singpolyma / openpgp-php

OpenPGP.php is a pure-PHP implementation of the OpenPGP Message Format (RFC 4880).
http://singpolyma.github.io/openpgp-php/
The Unlicense

Avoid CVE-2021-30130. #112

Closed Maikuolan closed 2 years ago

Maikuolan commented 3 years ago

See: https://github.com/advisories/GHSA-vf4w-fg7r-5v94

allan-simon commented 2 years ago

@singpolyma is there something I can do to help merge this PR?

singpolyma commented 2 years ago

Maybe I don't understand how composer constraints work, but does this actually fix anything? Won't composer get the latest version anyway unless you tell it to do otherwise?

allan-simon commented 2 years ago

it's more a "this way you can't, even by mistake, install openpgp-php with insecure dependencies"

i.e.

day 1:
I install a lib that brings in phpseclib as a dependency with "*" as the requirement, and I get the insecure version (as it was the latest at that time)

day 200: I'm the "don't fix it if it ain't broken" kind of guy, and so I prefer to add a new library with the minimum of upgrades needed

-> without this, you will still stay with an insecure version -> with this, the user will have this lib upgraded

Rotzbua commented 2 years ago

Won't composer get the latest version anyway unless you tell it to do otherwise?

Yes, if just your lib has this dependency.

Other lib: 2.0.0 Your lib: ^2.0 !=2.0.8 => composer loads 2.0.0

Other lib: 2.0.0 Your lib: ^2.0.31 => composer shows error and does not load insecure 2.0.0
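To make the two resolutions in the comment above concrete, here is an added example, not code from openpgp-php, from Composer, or from any of the commenters. It models in Python how Composer intersects the constraints of two packages that both require phpseclib: an exclusion such as `!=2.0.8` never raises the floor of the range, so a pinned `2.0.0` elsewhere still wins, while `^2.0.31` makes the intersection empty and the install fails. Only exact, `^`, `!=` and `*` constraints for versions >= 1.0 are implemented (Composer's real solver handles far more), and the list of available releases is constructed for the example, not a real release history.

```python
"""Simplified model of Composer constraint intersection (added example).

Assumptions: constraints are a space-separated AND of simple terms, as in
Composer; versions are X.Y.Z with X >= 1, so '^X.Y.Z' means >= X.Y.Z and
< (X+1).0.0. The release list below is constructed sample data.
"""

# Constructed sample of release versions (not the real phpseclib history).
AVAILABLE = ["2.0.0", "2.0.8", "2.0.30", "2.0.31", "2.0.32", "3.0.0", "3.0.7"]


def parse(version):
    """'2.0.31' -> (2, 0, 31); short forms like '2.0' are padded with zeros."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))


def caret_range(base):
    """Lower and (exclusive) upper bound of a caret constraint for X >= 1."""
    lo = parse(base)
    hi = (lo[0] + 1, 0, 0)
    return lo, hi


def satisfies(version, constraint):
    """True if `version` meets every space-separated term of `constraint`.

    Supported terms: '*', exact 'X.Y.Z', '^X.Y.Z', '!=X.Y.Z'.
    """
    v = parse(version)
    for term in constraint.split():
        if term == "*":
            continue
        if term.startswith("^"):
            lo, hi = caret_range(term[1:])
            if not (lo <= v < hi):
                return False
        elif term.startswith("!="):
            if v == parse(term[2:]):
                return False
        else:  # exact version pin
            if v != parse(term):
                return False
    return True


def resolve(requirements, available=AVAILABLE):
    """Pick the highest release satisfying every package's constraint.

    `requirements` maps a requiring package name to its constraint string.
    Returns None when the intersection is empty (Composer reports a conflict).
    """
    candidates = [
        v for v in available
        if all(satisfies(v, c) for c in requirements.values())
    ]
    return max(candidates, key=parse) if candidates else None


if __name__ == "__main__":
    # Scenario 1 from the discussion: exclusion alone does not force an upgrade.
    print(resolve({"other-lib": "2.0.0", "openpgp-php": "^2.0 !=2.0.8"}))  # 2.0.0
    # Scenario 2: raising the floor to 2.0.31 makes the pin conflict.
    print(resolve({"other-lib": "2.0.0", "openpgp-php": "^2.0.31"}))  # None
    # With an unconstrained other-lib ('*'), both forms pick the newest 2.x.
    print(resolve({"other-lib": "*", "openpgp-php": "^2.0.31"}))  # 2.0.32
```

The point the model makes is the one argued in the thread: a constraint only protects downstream users if it excludes the whole insecure range, which `!=` on a single version does not, whereas a lower bound such as `^2.0.31` turns an accidental install of the old version into a hard error instead of a silent success.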

singpolyma commented 2 years ago

Alright. I don't love putting wrong metadata on, but I guess if it fixes bad practice, probably no one is using such an old version anyway, and if they need to continue for some reason they can change it back themselves easily.