Bug #94782

Revert "Declare core as replacement for t3g/svg-sanitizer"

Added by Oliver Hader 3 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
composer
Target version:
-
Start date:
2021-08-10
Due date:
% Done:
100%

Estimated time:
(Total: 0.00 h)
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

Using roave/security-advisories leads to problems, since the replaced version was not specified explicitly:

  Problem 1
    - Root composer.json requires typo3/cms-core 10.4.x@dev -> satisfiable by typo3/cms-core[10.4.x-dev].
    - roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core 10.4.x-dev replaces t3g/svg-sanitizer *).
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

Subtasks

Bug #94784: t3g/svg-sanitizer conflicts with roave/security-advisories which then blocks core updates (Closed, 2021-08-10)

Related issues

Related to TYPO3 Core - Task #94719: Declare core as replacement for t3g/svg-sanitizer (Closed, Oliver Hader, 2021-08-05)

#1

Updated by Oliver Hader 3 months ago

  • Related to Task #94719: Declare core as replacement for t3g/svg-sanitizer added
#2

Updated by Oliver Hader 3 months ago

  • Is Regression set to Yes
#3

Updated by Oliver Hader 3 months ago

  • Description updated (diff)
#4

Updated by Dan Untenzu 3 months ago

  • Related to Bug #94784: t3g/svg-sanitizer conflicts with roave/security-advisories which then blocks core updates added
#5

Updated by Oliver Hader 3 months ago

  • Status changed from New to Accepted
#6

Updated by Dan Untenzu 3 months ago

Ah, I created an issue at about the same time. Thanks for closing the duplicate, Oliver.

Since an asterisk was used Composer will match every version of t3g/svg-sanitizer as replaced by typo3/cms-core. This means that during the dependency update Composer will keep the first matching version string of t3g/svg-sanitizer, which then is blocked by the conflict in roave/security-advisories (https://github.com/Roave/SecurityAdvisories/blob/latest/composer.json#L285).

Suggested Solution 1: Remove the conflict block for t3g/svg-sanitizer in roave/security-advisories, since the affected versions are fixed in all allowed replacement versions of typo3/cms-core (installations using older versions of t3g/svg-sanitizer will fail due to the typo3/cms-core conflict anyway).

Suggested Solution 2: Replace a specific version in typo3/cms-core, not a joker version: Use "t3g/svg-sanitizer": ">=1.0.3" instead of "t3g/svg-sanitizer": "*".

Suggested Solution 3: Revert replacement. Just drop usage of the package.
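
The overlap Dan describes can be checked mechanically before a `replace` entry ships. The script below is an added illustration, not TYPO3 or Composer code: it implements a deliberate subset of Composer's constraint grammar (`*`, comparison operators, space/comma-separated AND) and reports which tags a `replace` constraint claims that an advisory's `conflict` range also rejects. The tag list is a constructed sample; the `<1.0.3` range is the one quoted in the Composer output above.

```python
"""Does a Composer `replace` constraint claim versions that a security-advisory
`conflict` range rejects?  Added example; the constraint grammar is a subset
(`*`, >=, <=, >, <, ==, !=, AND by space/comma) sufficient for this issue."""
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt,
       "==": operator.eq, "!=": operator.ne, "": operator.eq}
CLAUSE = re.compile(r"(>=|<=|==|!=|>|<)?\s*v?(\d+(?:\.\d+)*)")

# Constructed sample tag list, not the package's real release history.
SAMPLE_TAGS = ["1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4"]
ADVISORY_CONFLICT = "<1.0.3"   # range quoted in the Composer error above


def parse_version(text):
    """'1.0.3' -> (1, 0, 3); shorter strings are zero-padded so '1.0' == '1.0.0'."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version, constraint):
    """True if `version` matches every clause of `constraint` (clauses are ANDed)."""
    constraint = constraint.strip()
    if constraint == "*":
        return True
    # Reject syntax this subset does not model (^, ~, ||, hyphen ranges) rather
    # than silently misjudging it.
    if CLAUSE.sub("", constraint).strip(" ,"):
        raise ValueError(f"unsupported constraint syntax: {constraint!r}")
    v = parse_version(version)
    return all(OPS[op](v, parse_version(bound)) for op, bound in CLAUSE.findall(constraint))


def vulnerable_replaced_versions(replace_constraint, conflict_constraint, known_versions):
    """Tags the root package claims to replace that the advisory also conflicts with.
    A non-empty result is exactly the situation in this issue: the `replace`
    range covers versions the advisory package refuses, so the two collide."""
    return [v for v in known_versions
            if satisfies(v, replace_constraint) and satisfies(v, conflict_constraint)]


if __name__ == "__main__":
    for constraint in ("*", ">=1.0.3"):
        hits = vulnerable_replaced_versions(constraint, ADVISORY_CONFLICT, SAMPLE_TAGS)
        print(f'"t3g/svg-sanitizer": "{constraint}" overlaps advisory range: {hits}')
```

Run against the sample tags, the joker constraint `*` overlaps the advisory on `1.0.0`, `1.0.1` and `1.0.2`, while `>=1.0.3` (Suggested Solution 2) overlaps on nothing.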

#7

Updated by Simon Gilli 3 months ago

Thanks for your suggestions @Dan. We've already checked this before, but as there can be other issues in the future, we decided to remove the replace part again, as mentioned in this issue title.

#8

Updated by Oliver Hader 3 months ago

  • Description updated (diff)
#9

Updated by Gerrit Code Review 3 months ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70433

#10

Updated by Gerrit Code Review 3 months ago

Patch set 1 for branch 11.3 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70434

#11

Updated by Gerrit Code Review 3 months ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70435

#12

Updated by Gerrit Code Review 3 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70436

#13

Updated by Oliver Hader 3 months ago

  • Status changed from Under Review to Resolved
#14

Updated by Benni Mack about 2 months ago

  • Status changed from Resolved to Closed
