
Incorrect conflict line allows installations of insecure Drupal core versions #21

Open
deviantintegral opened this issue May 20, 2020 · 2 comments

Comments

@deviantintegral

I noticed today that I am able to install known-insecure versions of Drupal. Here's the basic composer.json:

{
    "require": {
        "drupal-composer/drupal-security-advisories": "8.x-dev",
        "drupal/core": "8.8.3"
    }
}

And here are the steps that created that file and installed 8.8.3:

$ composer require drupal-composer/drupal-security-advisories:8.x-dev
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing drupal-composer/drupal-security-advisories (8.x-dev 413d689)
Writing lock file
Generating autoload files
$ composer require drupal/core:8.8.3
    1/2:	http://repo.packagist.org/p/provider-latest$d5afd90b02bfbb6d8156c98fadffd5a4b6dcad75f12e2ae09a0f3dd542122f0b.json
    2/2:	http://repo.packagist.org/p/provider-2020-01$f68a8a70594e85cc5d3310b12ad04413d62ea226078a785ee9727918e5c444f2.json
    Finished: success: 2, skipped: 0, failure: 0, total: 2
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
    1/1:	https://codeload.github.com/drupal/core/legacy.zip/77971de6d6ade7366cdd3fadfc16c5d02e531446
    Finished: success: 1, skipped: 0, failure: 0, total: 1
Package operations: 57 installs, 0 updates, 0 removals
  - Installing pear/pear_exception (v1.0.1): Loading from cache
  - Installing pear/console_getopt (v1.4.3): Loading from cache
  - Installing pear/pear-core-minimal (v1.10.10): Loading from cache
  - Installing pear/archive_tar (1.4.9): Loading from cache
  - Installing psr/log (1.1.3): Loading from cache
  - Installing symfony/polyfill-ctype (v1.17.0): Loading from cache
  - Installing symfony/polyfill-mbstring (v1.17.0): Loading from cache
  - Installing symfony/polyfill-php72 (v1.17.0): Loading from cache
  - Installing symfony/polyfill-intl-idn (v1.17.0): Loading from cache
  - Installing symfony/debug (v4.4.8): Loading from cache
  - Installing psr/container (1.0.0): Loading from cache
  - Installing symfony/polyfill-util (v1.17.0): Loading from cache
  - Installing symfony/polyfill-php56 (v1.17.0): Loading from cache
  - Installing paragonie/random_compat (v9.99.99): Loading from cache
  - Installing symfony/polyfill-php70 (v1.17.0): Loading from cache
  - Installing symfony/http-foundation (v3.4.40): Loading from cache
  - Installing symfony/event-dispatcher (v3.4.40): Loading from cache
  - Installing symfony/http-kernel (v3.4.40): Loading from cache
  - Installing asm89/stack-cors (1.3.0): Loading from cache
  - Installing composer/semver (1.5.1): Loading from cache
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing zendframework/zend-diactoros (1.8.7): Loading from cache
  - Installing symfony/psr-http-message-bridge (v1.2.0): Loading from cache
  - Installing masterminds/html5 (2.7.0): Loading from cache
  - Installing doctrine/lexer (1.2.0): Loading from cache
  - Installing egulias/email-validator (2.1.17): Loading from cache
  - Installing stack/builder (v1.0.6): Loading from cache
  - Installing zendframework/zend-stdlib (3.2.1): Loading from cache
  - Installing zendframework/zend-escaper (2.6.1): Loading from cache
  - Installing zendframework/zend-feed (2.12.0): Loading from cache
  - Installing easyrdf/easyrdf (0.9.1): Loading from cache
  - Installing symfony/routing (v3.4.40): Loading from cache
  - Installing symfony-cmf/routing (1.4.1): Loading from cache
  - Installing ralouphie/getallheaders (3.0.3): Loading from cache
  - Installing guzzlehttp/psr7 (1.6.1): Loading from cache
  - Installing guzzlehttp/promises (v1.3.1): Loading from cache
  - Installing guzzlehttp/guzzle (6.5.3): Loading from cache
  - Installing doctrine/annotations (1.10.2): Loading from cache
  - Installing doctrine/reflection (1.2.1): Loading from cache
  - Installing doctrine/event-manager (1.1.0): Loading from cache
  - Installing doctrine/collections (1.6.4): Loading from cache
  - Installing doctrine/cache (1.10.0): Loading from cache
  - Installing doctrine/persistence (1.3.7): Loading from cache
  - Installing doctrine/inflector (1.4.1): Loading from cache
  - Installing doctrine/common (2.13.0): Loading from cache
  - Installing twig/twig (v1.42.5): Loading from cache
  - Installing typo3/phar-stream-wrapper (v3.1.4): Loading from cache
  - Installing symfony/yaml (v3.4.40): Loading from cache
  - Installing symfony/polyfill-iconv (v1.17.0): Loading from cache
  - Installing symfony/process (v3.4.40): Loading from cache
  - Installing symfony/translation (v3.4.40): Loading from cache
  - Installing symfony/validator (v3.4.40): Loading from cache
  - Installing symfony/serializer (v3.4.40): Loading from cache
  - Installing symfony/dependency-injection (v3.4.40): Loading from cache
  - Installing symfony/console (v3.4.40): Loading from cache
  - Installing symfony/class-loader (v3.4.40): Loading from cache
  - Installing drupal/core (8.8.3): Loading from cache
pear/archive_tar suggests installing ext-xz (Lzma2 compression support.)
paragonie/random_compat suggests installing ext-libsodium (Provides a modern crypto API that can be used to generate random bytes.)
symfony/http-kernel suggests installing symfony/browser-kit
symfony/http-kernel suggests installing symfony/config
symfony/http-kernel suggests installing symfony/finder
symfony/http-kernel suggests installing symfony/var-dumper
symfony/psr-http-message-bridge suggests installing nyholm/psr7 (For a super lightweight PSR-7/17 implementation)
zendframework/zend-feed suggests installing zendframework/zend-cache (Zend\Cache component, for optionally caching feeds between requests)
zendframework/zend-feed suggests installing zendframework/zend-db (Zend\Db component, for use with PubSubHubbub)
zendframework/zend-feed suggests installing zendframework/zend-http (Zend\Http for PubSubHubbub, and optionally for use with Zend\Feed\Reader)
zendframework/zend-feed suggests installing zendframework/zend-servicemanager (Zend\ServiceManager component, for easily extending ExtensionManager implementations)
zendframework/zend-feed suggests installing zendframework/zend-validator (Zend\Validator component, for validating email addresses used in Atom feeds and entries when using the Writer subcomponent)
easyrdf/easyrdf suggests installing ml/json-ld (~1.0)
symfony/routing suggests installing symfony/config (For using the all-in-one router or any loader)
symfony/routing suggests installing symfony/expression-language (For using expression matching)
guzzlehttp/psr7 suggests installing zendframework/zend-httphandlerrunner (Emit PSR-7 responses)
doctrine/cache suggests installing alcaeus/mongo-php-adapter (Required to use legacy MongoDB driver)
symfony/translation suggests installing symfony/config
symfony/validator suggests installing psr/cache-implementation (For using the metadata cache.)
symfony/validator suggests installing symfony/intl
symfony/validator suggests installing symfony/config
symfony/validator suggests installing symfony/property-access (For accessing properties within comparison constraints)
symfony/validator suggests installing symfony/expression-language (For using the Expression validator)
symfony/serializer suggests installing psr/cache-implementation (For using the metadata cache.)
symfony/serializer suggests installing symfony/property-info (To deserialize relations.)
symfony/serializer suggests installing symfony/config (For using the XML mapping loader.)
symfony/serializer suggests installing symfony/property-access (For using the ObjectNormalizer.)
symfony/dependency-injection suggests installing symfony/config
symfony/dependency-injection suggests installing symfony/finder (For using double-star glob patterns or when GLOB_BRACE portability is required)
symfony/dependency-injection suggests installing symfony/expression-language (For using expressions in service container configuration)
symfony/dependency-injection suggests installing symfony/proxy-manager-bridge (Generate service proxies to lazy load them)
symfony/console suggests installing symfony/lock
symfony/class-loader suggests installing symfony/polyfill-apcu (For using ApcClassLoader on HHVM)
Package zendframework/zend-diactoros is abandoned, you should avoid using it. Use laminas/laminas-diactoros instead.
Package zendframework/zend-stdlib is abandoned, you should avoid using it. Use laminas/laminas-stdlib instead.
Package zendframework/zend-escaper is abandoned, you should avoid using it. Use laminas/laminas-escaper instead.
Package zendframework/zend-feed is abandoned, you should avoid using it. Use laminas/laminas-feed instead.
Writing lock file
Generating autoload files
24 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

The conflict line in composer.lock currently is:

                "drupal/core": "<8.0.0-beta2,<8.0.4,<8.1.3,<8.1.7,<8.1.10,<8.2.3,<8.2.7,<8.2.8,<8.3.1,<8.3.4,<8.3.7,<8.3.9,<8.4.6,<8.4.7,<8.4.8,<8.5.1,<8.5.2,<8.5.3,<8.5.6,<8.5.8,<8.5.9,<8.5.11,<8.5.14,<8.5.15,<8.6.2,<8.6.6,<8.6.10,<8.6.13,<8.6.15,<8.6.16,<8.7.0-rc1,<8.7.1,<8.7.5,<8.7.11,<8.7.12,<8.7.14,<8.8.1,<8.8.4,<8.8.6",

It looks like the problem occurs as soon as there is a constraint that is less than the selected version.

  "conflict": {
    "drupal/core": "<8.8.3,<8.8.4,<8.8.6"
  },

Allows 8.8.3, while:

  "conflict": {
    "drupal/core": "<8.8.4,<8.8.6"
  },

does not.

Luckily drush pm:security does pick up the SA, so I imagine most Drupal users are not unknowingly running insecure versions.

I think the problem is the use of a straight AND in conflict, as noted in the composer docs. I get the correct behaviour with:

"drupal/core": "<8.7.14 || >=8.8.0 <8.8.6"

which allows 8.7.14 and 8.8.6, but nothing else.
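
The constraint semantics this comment is about, as an added example that is not part of the original issue or of the drupal-composer/drupal-security-advisories project: a small Python model of how Composer reads a conflict string (a comma or whitespace between terms is AND, `||` or `|` is OR, and a stable release sorts after any pre-release of the same number). It shows why the comma-joined list collapses to its tightest bound (`<8.0.0-beta2`) and how a per-branch `||` form blocks the right versions. The `conflict_from_fixed_versions` helper and its `supported_branches` argument are my own construction, not anything the advisories package provides; the model also skips one Composer nuance, namely that a bare lower bound such as `>=8.8` is expanded by Composer to `>=8.8.0.0-dev` and so also covers 8.8 pre-releases, which this model treats as below 8.8.0.

```python
"""Model of Composer conflict-constraint semantics (added example, not project code)."""
import re

_STABILITY = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:-?(dev|alpha|a|beta|b|rc)\.?(\d*))?", re.I)
_TERM_RE = re.compile(r"(<=|>=|<|>|!=|==|=)?\s*(.+)")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """'8.8.3' -> (8, 8, 3, 0, 4, 0); '8.0.0-beta2' -> (8, 0, 0, 0, 2, 2).
    Missing numeric parts are zero; the trailing pair orders pre-releases
    (dev < alpha < beta < rc) below the stable release of the same number."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    pre = (_STABILITY[m.group(2).lower()], int(m.group(3) or 0)) if m.group(2) else (4, 0)
    return tuple(nums[:4]) + pre


def _match(version_tuple, term):
    m = _TERM_RE.fullmatch(term)
    return _OPS[m.group(1) or "="](version_tuple, parse_version(m.group(2)))


def satisfies(version, constraint):
    """True if `version` matches `constraint`: alternatives are joined by '||'
    (or a single '|'); within one alternative, ',' or whitespace means AND."""
    v = parse_version(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        terms = [t for t in re.split(r"[\s,]+", alternative) if t]
        if terms and all(_match(v, t) for t in terms):
            return True
    return False


def is_blocked(version, conflict):
    """A conflict entry blocks exactly the versions that satisfy it."""
    return satisfies(version, conflict)


def conflict_from_fixed_versions(fixed_versions, supported_branches):
    """Hypothetical generator: build a conflict string from advisory fix releases.

    Everything below the newest fix on the oldest supported branch is blocked with
    no lower bound, which also covers every older (unsupported) branch; each later
    supported branch blocks only its own unfixed head, e.g. '>=8.8,<8.8.6'."""
    supported = {parse_version(b)[:2] for b in supported_branches}
    newest = {}
    for fix in fixed_versions:
        branch = parse_version(fix)[:2]
        if branch in supported and (
            branch not in newest or parse_version(fix) > parse_version(newest[branch])
        ):
            newest[branch] = fix
    parts = []
    for i, (branch, fix) in enumerate(sorted(newest.items())):
        parts.append(f"<{fix}" if i == 0 else f">={branch[0]}.{branch[1]},<{fix}")
    return " || ".join(parts)


# The conflict line quoted in this issue, and the fix releases it lists.
DRUPAL_8_CONFLICT = (
    "<8.0.0-beta2,<8.0.4,<8.1.3,<8.1.7,<8.1.10,<8.2.3,<8.2.7,<8.2.8,<8.3.1,<8.3.4,"
    "<8.3.7,<8.3.9,<8.4.6,<8.4.7,<8.4.8,<8.5.1,<8.5.2,<8.5.3,<8.5.6,<8.5.8,<8.5.9,"
    "<8.5.11,<8.5.14,<8.5.15,<8.6.2,<8.6.6,<8.6.10,<8.6.13,<8.6.15,<8.6.16,"
    "<8.7.0-rc1,<8.7.1,<8.7.5,<8.7.11,<8.7.12,<8.7.14,<8.8.1,<8.8.4,<8.8.6"
)
DRUPAL_8_FIXES = [t.lstrip("<") for t in DRUPAL_8_CONFLICT.split(",")]

if __name__ == "__main__":
    for v in ("8.0.0-beta1", "8.0.0-beta2", "8.8.3", "8.8.5"):
        print(f"{v:12} blocked by comma list: {is_blocked(v, DRUPAL_8_CONFLICT)}")
    branchwise = conflict_from_fixed_versions(DRUPAL_8_FIXES, ["8.7", "8.8"])
    print("per-branch conflict:", branchwise)
    for v in ("8.7.13", "8.7.14", "8.8.0", "8.8.3", "8.8.6"):
        print(f"{v:12} blocked by per-branch form: {is_blocked(v, branchwise)}")
```

Against a real project, `composer why-not drupal/core 8.8.3` (the alias of `composer prohibits`) reports which installed package, if any, carries a conflict that rules out that version; if the advisories package does not appear in its output, the constraint is not doing its job.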

@vstanchev

I'm experiencing the same issue with Drupal core 8.8.5. I only got a conflict when I installed https://github.com/Roave/SecurityAdvisories where the rule is

"drupal/core": ">=7,<7.70|>=8,<8.7.14|>=8.8,<8.8.6",

@gapple

gapple commented Jun 9, 2020

I think this is because drush pm:security is using the v2 branch (see #11)

There's one open PR fixing a bug for 7.x core restraints on the v2 branch (#19), but otherwise I'm not sure what's holding up merging v2 to the main branch?
