framework, to resolve the issues.