Project

General

Profile

Actions

Bug #101675

closed

Updating EOL-releases using non-ELTS and depending on roave/security-advisories fails because of security advisories to ELTS

Added by Stefan P 6 months ago. Updated 6 months ago.

Status:
Rejected
Priority:
Should have
Assignee:
-
Category:
composer
Target version:
-
Start date:
2023-08-14
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

This github advisory suggests installing an ELTS release: https://github.com/advisories/GHSA-m8fw-p3cr-6jqc

These advisories are used by https://github.com/Roave/SecurityAdvisories to create its composer.json.

This leads to this behaviour: https://github.com/Roave/SecurityAdvisories/issues/120

Summary : when using composer update on an EOL-but-non-ELTS TYPO3 version it will fail completly when depending on the roave security advisories. So this means you can not even update non-TYPO3 packages this way. Only by spending hours of manually doing an composer update vendor/package for hundreds of packages individually ! Or by dropping the security-advisory dependency (meaning: dropping advisories for non-TYPO3 packages as well). Both are no options for big setups.

This also means if you "inherit" a TYPO3 installation from another agency, that for some reason is not even latest free release, you can not update it to the latest free-release easily.

A security advisory should never-ever force-suggest paid-only versions that once where free.

I flagged this as a regression, because composer update worked on v8-10 and now it does not anymore.
Since I had to select a TYPO3 version in this issue, I selected v12, because it basically is affecting ALL version sooner or later.

(I really hope this wasn't by intention - forcing people in the paid ELTS plan by soft-blocking updates to 3rd party packages this way, would really shine a bad light on TYPO3)

Actions

Also available in: Atom PDF