itr6
commented
2 years ago Im getting the same error
Closed GaneshKandu closed 2 years ago
itr6
commented
2 years ago Im getting the same error
snipe
commented
2 years ago @joelpittet - possible your PR here is involved? #10895
uberbrady
commented
2 years ago I wonder if it wants us to set the version in Snipe-IT's own composer file? Then it won't yell at us because Snipe-IT is the "wrong version"?
snipe
commented
2 years ago I don't think so - I think the issue is here:
We've never had to set a version anywhere with that library before - but also those versions are old and inaccurate.
I've pulled the library for right now, so people can still install from master at least.
joelpittet
commented
2 years ago @snipe thanks for looping me in on this. It looks like it might be caught in the <= 6.0.0-RC-5 I'll see if I can't fix that in a PR over at roave.
"snipe/snipe-it": "<= 6.0.0-RC-5|<5.3.11",
should become
"snipe/snipe-it": "<5.3.11|>=6,<=6.0.0-RC-5",
joelpittet
commented
2 years ago This tool is invaluable! https://semver.madewithlove.com/?package=snipe%2Fsnipe-it&constraint=%3C5.3.11|%3C%3D6.0.0-RC-5&stability=stable
PR submitted over there, 🤞, it looks like some automated tool did mistake 8 days ago when it generated the constraints. I hope this doesn't open too much of a 🐰🕳
joelpittet
commented
2 years ago Also, sorry for the trouble, I should have kept my scope the same and small on that PR that originally caused this.
joelpittet
commented
2 years ago @uberbrady Can you edit https://github.com/advisories/GHSA-636j-7x7r-gvw2 to change the constraints there? Also congrats on your first CVE 🎉
joelpittet
commented
2 years ago Oh apparently I can! https://github.com/github/advisory-database/pull/198
snipe
commented
2 years ago Thanks for jumping on this, @joelpittet! <3
Is this something we'll have to PR against every time we release? We never used to have to do that. It's okay if we need to moving forward, but I'll have to find a way to automate it, since I'll 100% forget.
joelpittet
commented
2 years ago @snipe they merged the PR! I think @uberbrady would have created that original advisory (directly or indirectly)? If so he'd just need to add the 5.x fixed version in there as well. I fixed it by not making a PR directly (it was generated) but by clicking this little link in the bottom right of the existing advisory message. Try clicking it to see what I mean...
https://github.com/advisories/GHSA-636j-7x7r-gvw2
joelpittet
commented
2 years ago @snipe to ease your concerns it should be set and forget, the only time you need to do anything (akak "make new releases with fixes") is when a CVE targets a release greater than the above constraints. Because it was originally only saying fixes were in <=6.0.0-RC-5 it was inadvertently saying all of 5.x is vulnerable as well.
The 🤖 bots have updated roave/security-advisories now too (4 hours ago)! https://github.com/Roave/SecurityAdvisories/blob/370b357e26aeed8d2b450026954eda969b2db0dc/composer.json#L317
GitHub
:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily - SecurityAdvisories/composer.json at 370b357e26aeed8d2b450026954eda969b2db0dc · Roave/SecurityAdvisories
GaneshKandu
commented
2 years ago I am still getting this issue in snipe-it 5.4.3
joelpittet
commented
2 years ago I am still getting this issue in snipe-it 5.4.3
@GaneshKandu can you post the error output so I can try to reproduce the error?
GaneshKandu
commented
2 years ago Problem 1
- snipe/snipe-it is present at version 1.0.0+no-version-set and cannot be modified by Composer
- roave/security-advisories dev-latest conflicts with snipe/snipe-it <5.3.11.
- roave/security-advisories is locked to version dev-latest and an update of this package was not requested.
@GaneshKandu ah yeah because that packaged version has an old version of roave/security-advisories. Two ways to fix this:
composer update roave/security-advisories before running composer install, maybe something to add to the release notes @snipe ?roave/security-advisoriesGaneshKandu
commented
2 years ago 1.
composer install --no-dev --prefer-source
This command taking lot of time to download. mentioned here https://snipe-it.readme.io/docs/install-dependencies
downloads about 1+gb of files
2.
composer install --no-dev and
composer update roave/security-advisories before running composer install, maybe something to add to the release notes @snipe ?
downloads the same package and its working
composer install
give this error
Problem 1
- snipe/snipe-it is present at version 1.0.0+no-version-set and cannot be modified by Composer
- roave/security-advisories dev-latest conflicts with snipe/snipe-it <5.3.11.
- roave/security-advisories is locked to version dev-latest and an update of this package was not requested.Snipe-IT DocumentationComposer is a package manager for PHP that allows us to manage the dependencies for the various vendor packages we utilize in Snipe-IT. Vendor packages are PHP libraries that someone else wrote, and that we use in Snipe-IT to help make it awesome. These are not the same thing as the system requireme...
snipe
commented
2 years ago This version is pretty old, so I don't think we'd be making any movements on fixing this at this time.
Debug mode
Describe the bug
I am getting issue while install of snipe-it 5.4.2 using composer. Package downloaded from github https://github.com/snipe/snipe-it/archive/refs/tags/v5.4.2.zip
This also not updated on 5.4.2 https://packagist.org/packages/snipe/snipe-it
Reproduction steps
Download dependencies using composer.
https://snipe-it.readme.io/v5.2.0/docs/install-dependencies#i-classfa-fa-linuxi-linux--osx
Expected behavior
successful installation of dependencies.
Screenshots
No response
Snipe-IT Version
5.4.2
Operating System
Linux CentOS 7
Web Server
Apache
PHP Version
PHP 7.4.25
Operating System
Windows
Browser
Firefox
Version
99.0 (64-bit)
Device
No response
Operating System
No response
Browser
No response
Version
No response
Error messages