Closed GaneshKandu closed 2 years ago
I'm getting the same error
@joelpittet - possible your PR here is involved? #10895
I wonder if it wants us to set the version in Snipe-IT's own composer file? Then it won't yell at us because Snipe-IT is the "wrong version"?
I don't think so - I think the issue is here:
We've never had to set a version anywhere with that library before - but also those versions are old and inaccurate.
I've pulled the library for right now, so people can still install from master at least.
@snipe thanks for looping me in on this. It looks like it might be caught in the <= 6.0.0-RC-5
I'll see if I can't fix that in a PR over at roave.
"snipe/snipe-it": "<= 6.0.0-RC-5|<5.3.11",
should become
"snipe/snipe-it": "<5.3.11|>=6,<=6.0.0-RC-5",
This tool is invaluable! https://semver.madewithlove.com/?package=snipe%2Fsnipe-it&constraint=%3C5.3.11|%3C%3D6.0.0-RC-5&stability=stable
PR submitted over there, 🤞, it looks like some automated tool made a mistake 8 days ago when it generated the constraints. I hope this doesn't open too much of a 🐰🕳
Also, sorry for the trouble, I should have kept my scope the same and small on that PR that originally caused this.
@uberbrady Can you edit https://github.com/advisories/GHSA-636j-7x7r-gvw2 to change the constraints there? Also congrats on your first CVE 🎉
Oh apparently I can! https://github.com/github/advisory-database/pull/198
Thanks for jumping on this, @joelpittet! <3
Is this something we'll have to PR against every time we release? We never used to have to do that. It's okay if we need to moving forward, but I'll have to find a way to automate it, since I'll 100% forget.
@snipe they merged the PR! I think @uberbrady would have created that original advisory (directly or indirectly)? If so he'd just need to add the 5.x fixed version in there as well. I fixed it by not making a PR directly (it was generated) but by clicking this little link in the bottom right of the existing advisory message. Try clicking it to see what I mean...
@snipe to ease your concerns, it should be set and forget; the only time you need to do anything (aka "make new releases with fixes") is when a CVE targets a release greater than the above constraints. Because it was originally only saying fixes were in <=6.0.0-RC-5, it was inadvertently saying all of 5.x is vulnerable as well.
The 🤖 bots have updated roave/security-advisories now too (4 hours ago)! https://github.com/Roave/SecurityAdvisories/blob/370b357e26aeed8d2b450026954eda969b2db0dc/composer.json#L317
I am still getting this issue in snipe-it 5.4.3
@GaneshKandu can you post the error output so I can try to reproduce the error?
Problem 1
- snipe/snipe-it is present at version 1.0.0+no-version-set and cannot be modified by Composer
- roave/security-advisories dev-latest conflicts with snipe/snipe-it <5.3.11.
- roave/security-advisories is locked to version dev-latest and an update of this package was not requested.
@GaneshKandu ah yeah, because that packaged version has an old version of roave/security-advisories. Two ways to fix this:
composer update roave/security-advisories before running composer install, maybe something to add to the release notes @snipe?
1. composer install --no-dev --prefer-source
This command takes a lot of time to download, as mentioned here https://snipe-it.readme.io/docs/install-dependencies (downloads about 1+ GB of files).
2. composer install --no-dev
and
composer update roave/security-advisories before running composer install, maybe something to add to the release notes @snipe ?
downloads the same package and it's working.
composer install
gives this error:
Problem 1
- snipe/snipe-it is present at version 1.0.0+no-version-set and cannot be modified by Composer
- roave/security-advisories dev-latest conflicts with snipe/snipe-it <5.3.11.
- roave/security-advisories is locked to version dev-latest and an update of this package was not requested.
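To make the constraint bug discussed above concrete (why "<= 6.0.0-RC-5|<5.3.11" flagged every 5.x release, and why a root package with no version still trips the corrected constraint), here is an added example that is not from this thread, from Snipe-IT or from Roave. It uses Composer\Semver\Semver, the library Composer itself evaluates constraints with, and assumes composer/semver has been installed in the working directory with `composer require composer/semver`. The version 6.0.0-RC-6 is a hypothetical later RC, not a real release.

```php
<?php
// Added example, not code from the Snipe-IT thread or from Roave/SecurityAdvisories.
// Assumes: `composer require composer/semver` has been run in this directory.
require __DIR__ . '/vendor/autoload.php';

use Composer\Semver\Semver;

// The conflict constraint as generated by the bot (quoted in the thread)
// and the corrected one from the PR. "|" is OR, "," is AND in Composer syntax.
const OLD_CONFLICT = '<= 6.0.0-RC-5|<5.3.11';
const NEW_CONFLICT = '<5.3.11|>=6,<=6.0.0-RC-5';

// Versions to evaluate. The last one is the pseudo-version Composer assigns to a
// root package whose composer.json has no "version" field; it appears verbatim
// in the error output posted in this thread.
const VERSIONS = [
    '5.3.10',               // vulnerable 5.x release
    '5.3.11',               // first fixed 5.x release
    '5.4.3',                // fixed 5.x release mentioned in the thread
    '6.0.0-RC-5',           // last vulnerable 6.0 RC
    '6.0.0-RC-6',           // hypothetical later RC, assumed fixed (constructed)
    '1.0.0+no-version-set', // root package with no version field
];

// A version "conflicts" when it satisfies roave/security-advisories' conflict
// constraint, i.e. Composer will refuse to install both packages together.
function conflicts(string $version, string $constraint): bool
{
    return Semver::satisfies($version, $constraint);
}

// Returns a table: version => [old => bool, new => bool].
function evaluateAll(array $versions): array
{
    $result = [];
    foreach ($versions as $v) {
        $result[$v] = [
            'old' => conflicts($v, OLD_CONFLICT),
            'new' => conflicts($v, NEW_CONFLICT),
        ];
    }
    return $result;
}

printf("%-24s %-6s %-6s\n", 'version', 'old', 'new');
foreach (evaluateAll(VERSIONS) as $version => $r) {
    printf("%-24s %-6s %-6s\n", $version,
        $r['old'] ? 'FLAG' : 'ok',
        $r['new'] ? 'FLAG' : 'ok');
}
```

Two things the table makes visible. First, "<= 6.0.0-RC-5" on its own is satisfied by every 5.x version, fixed or not, because 5.4.3 is numerically below 6.0.0-RC5; the corrected form pins the upper branch with ">=6," so only the 6.0 release candidates up to RC-5 remain flagged. Second, "1.0.0+no-version-set" (Composer strips the build metadata and compares 1.0.0) satisfies "<5.3.11" under both constraints, which is why a checkout whose composer.json carries no version field can still report the conflict even after the advisory was corrected; pinning the root version, or updating roave/security-advisories as suggested above, are the two ways to work around that.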
This version is pretty old, so I don't think we'd be making any movements on fixing this at this time.
Debug mode
Describe the bug
I am getting an issue while installing snipe-it 5.4.2 using Composer. Package downloaded from GitHub: https://github.com/snipe/snipe-it/archive/refs/tags/v5.4.2.zip
This is also not updated to 5.4.2 on https://packagist.org/packages/snipe/snipe-it
Reproduction steps
Download dependencies using composer.
https://snipe-it.readme.io/v5.2.0/docs/install-dependencies#i-classfa-fa-linuxi-linux--osx
Expected behavior
Successful installation of dependencies.
Screenshots
No response
Snipe-IT Version
5.4.2
Operating System
Linux CentOS 7
Web Server
Apache
PHP Version
PHP 7.4.25
Operating System
Windows
Browser
Firefox
Version
99.0 (64-bit)
Device
No response
Operating System
No response
Browser
No response
Version
No response
Error messages