Project

General

Profile

Actions

Bug #94782

closed

Revert "Declare core as replacement for t3g/svg-sanitizer"

Added by Oliver Hader over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
composer
Target version:
-
Start date:
2021-08-10
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

Using roave/security-advisories leads to problems, since replaced version was not specified explicitly

  Problem 1
    - Root composer.json requires typo3/cms-core 10.4.x@dev -> satisfiable by typo3/cms-core[10.4.x-dev].
    - roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core 10.4.x-dev replaces t3g/svg-sanitizer *).
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

Subtasks 1 (0 open1 closed)

Bug #94784: t3g/svg-sanitizer conflicts with roave/security-advisories which then blocks core updatesClosed2021-08-10

Actions

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Task #94719: Declare core as replacement for t3g/svg-sanitizerClosedOliver Hader2021-08-05

Actions
Actions #1

Updated by Oliver Hader over 3 years ago

  • Related to Task #94719: Declare core as replacement for t3g/svg-sanitizer added
Actions #2

Updated by Oliver Hader over 3 years ago

  • Is Regression set to Yes
Actions #3

Updated by Oliver Hader over 3 years ago

  • Description updated (diff)
Actions #4

Updated by Dan Kleine (Untenzu) over 3 years ago

  • Related to Bug #94784: t3g/svg-sanitizer conflicts with roave/security-advisories which then blocks core updates added
Actions #5

Updated by Oliver Hader over 3 years ago

  • Status changed from New to Accepted
Actions #6

Updated by Dan Kleine (Untenzu) over 3 years ago

Ah, I created an issue at about the same time. Thanks for closing the duplicate Oliver.

Since an asterisk was used Composer will match every version of t3g/svg-sanitizer as replaced by typo3/cms-core. This means that during the dependency update Composer will keep the first matching version string of t3g/svg-sanitizer, which then is blocked by the conflict in roave/security-advisories (https://github.com/Roave/SecurityAdvisories/blob/latest/composer.json#L285).

Suggested Solution 1: Remove the conflict block for t3g/svg-sanitizer in roave/security-advisories - Since the affected versions are fixed in all allowed replacement versions of typo3/cms-core (Installations using older versions of t3g/svg-sanitizer will fail due to the typo3/cms-core conflict anyway).

Suggested Solution 2: Replace a specific version in typo3/cms-core, not a joker version: Use "t3g/svg-sanitizer": ">=1.0.3" instead of "t3g/svg-sanitizer": "*".

Suggested Solution 3: Revert replacement. Just drop usage of the package.

Actions #7

Updated by Simon Gilli over 3 years ago

Thanks for your suggestions @Dan. We've already checked this before but as there can be other issues in the future we decided to remove the replace part again like mentioned by this issue title.

Actions #8

Updated by Oliver Hader over 3 years ago

  • Description updated (diff)
Actions #9

Updated by Gerrit Code Review over 3 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70433

Actions #10

Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch 11.3 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70434

Actions #11

Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70435

Actions #12

Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70436

Actions #13

Updated by Oliver Hader over 3 years ago

  • Status changed from Under Review to Resolved
Actions #14

Updated by Benni Mack over 3 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF