Bug #94784

Bug #94782: Revert "Declare core as replacement for t3g/svg-sanitizer"

t3g/svg-sanitizer conflicts with roave/security-advisories which then blocks core updates

Added by Dan Untenzu 4 months ago. Updated 4 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2021-08-10
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:
Description

What did I do?

- Update an existing installation with typo3/cms-core:10.4.18 and roave/security-advisories:dev-latest

What did I expect?

- Composer update runs through, installs typo3/cms-core:10.4.19

What happened instead

- Composer keeps typo3/cms-core:10.4.18

Additional information

After removing roave/security-advisories, updating and adding roave/security-advisories, it became clear that this has to be an issue with #94719.
In this commit typo3/cms-core replaces t3g/svg-sanitizer, which is blocked for all versions < 1.0.3 by roave/security-advisories (See https://github.com/Roave/SecurityAdvisories/blob/latest/composer.json#L285).

Since an asterisk was used, Composer will match every version of t3g/svg-sanitizer as replaced by typo3/cms-core. This means that during the dependency update Composer will keep the first matching version string of t3g/svg-sanitizer, which then is blocked by the conflict in roave/security-advisories.

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - bk2k/bootstrap-package is locked to version 11.0.3 and an update of this package was not requested.
    - roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core v10.4.19 replaces t3g/svg-sanitizer *).
    - bk2k/bootstrap-package 11.0.3 requires typo3/cms-core ^9.5 || ^10.0 || 10.*@dev -> satisfiable by typo3/cms-core[v10.4.19].
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].
    - roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core v10.4.19 replaces t3g/svg-sanitizer *).
    - typo3/cms-core is locked to version v10.4.19 and an update of this package was not requested.

Suggested Solution 1: Remove the conflict block for t3g/svg-sanitizer in roave/security-advisories - Since the affected versions are fixed in all replacement versions (typo3/cms-core)

Suggested Solution 2: Replace a specific version in typo3/cms-core, not a joker version: Use "t3g/svg-sanitizer": ">=1.0.3" instead of "t3g/svg-sanitizer": "*".
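
Added example (not part of the original report, and not Composer's own code): a simplified Python model of the overlap check behind the error above, showing why a `*` replace collides with the `<1.0.3` conflict while `>=1.0.3` does not. The interval parsing and all function names are assumptions made for illustration.

```python
# Simplified model (assumption): only "*", "<X.Y.Z" and ">=X.Y.Z" are parsed,
# each as a half-open version interval [low, high).
INF = (float("inf"),)


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def to_interval(constraint):
    constraint = constraint.strip()
    if constraint == "*":
        return ((0,), INF)
    if constraint.startswith(">="):
        return (parse_version(constraint[2:]), INF)
    if constraint.startswith("<"):
        return ((0,), parse_version(constraint[1:]))
    raise ValueError(f"unsupported constraint: {constraint!r}")


def intersects(a, b):
    """True if at least one version satisfies both constraints."""
    low_a, high_a = to_interval(a)
    low_b, high_b = to_interval(b)
    return max(low_a, low_b) < min(high_a, high_b)


def blocked_by_advisory(replace_map, conflict_map):
    """Names whose replaced version range overlaps a conflict range."""
    return sorted(
        name for name, replaced in replace_map.items()
        if name in conflict_map and intersects(replaced, conflict_map[name])
    )


# Constraints quoted in the report above.
CONFLICT = {"t3g/svg-sanitizer": "<1.0.3"}          # roave/security-advisories
WILDCARD_REPLACE = {"t3g/svg-sanitizer": "*"}       # typo3/cms-core v10.4.19
PINNED_REPLACE = {"t3g/svg-sanitizer": ">=1.0.3"}   # Suggested Solution 2

if __name__ == "__main__":
    print("wildcard replace blocked:", blocked_by_advisory(WILDCARD_REPLACE, CONFLICT))
    print("pinned replace blocked:  ", blocked_by_advisory(PINNED_REPLACE, CONFLICT))
```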


Related issues

Related to TYPO3 Core - Task #94719: Declare core as replacement for t3g/svg-sanitizer | Closed | Oliver Hader | 2021-08-05

#1

Updated by Dan Untenzu 4 months ago

  • Description updated (diff)
#2

Updated by Dan Untenzu 4 months ago

  • Related to Task #94719: Declare core as replacement for t3g/svg-sanitizer added
#3

Updated by Dan Untenzu 4 months ago

  • Related to Bug #94782: Revert "Declare core as replacement for t3g/svg-sanitizer" added
#4

Updated by Oliver Hader 4 months ago

  • Parent task set to #94782
#5

Updated by Oliver Hader 4 months ago

  • Status changed from New to Closed

→ duplicate of #94782

#6

Updated by Dan Untenzu 4 months ago

  • Description updated (diff)
