Bug #94782
Revert "Declare core as replacement for t3g/svg-sanitizer"
Status: Closed, 100% done
Description
Using roave/security-advisories leads to problems, since the replaced version was not specified explicitly:
Problem 1
    - Root composer.json requires typo3/cms-core 10.4.x@dev -> satisfiable by typo3/cms-core[10.4.x-dev].
    - roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core 10.4.x-dev replaces t3g/svg-sanitizer *).
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].
Updated by Oliver Hader over 3 years ago
- Related to Task #94719: Declare core as replacement for t3g/svg-sanitizer added
Updated by Dan Kleine (Untenzu) over 3 years ago
- Related to Bug #94784: t3g/svg-sanitizer conflicts with roave/security-advisories which then blocks core updates added
Updated by Dan Kleine (Untenzu) over 3 years ago
Ah, I created an issue at about the same time. Thanks for closing the duplicate Oliver.
Since an asterisk was used, Composer will match every version of t3g/svg-sanitizer as replaced by typo3/cms-core. This means that during the dependency update Composer will keep the first matching version string of t3g/svg-sanitizer, which is then blocked by the conflict in roave/security-advisories (https://github.com/Roave/SecurityAdvisories/blob/latest/composer.json#L285).
Suggested Solution 1: Remove the conflict block for t3g/svg-sanitizer in roave/security-advisories, since the affected versions are fixed in all allowed replacement versions of typo3/cms-core (installations using older versions of t3g/svg-sanitizer will fail due to the typo3/cms-core conflict anyway).
Suggested Solution 2: Replace a specific version in typo3/cms-core, not a wildcard version: use "t3g/svg-sanitizer": ">=1.0.3" instead of "t3g/svg-sanitizer": "*".
Suggested Solution 3: Revert the replacement. Just drop usage of the package.
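As an added illustration (not code from this issue, from TYPO3 or from the roave/security-advisories project), this is what Suggested Solution 2 looks like in the replacing package's manifest: the `replace` entry states which versions of t3g/svg-sanitizer the core actually stands in for, instead of the wildcard `"*"` quoted in the Composer output above. Only the package name and the replace constraint are taken from the issue; the `description` field is filler, and the file is a constructed subset, not the real typo3/cms-core composer.json.

```json
{
    "name": "typo3/cms-core",
    "description": "Constructed example: a package that replaces t3g/svg-sanitizer with an explicit version range (Suggested Solution 2)",
    "replace": {
        "t3g/svg-sanitizer": ">=1.0.3"
    }
}
```

With `">=1.0.3"` the solver only treats the core as a stand-in for t3g/svg-sanitizer 1.0.3 and later, so the `t3g/svg-sanitizer <1.0.3` conflict declared by roave/security-advisories has no version left to bind to. With `"*"` the core claims to replace every version, including the vulnerable ones, which is exactly what the "replaces t3g/svg-sanitizer *" line in the Composer output above reports. The same effect is what Composer's own documentation has in mind when it advises using `self.version` or an explicit constraint in `replace` rather than `*`. Note that the maintainers ultimately went with Suggested Solution 3 (dropping the replace entry altogether), as the issue title and the comments below state.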
Updated by Simon Gilli over 3 years ago
Thanks for your suggestions @Dan. We've already checked this before, but as there can be other issues in the future, we decided to remove the replace part again, as mentioned in this issue's title.
Updated by Gerrit Code Review over 3 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70433
Updated by Gerrit Code Review over 3 years ago
Patch set 1 for branch 11.3 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70434
Updated by Gerrit Code Review over 3 years ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70435
Updated by Gerrit Code Review over 3 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/70436
Updated by Oliver Hader over 3 years ago
- Status changed from Under Review to Resolved
Applied in changeset 85342760218833030272d5136122ae30efb0cf69.