Bug #94782
closed
Revert "Declare core as replacement for t3g/svg-sanitizer"
Added by Oliver Hader over 3 years ago.
Updated about 3 years ago.
Description
Using roave/security-advisories leads to problems, since the replaced version was not specified explicitly:
Problem 1
- Root composer.json requires typo3/cms-core 10.4.x@dev -> satisfiable by typo3/cms-core[10.4.x-dev].
- roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core 10.4.x-dev replaces t3g/svg-sanitizer *).
- Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].
- Related to Task #94719: Declare core as replacement for t3g/svg-sanitizer added
- Description updated (diff)
- Related to Bug #94784: t3g/svg-sanitizer conflicts with roave/security-advisories which then blocks core updates added
- Status changed from New to Accepted
Ah, I created an issue at about the same time. Thanks for closing the duplicate Oliver.
Since an asterisk was used, Composer will match every version of t3g/svg-sanitizer as replaced by typo3/cms-core. This means that during the dependency update, Composer will keep the first matching version string of t3g/svg-sanitizer, which is then blocked by the conflict in roave/security-advisories (https://github.com/Roave/SecurityAdvisories/blob/latest/composer.json#L285).
Suggested Solution 1: Remove the conflict block for t3g/svg-sanitizer in roave/security-advisories - Since the affected versions are fixed in all allowed replacement versions of typo3/cms-core (Installations using older versions of t3g/svg-sanitizer will fail due to the typo3/cms-core conflict anyway).
Suggested Solution 2: Replace a specific version in typo3/cms-core, not a joker version: Use "t3g/svg-sanitizer": ">=1.0.3" instead of "t3g/svg-sanitizer": "*".
Suggested Solution 3: Revert replacement. Just drop usage of the package.
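An added illustration of the constraint overlap discussed in the comment above (not code from this issue, TYPO3 or Composer). It is a simplified model that assumes a conflict applies whenever the replaced version range intersects the conflicting range, handles only `*`, `<X` and `>=X` on plain x.y.z versions, and uses hypothetical function names:

```python
# Simplified model (assumption): a "replace" constraint is treated as the set
# of versions the replacing package stands in for; a "conflict" rule blocks
# the install when that set overlaps the conflicting range.

def parse_version(text):
    """Turn '1.0.3' into (1, 0, 3) so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().split("."))

def to_range(constraint):
    """Map a constraint to a half-open range [low, high); high=None is unbounded."""
    c = constraint.strip()
    if c == "*":
        return ((0,), None)
    if c.startswith(">="):
        return (parse_version(c[2:]), None)
    if c.startswith("<"):
        return ((0,), parse_version(c[1:]))
    raise ValueError(f"constraint form not covered by this model: {constraint!r}")

def intersects(a, b):
    """True when the two constraints share at least one version."""
    range_a, range_b = to_range(a), to_range(b)
    low = max(range_a[0], range_b[0])
    highs = [r[1] for r in (range_a, range_b) if r[1] is not None]
    return not highs or low < min(highs)

def blocked_by_conflict(replace_constraint, conflict_constraint):
    """Would the conflict rule hit the versions declared as replaced?"""
    return intersects(replace_constraint, conflict_constraint)

if __name__ == "__main__":
    # Conflict range taken from the Composer output quoted in the description.
    conflict = "<1.0.3"
    for replaced in ("*", ">=1.0.3"):
        verdict = "blocked" if blocked_by_conflict(replaced, conflict) else "ok"
        print(f'replace "t3g/svg-sanitizer": "{replaced}" vs conflict "{conflict}": {verdict}')
```
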
Thanks for your suggestions @Dan. We've already checked this before, but as there can be other issues in the future, we decided to remove the replace part again, as mentioned in this issue's title.
- Description updated (diff)
- Status changed from Accepted to Under Review
- Status changed from Under Review to Resolved
- Status changed from Resolved to Closed