albe closed this 3 years ago
For the record:
the signature changes are in Fluid 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.511, 2.6.10
For the record. This is mentioned in the corresponding security advisory: https://typo3.org/security/advisory/typo3-core-sa-2020-009
Flow 4.3 to 5.2 are adjusted with https://github.com/neos/flow-development-collection/pull/2298 now (next release pending)
Idea/Question: Would it maybe make sense to "freeze" dependencies with a composer.lock for EOL versions? Would that prevent old versions getting broken by dependencies effectively, or just make installing those versions harder (because strict dependency versions)?
Hm. I think that won't work that easily, because the lock file is about to change whenever you actually do something with the project.
And someone using an EOL version (just like anybody else), should test updates and can easily undo updates, pin specific packages as needed, …
Guess this can be closed
See https://github.com/neos/flow-development-collection/pull/2257 - fixing this would be a breaking change though, because we need to adjust the signature of an @api method. Alternatively, we disallow installing those versions - but that is shutting down our users from any further security fixes (like the one causing this breaking change).