Updating EOL-releases using non-ELTS and depending on roave/security-advisories fails because of security advisories to ELTS
This github advisory suggests installing an ELTS release: https://github.com/advisories/GHSA-m8fw-p3cr-6jqc
These advisories are used by https://github.com/Roave/SecurityAdvisories to create its composer.json.
This leads to this behaviour: https://github.com/Roave/SecurityAdvisories/issues/120
Summary: when using composer update on an EOL-but-non-ELTS TYPO3 version it will fail completely when depending on the roave security advisories. So this means you can not even update non-TYPO3 packages this way. Only by spending hours of manually doing a composer update vendor/package for hundreds of packages individually! Or by dropping the security-advisory dependency (meaning: dropping advisories for non-TYPO3 packages as well). Both are no options for big setups.
This also means if you "inherit" a TYPO3 installation from another agency, that for some reason is not even the latest free release, you can not update it to the latest free release easily.
A security advisory should never-ever force-suggest paid-only versions that once were free.
I flagged this as a regression, because composer update worked on v8-10 and now it does not anymore.
Since I had to select a TYPO3 version in this issue, I selected v12, because it basically is affecting ALL versions sooner or later.
(I really hope this wasn't by intention - forcing people into the paid ELTS plan by soft-blocking updates to 3rd party packages this way would really shine a bad light on TYPO3)
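An added diagnostic sketch, not part of the original report and not code from Roave or TYPO3: roave/security-advisories expresses each advisory as a Composer "conflict" constraint, so one locked package inside such a range blocks the whole update. The script below lists which locked packages fall inside a conflict range. The package names, versions and ranges are constructed sample data, and the matcher is a simplification that only handles numeric versions with comparison operators.

```python
import re

# Constructed sample data (not real advisory ranges): the shape of the
# "conflict" section in roave/security-advisories' composer.json.
CONFLICTS = {
    "typo3/cms-core": ">=8,<8.7.99|>=9,<9.5.99",
    "vendor/package": "<1.2.3",
}
# Constructed sample of the "packages" entries in a composer.lock.
LOCKED = [
    {"name": "typo3/cms-core", "version": "v8.7.32"},
    {"name": "vendor/package", "version": "1.4.0"},
    {"name": "vendor/other", "version": "2.0.0"},
]

OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

def parse_version(text):
    """Turn 'v8.7.32' or '8' into a comparable tuple padded to 4 parts."""
    parts = [int(p) for p in re.findall(r"\d+", text.split("-")[0])]
    return tuple(parts + [0] * (4 - len(parts)))[:4]

def matches(version, constraint):
    """True if version satisfies the constraint (',' or space = AND, '|' = OR)."""
    v = parse_version(version)
    for alternative in constraint.split("|"):
        terms = re.findall(r"(>=|<=|>|<|=)?\s*([\dv.]+)", alternative)
        if terms and all(OPS[op or "="](v, parse_version(num)) for op, num in terms):
            return True
    return False

def blocked_packages(locked, conflicts):
    """Return (name, version, constraint) for each locked package in a conflict range."""
    return [
        (p["name"], p["version"], conflicts[p["name"]])
        for p in locked
        if p["name"] in conflicts and matches(p["version"], conflicts[p["name"]])
    ]

if __name__ == "__main__":
    for name, version, constraint in blocked_packages(LOCKED, CONFLICTS):
        print(f"{name} {version} is inside conflict range {constraint}")
```

To run it against a real project, load LOCKED from the "packages" array of composer.lock and CONFLICTS from the "conflict" object of the roave/security-advisories composer.json.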