Security advisories as a simple composer exclusion list, updated daily

Overview

Roave Security Advisories


This package ensures that your application doesn't have installed dependencies with known security vulnerabilities.

Installation

composer require --dev roave/security-advisories:dev-latest

Usage

This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and documented security issues. Simply add "roave/security-advisories": "dev-latest" to your composer.json "require-dev" section and you will not be able to harm yourself with software with known security vulnerabilities.

For example, try the following:

composer require --dev roave/security-advisories:dev-latest
# the following commands will fail:
composer require symfony/symfony:2.5.2
composer require zendframework/zendframework:2.3.1

The checks are only executed when adding a new dependency via composer require or when running composer update: deploying an application with a valid composer.lock via composer install won't trigger any security version check.

You can manually trigger a version check by running an update with the --dry-run switch, which resolves dependencies without changing anything. Running composer update --dry-run roave/security-advisories is an effective way to manually trigger a security version check. This manual check needs Composer 2: with Composer 1 a dry run did not flag dependencies that were already locked in composer.lock (see the issues below).

roave/security-advisories for enterprise

Available as part of the Tidelift Subscription.

The maintainers of roave/security-advisories and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.

You can also contact us at [email protected] for looking into security issues in your own project.

Stability

This package can only be required in its dev-latest version: there will never be stable/tagged versions because of the nature of the problem being targeted. Security issues are in fact a moving target, and locking your project to a specific tagged version of the package would not make any sense.

This package is therefore only suited for installation in the root of your deployable project.

Sources

This package extracts information about existing security issues in various composer projects from the FriendsOfPHP/security-advisories repository and the GitHub Advisory Database.

Comments
  • drupal/entity marked insecure?

    I see that since yesterday you've added Drupal Contrib Modules to your great package.

I like that, but it currently breaks my composer on all my D8 projects, because all versions of drupal/entity are marked as unsafe: "drupal/entity": ">=1,<1.9"

    At least the latest (1.0-rc1) version has been found safe by the Drupal Security Team: https://www.drupal.org/project/entity

    bug 
    opened by Boegie 46
  • Latest commit conflicts with symfony/framework-bundle: 4.4.*

    Hello.

We are still using symfony 4.4.* on our project, but commit https://github.com/Roave/SecurityAdvisories/commit/94a98d36257ecb87064ae581a2e04b381119ac57 (latest commit currently) conflicts with all versions of symfony/framework-bundle from the 4.4 branch (branch 4.4 is still maintained: https://symfony.com/releases/4.4). I suppose that this is because of https://symfony.com/blog/cve-2022-23601-csrf-token-missing-in-forms, but this relates to the package with versions 5 and 6.

Would you be so kind as to clarify why you have this in composer.json? Would you be so kind as to fix this?

    Thank you in advance.

    invalid question 
    opened by vkhramtsov 27
  • laravel/laravel is not a valid package to include

    https://github.com/Roave/SecurityAdvisories/commit/bc10788e8d1fc3c962d92faa2442bd1852c08c03#diff-d2ab9925cad7eac58e0ff4cc0d251a937ecf49e4b6bf57f8b95aab76648a9d34R139 is not a valid inclusion in this package because it is unactionable and prevents existing Laravel projects from updating their dependencies while requiring this package.

    The inclusion of that line stems from https://github.com/advisories/GHSA-246r-r2wf-frhx which is a security advisory about a weak default value in the laravel/laravel project demo / template repository. The problem stems from the fact that laravel/laravel is not a dependency that is pulled into other projects, it is instead a base point that other projects start from.

    This causes issues with a large amount of existing (and new) Laravel projects because most people don't change the name property in their project's composer.json file, meaning that a significant number of projects out there have name: laravel/laravel in their composer.json files, which means that this package will (falsely) now conflict with their very own project's composer.json file.

    The specific error message presented to users in the above case is the following:

    Problem 1
        - laravel/laravel is present at version 1.0.0+no-version-set and cannot be modified by Composer
        - roave/security-advisories dev-master conflicts with roave/security-advisories dev-master.
        - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].
    
    bug invalid 
    opened by LukeTowers 14
  • Conflict with typo3-cms

    typo3/cms-core v10.4.19 conflicts with roave/security-advisories dev-latest.

    I can't update my TYPO3 since the new security releases are online.

    Is this a bug from roave or TYPO3?

    question 
    opened by Bonnography 13
  • Optimize duplicate conflicting versions

    When a package has several vulnerabilities, the generated conflict constraint may be much more complex than necessary. See for instance the rule for FOSUserBundle (much simpler than the symfony one):

    >=1.2.0,<1.2.1|>=1.2.0,<1.2.4|>=1.2.0,<1.3.0|>=1.3.0,<1.3.5|>=1.2.0,<1.2.5|>=1.3.0,<1.3.3
    

    The third constraint is a superset of the first 2 ones (and of the 5th one). Deduplicating constraints would make the dependency resolution much easier for Composer later.

    enhancement 
    opened by stof 13
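The deduplication stof asks for, as an added example that is not code from Roave/SecurityAdvisories: it parses the ">=a,<b|..." alternatives that Composer conflict rules use, merges overlapping or adjacent ranges into a minimal rule, and checks whether a given version falls inside it. It assumes purely numeric dotted versions; the FOSUserBundle rule is the one quoted above, and any other constraint string used with it is constructed for illustration.

```python
"""Deduplicate a Composer conflict constraint of the form '>=a,<b|>=c,<d|...'.
Added illustration for the merging requested above, not Roave/SecurityAdvisories code.
Assumes purely numeric dotted versions (1.2.0, 10.4.5); suffixes like 1.0-rc1 are rejected.
"""
import re
from typing import List, Tuple

# One alternative of a Composer conflict rule: lower bound inclusive, upper bound exclusive.
RANGE_RE = re.compile(r"^>=(\d+(?:\.\d+)*),<(\d+(?:\.\d+)*)$")
# The FOSUserBundle rule quoted in the issue above.
FOS_USER_BUNDLE = ">=1.2.0,<1.2.1|>=1.2.0,<1.2.4|>=1.2.0,<1.3.0|>=1.3.0,<1.3.5|>=1.2.0,<1.2.5|>=1.3.0,<1.3.3"
Version = Tuple[int, ...]
Range = Tuple[Version, Version, str, str]  # comparable bounds plus their original text


def parse_version(text: str) -> Version:
    """'1.9' -> (1, 9, 0, 0): pad so that '1' and '1.0.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_ranges(constraint: str) -> List[Range]:
    """Split the constraint on '|' into half-open ranges [low, high)."""
    ranges: List[Range] = []
    for alternative in constraint.split("|"):
        match = RANGE_RE.match(alternative.strip())
        if match is None:
            raise ValueError(f"unsupported range syntax: {alternative!r}")
        low, high = match.group(1), match.group(2)
        ranges.append((parse_version(low), parse_version(high), low, high))
    return ranges


def merge_constraint(constraint: str) -> str:
    """Collapse overlapping and adjacent ranges into a minimal equivalent constraint."""
    merged: List[Range] = []
    for low_t, high_t, low, high in sorted(parse_ranges(constraint), key=lambda r: (r[0], r[1])):
        if merged and low_t <= merged[-1][1]:
            # Overlaps, or starts exactly where the previous one stops (<1.3.0 then >=1.3.0):
            # keep the previous lower bound and extend the upper bound if this one reaches further.
            prev_low_t, prev_high_t, prev_low, prev_high = merged[-1]
            if high_t > prev_high_t:
                merged[-1] = (prev_low_t, high_t, prev_low, high)
        else:
            merged.append((low_t, high_t, low, high))
    return "|".join(f">={low},<{high}" for _, _, low, high in merged)


def is_conflicting(version: str, constraint: str) -> bool:
    """True when `version` falls inside any range, i.e. Composer would refuse to install it."""
    v = parse_version(version)
    return any(low_t <= v < high_t for low_t, high_t, _, _ in parse_ranges(constraint))
```

merge_constraint(FOS_USER_BUNDLE) collapses the six alternatives to ">=1.2.0,<1.3.5", which is exactly the superset relationship the issue points out.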
  • "composer outdated" command reports this package as outdated in CI jobs

Since there are no stable releases, only dev-master, our CI jobs fail in a weird way.

When I run composer outdated --direct --minor-only --strict locally, I get a 0 exit code and everything is OK. In a GitLab CI job I get:

    roave/security-advisories dev-master ! dev-master 6acf968 Prevents installation of composer packages with known security vulnerabilities: no API, simply require it
    

AFAIS 6acf968 is the latest commit and we have it in composer.lock, so I don't get why Composer complains about it.

Anyway, do you consider providing stable releases? This shouldn't add much maintenance time (just create tags) and it would bring added value:

• No dependency on an unstable package (dev-master) in projects
• composer outdated would report this package in the same way as others

If all tags were in the 1.x branch, the constraint ~1.0 would work the same as dev-master. So it is only up to the maintainers whether they want to provide tags (releases).

    bug invalid question 
    opened by Wirone 12
  • [Feature Request] improve usability for CI cases when SecurityAdvisories is pulled in by a dependency

    Today the Travis tests for one of my bundles started failing with no apparent reason in its code (log: https://travis-ci.org/kaliop-uk/ezmigrationbundle/jobs/395645840 )

The Travis log tells me that composer failed to install the dependencies - but in a quite non-obvious way, as the offending package is listed as being 'roave/security-advisories dev-master', instead of the one that SecurityAdvisories conflicts with.

It might well be that this is rather a composer problem of not giving more detailed information about the conflict - but in the current situation it is hard for me to find out which package prevents composer from achieving an installation, as the list of dependencies is huge.

It is also not as easy to simply 'not include SecurityAdvisories' in the composer.json that I use for Travis tests, as it is in fact pulled in by a dependency (my bundle is a plugin for a CMS, and it pulls in the CMS as a dependency when running its test suite. The CMS seems to be the one now including SecurityAdvisories).

    And all things considered, I'd rather still run my tests against a complete matrix of versions of the supported core system, even though some of those might now be known to have security issues.

    It would be nice to have at least some tips for working around this situation in the Readme file...

    enhancement wontfix 
    opened by gggeek 12
  • Why was ignition 1.x removed from the conflict exception?

    Change/blame seen here: https://github.com/Roave/SecurityAdvisories/blame/bac54e18ee767f065d88b81c8517fb21cd6414ab/composer.json#L98

    Was changed in commit: https://github.com/Roave/SecurityAdvisories/commit/bad3752fd78f4a07acb24e56fec0366aa711f150

    I'm not quite seeing any recent change in https://github.com/FriendsOfPHP/security-advisories/tree/master/facade/ignition

    Had a little monologue about it here 😅: https://twitter.com/HenkPoley/status/1460186738689773569

    It currently blocks installing Laravel 6.x for me. Which is still in security support for about a year, so I'd be surprised if there actually was an unfix{ed,able} problem.

    question 
    opened by HenkPoley 11
  • How to integrate into existing project?

    I'm on an old project and would like to add this tool. However, I'm getting this result:

    $ composer require --dev roave/security-advisories:dev-master
        1/2:	http://packagist.org/p/provider-latest$272b2375b59d963722fae33cda2f21391d74cabff9314e72be645ef506ffb148.json
        2/2:	http://packagist.org/p/provider-2018-10$e848d0ea86ecaa3b0f19d91a3e0c77a2ace231a51e677fdfbe6425d20a82ece2.json
        Finished: success: 2, skipped: 0, failure: 0, total: 2
    ./composer.json has been updated
    Loading composer repositories with package information
    Updating dependencies (including require-dev)
    Your requirements could not be resolved to an installable set of packages.
    
      Problem 1
        - Installation request for … -> satisfiable by ….
        - roave/security-advisories dev-master conflicts with ….
        - Installation request for roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].
    
    
    Installation failed, reverting ./composer.json to its original content.
    

    The composer why-not is not helpful either.

    $ composer why-not --recursive roave/security-advisories dev-master
    
    
      [InvalidArgumentException]
      Could not find package "roave/security-advisories" in your project
    
    
    prohibits [-r|--recursive] [-t|--tree] [--] <package> [<constraint>]
    

    Is there any known way to handle this situation? I mean something more useful and precise other than "just update everything".

    question 
    opened by havvg 9
  • Documented dry run command does not check locked dependencies

    The README states that the following command is sufficient to manually trigger a security version check (see #59).

    composer update --dry-run roave/security-advisories
    

    This does not seem to work however.

I made an example repository (https://github.com/pixelbrackets/SecurityAdvisoriesTest/) with the TYPO3 CMS locked to version 10.4.5. The skeleton project has the core package »typo3/cms-core« as a dependency, and I added »roave/security-advisories« as a dependency as well.

    composer show typo3/cms-core
    name     : typo3/cms-core
    descrip. : The core library of TYPO3.
    keywords : 
    versions : * v10.4.5
    
    composer show roave/security-advisories
    name     : roave/security-advisories
    descrip. : Prevents installation of composer packages with known security vulnerabilities: no API, simply require it
    keywords : 
    versions : * dev-master
    

    A new TYPO3 version 10.4.6, containing security fixes, was released today: https://packagist.org/packages/typo3/cms-core#v10.4.6

    The version constraint is already merged into »roave/security-advisories«: https://github.com/Roave/SecurityAdvisories/blob/master/composer.json#L216

The given command should now return some kind of information that 10.4.5 is not valid anymore. This is not the case however.

    I use Composer version 1.10.9.

    question 
    opened by pixelbrackets 8
  • Unclear why laravel-filemanager is marked as insecure

    Hi,

    I noticed that unisharp/laravel-filemanager has been added to the conflicts in the following commit: https://github.com/Roave/SecurityAdvisories/commit/5369c567667640bc617d0c6b1ba7c156128ccec5. The commit description links to a codeigniter security advisory, which doesn't seem relevant for this package. I've noticed the following issue on the filemanager's repository: https://github.com/UniSharp/laravel-filemanager/issues/1096, does it have anything to do with this?

    question 
    opened by MaxKorlaar 7
  • Clarify package usage

    Split installation and usage description.

    Extend description how the package works and when it runs.

    Explain need for Composer 2 in manual version checks (see #66)

    opened by pixelbrackets 0
Owner
Roave, LLC