Bug #101675
Updated by Stefan P 9 months ago
This github advisory suggests installing an ELTS release: https://github.com/advisories/GHSA-m8fw-p3cr-6jqc
These advisories are used by https://github.com/Roave/SecurityAdvisories to create its composer.json.
This leads to this behaviour: https://github.com/Roave/SecurityAdvisories/issues/120
*Summary* : when using @composer update@ on an EOL-but-non-ELTS TYPO3 version it will fail completly when depending on the roave security advisories. So this means you can not even update non-TYPO3 packages this way. Only by spending hours of manually doing an @composer update vendor/package@ for hundreds of packages _individually_ ! Or by dropping the security-advisory dependency (meaning: dropping advisories for non-TYPO3 packages as well). Both are no options for big setups.
*This also means if you "inherit" a TYPO3 installation from another agency, that for some reason is not even latest free release, you can not update it to the latest free-release easily.*
A security advisory should never-ever force-suggest paid-only versions that once where free.
I flagged this as a regression, because @composer update@ worked on v8-10 and now it does not anymore.
Since I had to select a TYPO3 version in this issue, I selected v12, because it basically is affecting ALL version sooner or later.
(I really hope this wasn't by intention - forcing people in the paid ELTS plan by soft-blocking updates to 3rd party packages this way, would really shine a bad light on TYPO3)