Bug #94784
Bug #94782 (closed): Revert "Declare core as replacement for t3g/svg-sanitizer"
t3g/svg-sanitizer conflicts with roave/security-advisories which then blocks core updates
Description
What did I do?
- Update an existing installation with typo3/cms-core:10.4.18 and roave/security-advisories:dev-latest
What did I expect?
- Composer update runs through, installs typo3/cms-core:10.4.19
What happened instead?
- Composer keeps typo3/cms-core:10.4.18
Additional information
After removing roave/security-advisories, updating and adding roave/security-advisories, it became clear that this has to be an issue with #94719.
In this commit typo3/cms-core replaces t3g/svg-sanitizer, which is blocked for all versions < 1.0.3 by roave/security-advisories (see https://github.com/Roave/SecurityAdvisories/blob/latest/composer.json#L285).
Since an asterisk was used, Composer will match every version of t3g/svg-sanitizer as replaced by typo3/cms-core. This means that during the dependency update Composer will keep the first matching version string of t3g/svg-sanitizer, which then is blocked by the conflict in roave/security-advisories.
Your requirements could not be resolved to an installable set of packages.
  Problem 1
    - bk2k/bootstrap-package is locked to version 11.0.3 and an update of this package was not requested.
    - roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core v10.4.19 replaces t3g/svg-sanitizer *).
    - bk2k/bootstrap-package 11.0.3 requires typo3/cms-core ^9.5 || ^10.0 || 10.*@dev -> satisfiable by typo3/cms-core[v10.4.19].
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

Your requirements could not be resolved to an installable set of packages.
  Problem 1
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].
    - roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core v10.4.19 replaces t3g/svg-sanitizer *).
    - typo3/cms-core is locked to version v10.4.19 and an update of this package was not requested.
Suggested Solution 1: Remove the conflict block for t3g/svg-sanitizer in roave/security-advisories - Since the affected versions are fixed in all replacement versions (typo3/cms-core)
Suggested Solution 2: Replace a specific version in typo3/cms-core, not a joker version: Use "t3g/svg-sanitizer": ">=1.0.3" instead of "t3g/svg-sanitizer": "*".
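The overlap between the conflict range and the replaced range in the report above, as an added example that is not part of the original report and is not Composer's code. It is a simplified Python model that assumes a conflict applies to a replaced package whenever the two version ranges intersect, and it handles only the `*`, `>=X` and `<X` forms; the function names are hypothetical.

```python
import math

# Open upper bound; compares greater than any real version tuple.
INF = (math.inf,)

def parse_version(text):
    """'1.0.3' -> (1, 0, 3)"""
    return tuple(int(part) for part in text.strip().split("."))

def to_range(constraint):
    """Return the half-open range [low, high) that a constraint allows."""
    constraint = constraint.strip()
    if constraint == "*":
        return (0,), INF
    if constraint.startswith(">="):
        return parse_version(constraint[2:]), INF
    if constraint.startswith("<") and not constraint.startswith("<="):
        return (0,), parse_version(constraint[1:])
    raise ValueError(f"unsupported constraint: {constraint!r}")

def overlaps(a, b):
    """True when at least one version satisfies both constraints."""
    low_a, high_a = to_range(a)
    low_b, high_b = to_range(b)
    return max(low_a, low_b) < min(high_a, high_b)

def blocked_replacements(replace, conflict):
    """Names of replaced packages whose replaced range meets a conflict range.

    Assumption of this model: a package that replaces `name` with range R is
    rejected when a conflict on `name` with range C shares any version with R.
    """
    return sorted(
        name for name, replaced in replace.items()
        if name in conflict and overlaps(replaced, conflict[name])
    )

# Values taken from the resolver output in the report.
ADVISORY_CONFLICT = {"t3g/svg-sanitizer": "<1.0.3"}
CORE_REPLACE_WILDCARD = {"t3g/svg-sanitizer": "*"}       # typo3/cms-core v10.4.19
CORE_REPLACE_PINNED = {"t3g/svg-sanitizer": ">=1.0.3"}   # Suggested Solution 2

if __name__ == "__main__":
    print("wildcard:", blocked_replacements(CORE_REPLACE_WILDCARD, ADVISORY_CONFLICT))
    print("pinned:  ", blocked_replacements(CORE_REPLACE_PINNED, ADVISORY_CONFLICT))
```

A lower bound below the fixed release, such as `>=1.0.0`, still intersects `<1.0.3` and is reported as blocked in this model.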