
Bug #101675

Updated by Stefan P 7 months ago

This GitHub advisory suggests installing an ELTS release: https://github.com/advisories/GHSA-m8fw-p3cr-6jqc

These advisories are used by https://github.com/Roave/SecurityAdvisories to create its composer.json.

This leads to this behaviour: https://github.com/Roave/SecurityAdvisories/issues/120

*Summary*: when using @composer update@ on an EOL-but-non-ELTS TYPO3 version, it will fail completely when depending on the Roave security advisories. So this means you cannot even update non-TYPO3 packages this way. Only by spending hours manually doing a @composer update vendor/package@ for hundreds of packages _individually_! Or by dropping the security-advisory dependency (meaning: dropping advisories for non-TYPO3 packages as well). Neither is an option for big setups.

*This also means that if you "inherit" a TYPO3 from another agency that for some reason is not even on the latest free release, you cannot update it to the latest free release easily.*

A security advisory should never-ever force-suggest paid-only versions that once were free.

I flagged this as a regression, because @composer update@ worked on v8-10 and now it does not anymore.
Since I had to select a TYPO3 version in this issue, I selected v12, because it basically affects ALL versions sooner or later.

(I really hope this wasn't by intention - forcing people into the paid ELTS plan by soft-blocking updates to third-party packages this way would really shine a bad light on TYPO3)
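As an added illustration of the mechanism described in the report (this is not the reporter's code, nor Roave's or Composer's), the following Python models how roave/security-advisories works: it ships a package whose @conflict@ section lists vulnerable version ranges, and Composer refuses to produce any lock file in which an installed package falls inside such a range. The constraint strings and the @acme/library@ package below are constructed for the example and are not taken from the real advisory or from the generated composer.json; the point is that a single conflicting package (here the TYPO3 core) blocks the whole @composer update@, including packages that have no advisory at all.

```python
import re
from typing import Dict, Tuple

# Comparison operators accepted in a Composer constraint atom.
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.5.30' into (11, 5, 30, 0); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def satisfies(version: str, constraint: str) -> bool:
    """Evaluate a Composer-style constraint against a version.

    '|' or '||' separates alternatives (OR); ',' or whitespace joins
    atoms inside one alternative (AND). Only plain comparison atoms are
    supported (no '^', '~' or wildcards), which is all the generated
    conflict entries use.
    """
    ver = parse_version(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        matched = True
        for atom in re.split(r"\s*,\s*|\s+", alternative.strip()):
            if not atom:
                continue
            m = re.fullmatch(r"(<=|>=|!=|==|<|>|=)?v?([\d.]+)", atom)
            if not m:
                raise ValueError(f"unsupported constraint atom: {atom!r}")
            op = m.group(1) or "="
            if not _OPS[op](ver, parse_version(m.group(2))):
                matched = False
                break
        if matched:
            return True
    return False


def blocked_updates(installed: Dict[str, str], conflicts: Dict[str, str]) -> Dict[str, str]:
    """Installed packages whose version falls inside a 'conflict' range.

    Composer does not apply conflicts per package: if this dict is
    non-empty, the whole `composer update` is rejected, including
    packages that are not listed in the conflict map at all.
    """
    return {
        pkg: ver
        for pkg, ver in installed.items()
        if pkg in conflicts and satisfies(ver, conflicts[pkg])
    }


def update_allowed(installed: Dict[str, str], conflicts: Dict[str, str]) -> bool:
    """True only if no installed package hits a conflict entry."""
    return not blocked_updates(installed, conflicts)


# Constructed sample data (hypothetical, not the real advisory ranges):
# an EOL TYPO3 11 site plus two unrelated packages the site owner
# actually wants to update.
INSTALLED = {
    "typo3/cms-core": "11.5.20",
    "acme/library": "1.9.0",
    "monolog/monolog": "3.4.0",
}
# Hypothetical conflict map in the shape roave/security-advisories emits:
# every free 11.5.x release is marked vulnerable, so only a version the
# site cannot obtain for free would satisfy Composer.
CONFLICTS = {
    "typo3/cms-core": "<10.4.99|>=11.5,<11.5.99",
    "acme/library": "<1.5.0",
}

if __name__ == "__main__":
    blocked = blocked_updates(INSTALLED, CONFLICTS)
    print("conflicting packages:", blocked)
    print("composer update would succeed:", update_allowed(INSTALLED, CONFLICTS))
```

Running it shows that only @typo3/cms-core@ conflicts, yet @update_allowed@ is false for the whole set, which is the situation the report describes: @monolog/monolog@ and @acme/library@ cannot be updated in one go until the advisories package is dropped or the core is moved to a version outside the range.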
