
Task #103082

Updated by Benjamin Franzke 3 months ago

Change death star range for replacements

The so-called "death star" [1] has to be used with caution as it replaces all versions of the replaced packages, including old or insecure versions.

That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory [2] is submitted for the replaced packages.

The extension replacements for packages that have been integrated into typo3/cms-core need to be adapted to use the more precise self.version qualifier to avoid matching security advisories, as suggested by https://github.com/Roave/SecurityAdvisories/issues/127#issuecomment-1933647035.

[1] https://getcomposer.org/doc/04-schema.md#replace
[2] https://github.com/advisories/GHSA-cgr9-h9qq-x9fx

See https://github.com/Roave/SecurityAdvisories/issues/127
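As an added illustration, not part of this Forge entry or of the TYPO3 code base, the following Python check parses a constructed composer.json, flags `replace` entries that use the unbounded `*` ("death star") range and narrows them to `self.version`; the replaced package names `vendor/legacy-extension` and `vendor/merged-extension` are made up for the example.

```python
import json
from typing import Dict, List

# Constructed composer.json fragment (not taken from the TYPO3 project): the
# replacing package declares two replacements, one with the "death star" `*`
# range and one with the precise `self.version` qualifier.
SAMPLE_COMPOSER_JSON = """
{
    "name": "typo3/cms-core",
    "version": "12.4.10",
    "replace": {
        "vendor/legacy-extension": "*",
        "vendor/merged-extension": "self.version"
    }
}
"""


def find_death_star_replacements(composer_json: str) -> List[str]:
    """Return the names of replaced packages whose replace constraint is the
    unbounded `*` range, i.e. the replacing package claims to satisfy every
    version of them, including old or insecure ones that an advisory covers."""
    data = json.loads(composer_json)
    replace = data.get("replace", {})
    return sorted(pkg for pkg, constraint in replace.items()
                  if constraint.strip() == "*")


def fix_death_star_replacements(composer_json: str) -> Dict:
    """Return the parsed composer.json with every `*` replace constraint
    narrowed to `self.version`, so the replacing package only claims the
    version it itself ships and no longer matches advisories for older
    versions of the replaced package."""
    data = json.loads(composer_json)
    for pkg in find_death_star_replacements(composer_json):
        data["replace"][pkg] = "self.version"
    return data


if __name__ == "__main__":
    print("death star replacements:",
          find_death_star_replacements(SAMPLE_COMPOSER_JSON))
    fixed = fix_death_star_replacements(SAMPLE_COMPOSER_JSON)
    print(json.dumps(fixed["replace"], indent=4))
```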
