paratestphp / paratest

:computer: Parallel testing for PHPUnit
MIT License

Not installable due to CVE in symfony/process #903

Closed gndk closed 1 week ago

gndk commented 1 week ago

Fixed by #902 Fixed by #904

Your requirements could not be resolved to an installable set of packages.
  Problem 1
    - brianium/paratest is locked to version v7.4.8 and an update of this package was not requested.
    - Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].
    - brianium/paratest v7.4.8 requires symfony/process ^6.4.7 || ^7.1.5 -> satisfiable by symfony/process[v7.1.6].
    - roave/security-advisories dev-latest conflicts with symfony/process <5.4.46|>=6,<6.4.14|>=7,<7.1.7.

Slamdunk commented 1 week ago

I don't understand how this is blocking: caret version pins are open by design for this very purpose.

Your PRs are very welcome, but this bug is invalid.

gndk commented 1 week ago

> I don't understand how this is blocking: caret version pins are open by design for this very purpose.
>
> Your PRs are very welcome, but this bug is invalid.

I went back to check why exactly it was blocking. The issue was that my composer.lock still had symfony/process 7.1.6 in it (not a direct dependency in my project), because I have hourly dependency updates with Renovate (which alerted me to this), but only nightly "lockfile maintenance". So simply updating the lockfile fixed it.
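
The stale-lockfile situation described in the last comment can be checked mechanically. The following is an added example, not part of the thread or of paratest's code: it evaluates the conflict rule from the Composer output against a constructed `composer.lock` fragment. The function names and sample lock data are assumptions, and only plain numeric versions are handled.

```python
import json
import re

# Conflict rule copied from the Composer output quoted in the issue.
CONFLICT = "<5.4.46|>=6,<6.4.14|>=7,<7.1.7"

# Constructed composer.lock fragment: only the fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [],
    "packages-dev": [
        {"name": "brianium/paratest", "version": "v7.4.8"},
        {"name": "symfony/process", "version": "v7.1.6"},
    ],
})

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}

def parse_version(text):
    """'v7.1.6' -> (7, 1, 6); short bounds such as '6' become (6, 0, 0)."""
    parts = [int(p) for p in text.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def matches(version, constraint):
    """True if version falls inside the constraint ('|' is OR, ',' is AND)."""
    v = parse_version(version)
    for alternative in constraint.split("|"):
        ok = True
        for clause in alternative.split(","):
            op, bound = re.fullmatch(r"(<=|>=|<|>)(.+)", clause.strip()).groups()
            ok = ok and OPS[op](v, parse_version(bound))
        if ok:
            return True
    return False

def blocked_versions(lock_json, name, constraint):
    """Locked versions of `name` that the conflict rule rejects."""
    lock = json.loads(lock_json)
    locked = lock.get("packages", []) + lock.get("packages-dev", [])
    return [p["version"] for p in locked
            if p["name"] == name and matches(p["version"], constraint)]

if __name__ == "__main__":
    print(blocked_versions(SAMPLE_LOCK, "symfony/process", CONFLICT))
```

A version such as 7.1.7 satisfies paratest's `^6.4.7 || ^7.1.5` requirement and falls outside the conflict rule, which is why refreshing the lockfile is enough to resolve the error.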