Bug #94784

Updated by Dan Kleine (Untenzu) over 2 years ago

*What did I do?* 

 - Update an existing installation with typo3/cms-core:10.4.18 and roave/security-advisories:dev-latest 

 *What did I expect?* 

 - Composer update runs through, installs typo3/cms-core:10.4.19 

 *What happened instead* 

 - Composer keeps typo3/cms-core:10.4.18 

 *Additional information* 

 After removing roave/security-advisories, updating and adding roave/security-advisories again, it became clear that this has to be an issue with #94719. 
 In this commit typo3/cms-core replaces t3g/svg-sanitizer, which is blocked for all versions < 1.0.3 by roave/security-advisories (See https://github.com/Roave/SecurityAdvisories/blob/latest/composer.json#L285). 

 Since an asterisk was used Composer will match *every* version of t3g/svg-sanitizer as replaced by typo3/cms-core. This means that during the dependency update Composer will keep the first matching version string of t3g/svg-sanitizer, which then is blocked by the conflict in roave/security-advisories. 

 <pre> 
 Your requirements could not be resolved to an installable set of packages. 

   Problem 1 
     - bk2k/bootstrap-package is locked to version 11.0.3 and an update of this package was not requested. 
     - roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core v10.4.19 replaces t3g/svg-sanitizer *). 
     - bk2k/bootstrap-package 11.0.3 requires typo3/cms-core ^9.5 || ^10.0 || 10.*@dev -> satisfiable by typo3/cms-core[v10.4.19]. 
     - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master]. 
 </pre> 

 <pre> 
 Your requirements could not be resolved to an installable set of packages. 

   Problem 1 
     - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master]. 
     - roave/security-advisories dev-master conflicts with t3g/svg-sanitizer <1.0.3 (typo3/cms-core v10.4.19 replaces t3g/svg-sanitizer *). 
     - typo3/cms-core is locked to version v10.4.19 and an update of this package was not requested. 
 </pre> 

 Suggested Solution 1: Remove the conflict block for t3g/svg-sanitizer in roave/security-advisories, since the affected versions are fixed in all replacement versions (typo3/cms-core). 

 Suggested Solution 2: Replace a specific version in typo3/cms-core, not a wildcard version: Use <code>"t3g/svg-sanitizer": ">=1.0.3"</code> instead of <code>"t3g/svg-sanitizer": "*"</code>. 
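The script below is an added illustration; it is not part of the bug report and is not code from Composer, TYPO3 or roave/security-advisories. It models, as an assumption about Composer's solver rather than its real implementation, the rule the report describes: a package that replaces another with constraint X is treated as supplying every version of the replaced package that X allows, so a conflict rule fires whenever X overlaps the conflicting range. The package name t3g/svg-sanitizer and the range <1.0.3 are taken from the report; every other constraint in the code and its tests is a constructed input, and the function and class names are the example's own.

```python
"""
Added example, not from the bug report or from Composer/TYPO3 code.

Simplified model (an assumption about Composer's solver, not its real code)
of why a `replace` entry can be caught by a `conflict` rule: the replacing
package is treated as supplying the replaced package at every version the
replace constraint allows, so the conflict fires when the two ranges overlap.
Supported syntax: "*", comparison operators (>=, >, <=, <, ==/=, or a bare
exact version) joined by commas or spaces. Anything else raises ValueError.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]
Bound = Optional[Tuple[Version, bool]]  # (version, inclusive); None = unbounded

_PART = re.compile(r"^(>=|<=|>|<|==|=)?v?(\d+(?:\.\d+)*)$")


def _version(text: str) -> Version:
    return tuple(int(p) for p in text.split("."))


def _cmp(a: Version, b: Version) -> int:
    """Compare versions, padding the shorter one with zeros (1.0 == 1.0.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def _tighter_lower(a: Bound, b: Bound) -> Bound:
    """Higher lower bound wins; at equal versions an exclusive bound is tighter."""
    if a is None or b is None:
        return b if a is None else a
    c = _cmp(a[0], b[0])
    if c != 0:
        return a if c > 0 else b
    return (a[0], a[1] and b[1])


def _tighter_upper(a: Bound, b: Bound) -> Bound:
    """Lower upper bound wins; at equal versions an exclusive bound is tighter."""
    if a is None or b is None:
        return b if a is None else a
    c = _cmp(a[0], b[0])
    if c != 0:
        return a if c < 0 else b
    return (a[0], a[1] and b[1])


@dataclass(frozen=True)
class Range:
    lower: Bound
    upper: Bound

    def overlaps(self, other: "Range") -> bool:
        """True if at least one version satisfies both ranges."""
        lo = _tighter_lower(self.lower, other.lower)
        hi = _tighter_upper(self.upper, other.upper)
        if lo is None or hi is None:
            return True
        c = _cmp(lo[0], hi[0])
        return c < 0 or (c == 0 and lo[1] and hi[1])


def parse(constraint: str) -> Range:
    """Parse a Composer-style constraint into a single version range."""
    text = constraint.strip()
    if text == "*":
        return Range(None, None)
    text = re.sub(r"(>=|<=|>|<|==|=)\s+", r"\1", text)  # ">= 1.0" -> ">=1.0"
    lower: Bound = None
    upper: Bound = None
    for part in re.split(r"[,\s]+", text):
        m = _PART.match(part)
        if not m:
            raise ValueError(f"unsupported constraint syntax: {part!r}")
        op, ver = m.group(1) or "==", _version(m.group(2))
        if op in (">=", ">", "==", "="):
            lower = _tighter_lower(lower, (ver, op != ">"))
        if op in ("<=", "<", "==", "="):
            upper = _tighter_upper(upper, (ver, op != "<"))
    rng = Range(lower, upper)
    if not rng.overlaps(Range(None, None)):
        raise ValueError(f"empty constraint: {constraint!r}")
    return rng


def replace_triggers_conflict(replace_constraint: str, conflict_constraint: str) -> bool:
    """Would a package replacing another with `replace_constraint` be rejected
    by a conflict rule written as `conflict_constraint`?"""
    return parse(replace_constraint).overlaps(parse(conflict_constraint))


if __name__ == "__main__":
    ADVISORY = "<1.0.3"  # range of t3g/svg-sanitizer blocked by roave/security-advisories
    for replace in ("*", ">=1.0.3"):  # the two variants discussed in the report
        print(f'"replace": {{"t3g/svg-sanitizer": "{replace}"}} '
              f'-> blocked by conflict {ADVISORY}: {replace_triggers_conflict(replace, ADVISORY)}')
```

Running it reports the wildcard replace as blocked by the advisory range and `>=1.0.3` as not blocked, which is the difference between the two suggested solutions. The model is deliberately small: caret and tilde operators, `||` unions and stability suffixes are not parsed and raise ValueError, so treat it as a quick check on a `replace` entry, not as a substitute for running the real solver.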
