Documented dry run command does not check locked dependencies · Issue #66 · Roave/SecurityAdvisories · GitHub
Closed
pixelbrackets opened this issue Jul 28, 2020 · 8 comments
pixelbrackets commented Jul 28, 2020

The README states that the following command is sufficient to manually trigger a security version check (see #59).

composer update --dry-run roave/security-advisories

This does not seem to work however.

I made an example repository (https://github.com/pixelbrackets/SecurityAdvisoriesTest/) with the TYPO3 CMS locked to version 10.4.5. The skeleton project has the core package »typo3/cms-core« as a dependency, and I added »roave/security-advisories« as a dependency as well.

composer show typo3/cms-core
name     : typo3/cms-core
descrip. : The core library of TYPO3.
keywords : 
versions : * v10.4.5
composer show roave/security-advisories
name     : roave/security-advisories
descrip. : Prevents installation of composer packages with known security vulnerabilities: no API, simply require it
keywords : 
versions : * dev-master

A new TYPO3 version 10.4.6, containing security fixes, was released today: https://packagist.org/packages/typo3/cms-core#v10.4.6

The version constraint is already merged into »roave/security-advisories«: https://github.com/Roave/SecurityAdvisories/blob/master/composer.json#L216

The given command should now return some kind of information that 10.4.5 is not valid anymore. This is not the case, however.

I use Composer version 1.10.9.

Ocramius commented Jul 28, 2020

Writing down reproducer so far (trying with composer v2, since that's what I got installed on my system at the moment):

mkdir /tmp/issue-66-example
cd /tmp/issue-66-example
echo "{}" > composer.json
composer require typo3/cms-core:10.4.5
composer require --dev roave/security-advisories:dev-master

Leads to:

./composer.json has been updated
Running composer update roave/security-advisories
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - typo3/cms-core is locked to version v10.4.5 and an update of this package was not requested.
    - typo3/cms-core v10.4.5 conflicts with roave/security-advisories dev-master.
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

Use the option --with-all-dependencies to allow upgrades, downgrades and removals for packages currently locked to specific versions.

You are using a snapshot build of Composer 2, which may be the cause of the problem. Run `composer self-update --stable` and then try again. In case it solves the problem, please report an issue mentioning Composer 2.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.

I then tried to add roave/security-advisories:dev-master manually by editing composer.json (note: I relaxed the typo3/cms-core dependency on purpose):

{
    "require": {
        "typo3/cms-core": "^10.4.5"
    },
    "require-dev": {
        "roave/security-advisories": "dev-master"
    }
}

Then:

composer update --dry-run roave/security-advisories

Leads to

Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - typo3/cms-core is locked to version v10.4.5 and an update of this package was not requested.
    - typo3/cms-core v10.4.5 conflicts with roave/security-advisories dev-master.
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

Use the option --with-all-dependencies to allow upgrades, downgrades and removals for packages currently locked to specific versions.

You are using a snapshot build of Composer 2, which may be the cause of the problem. Run `composer self-update --stable` and then try again. In case it solves the problem, please report an issue mentioning Composer 2.

@Ocramius

The given command should now return some kind of information that 10.4.5 is not valid anymore. This is not the case, however.

I suggest:

  1. checking composer caching (possibly hitting stale cache)
  2. checking if the typo3/cms-core version in your composer.lock isn't already 10.4.6

pixelbrackets commented Jul 28, 2020

Hey, thanks for the super fast response.

I cannot reproduce the error when I create a new repository with new dependencies. Since all dependencies are up to date on Packagist already, the installation will fail just as expected.

The situation described is: I created the repository 15 days ago and added all dependencies which were valid back then (see example commits in https://github.com/pixelbrackets/SecurityAdvisoriesTest/, TYPO3 was installed using composer create-project "typo3/cms-base-distribution:^10.4" . however). Running the example command was okay 15 days ago. Then today we have new version constraints. Running the example command should now return an error.

The composer.lock file still has 10.4.5, see https://github.com/pixelbrackets/SecurityAdvisoriesTest/blob/master/composer.lock#L3948.

I'll check for caches now.

@Ocramius

@pixelbrackets so if I check out pixelbrackets/SecurityAdvisoriesTest I should be able to reproduce the problem?

pixelbrackets commented Jul 28, 2020

@Ocramius Yes

@Ocramius

Just tried your repo:

cd /tmp
git clone git@github.com:pixelbrackets/SecurityAdvisoriesTest.git
cd SecurityAdvisoriesTest/
composer update --dry-run roave/security-advisories

Produces:

Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - typo3/cms-core is locked to version v10.4.5 and an update of this package was not requested.
    - typo3/cms-core v10.4.5 conflicts with roave/security-advisories dev-master.
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

Use the option --with-all-dependencies to allow upgrades, downgrades and removals for packages currently locked to specific versions.

You are using a snapshot build of Composer 2, which may be the cause of the problem. Run `composer self-update --stable` and then try again. In case it solves the problem, please report an issue mentioning Composer 2.

Tried with composer/composer:^1:

composer self-update --1
Upgrading to version 1.10.9 (1 channel).
   
Use composer self-update --rollback to return to version 2.0.0-alpha2

Then:

composer update --dry-run roave/security-advisories

Does not work as expected, as it installs everything:

Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 88 installs, 0 updates, 0 removals
  - Installing typo3/cms-composer-installers (v3.0.1)
  - Installing typo3/class-alias-loader (v1.1.3)
  - Installing helhum/config-loader (v0.12.2)
  - Installing symfony/polyfill-php80 (v1.17.1)
  - Installing symfony/process (v4.4.10)
  - Installing psr/container (1.0.0)
  - Installing symfony/service-contracts (v1.1.9)
  - Installing psr/cache (1.0.1)
  - Installing symfony/polyfill-php73 (v1.17.1)
  - Installing symfony/polyfill-mbstring (v1.17.1)
  - Installing symfony/polyfill-ctype (v1.17.1)
  - Installing symfony/console (v4.4.10)
  - Installing doctrine/lexer (1.2.1)
  - Installing doctrine/annotations (1.10.3)
  - Installing typo3fluid/fluid (2.6.9)
  - Installing typo3/phar-stream-wrapper (v3.1.5)
  - Installing typo3/cms-cli (2.0.0)
  - Installing symfony/yaml (v4.4.10)
  - Installing symfony/routing (v4.4.10)
  - Installing symfony/polyfill-php72 (v1.17.0)
  - Installing symfony/polyfill-intl-idn (v1.17.1)
  - Installing symfony/polyfill-intl-icu (v1.17.1)
  - Installing symfony/intl (v4.4.10)
  - Installing symfony/mime (v4.4.10)
  - Installing symfony/event-dispatcher-contracts (v1.1.9)
  - Installing symfony/event-dispatcher (v4.4.10)
  - Installing psr/log (1.1.3)
  - Installing egulias/email-validator (2.1.18)
  - Installing psr/event-dispatcher (1.0.0)
  - Installing symfony/mailer (v4.4.10)
  - Installing symfony/http-foundation (v4.4.10)
  - Installing symfony/finder (v4.4.10)
  - Installing symfony/var-exporter (v4.4.10)
  - Installing symfony/cache-contracts (v1.1.9)
  - Installing symfony/cache (v4.4.10)
  - Installing symfony/expression-language (v4.4.10)
  - Installing symfony/dependency-injection (v4.4.10)
  - Installing symfony/filesystem (v4.4.10)
  - Installing symfony/config (v4.4.10)
  - Installing psr/http-message (1.0.1)
  - Installing psr/http-server-handler (1.0.1)
  - Installing psr/http-server-middleware (1.0.1)
  - Installing psr/http-factory (1.0.1)
  - Installing psr/http-client (1.0.1)
  - Installing nikic/php-parser (v4.6.0)
  - Installing ralouphie/getallheaders (3.0.3)
  - Installing guzzlehttp/psr7 (1.6.1)
  - Installing guzzlehttp/promises (v1.3.1)
  - Installing guzzlehttp/guzzle (6.5.5)
  - Installing doctrine/instantiator (1.3.1)
  - Installing doctrine/event-manager (1.1.0)
  - Installing doctrine/cache (1.10.2)
  - Installing doctrine/dbal (2.10.2)
  - Installing cogpowered/finediff (0.3.1)
  - Installing typo3/cms-core (v10.4.5)
  - Installing symfony/inflector (v4.4.10)
  - Installing symfony/property-info (v4.4.10)
  - Installing symfony/property-access (v4.4.10)
  - Installing phpdocumentor/reflection-common (2.2.0)
  - Installing phpdocumentor/type-resolver (1.3.0)
  - Installing webmozart/assert (1.9.1)
  - Installing phpdocumentor/reflection-docblock (5.1.0)
  - Installing typo3/cms-extbase (v10.4.5)
  - Installing typo3/cms-fluid (v10.4.5)
  - Installing typo3/cms-install (v10.4.5)
  - Installing typo3/cms-frontend (v10.4.5)
  - Installing typo3/cms-extensionmanager (v10.4.5)
  - Installing typo3/cms-recordlist (v10.4.5)
  - Installing typo3/cms-backend (v10.4.5)
  - Installing helhum/typo3-console (v6.3.2)
  - Installing typo3/cms-about (v10.4.5)
  - Installing typo3/cms-belog (v10.4.5)
  - Installing typo3/cms-beuser (v10.4.5)
  - Installing roave/security-advisories (dev-master 881b9e4)
  - Installing typo3/cms-dashboard (v10.4.5)
  - Installing typo3/cms-felogin (v10.4.5)
  - Installing typo3/cms-filelist (v10.4.5)
  - Installing typo3/cms-fluid-styled-content (v10.4.5)
  - Installing typo3/cms-form (v10.4.5)
  - Installing typo3/cms-impexp (v10.4.5)
  - Installing typo3/cms-info (v10.4.5)
  - Installing typo3/cms-rte-ckeditor (v10.4.5)
  - Installing typo3/cms-seo (v10.4.5)
  - Installing typo3/cms-setup (v10.4.5)
  - Installing typo3/cms-sys-note (v10.4.5)
  - Installing typo3/cms-t3editor (v10.4.5)
  - Installing typo3/cms-tstemplate (v10.4.5)
  - Installing typo3/cms-viewpage (v10.4.5)
helhum/config-loader suggests installing ext-yaml (For improved performance when parsing yaml files you should use the PECL YAML Parser php extension)
symfony/console suggests installing symfony/lock
symfony/event-dispatcher suggests installing symfony/http-kernel
symfony/dependency-injection suggests installing symfony/proxy-manager-bridge (Generate service proxies to lazy load them)
guzzlehttp/psr7 suggests installing zendframework/zend-httphandlerrunner (Emit PSR-7 responses)
doctrine/cache suggests installing alcaeus/mongo-php-adapter (Required to use legacy MongoDB driver)
symfony/property-info suggests installing symfony/doctrine-bridge (To use Doctrine metadata)
symfony/property-info suggests installing symfony/serializer (To use Serializer metadata)
typo3/cms-extbase suggests installing typo3/cms-scheduler (Additional scheduler tasks)
typo3/cms-frontend suggests installing typo3/cms-adminpanel (Provides additional information and functionality for backend users in the frontend.)
35 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

I think you may have found a bug in the SAT solver in composer/composer:^1.

pixelbrackets commented Jul 28, 2020

Oh, thanks for the test with different Composer versions. I can confirm this behaviour: Composer version 1 does not work as expected, version 2 works as expected. I will open an issue on Composer and reference this issue.

Edit: Issue composer/composer#9082

@Ocramius

Thanks! I'll close it here meanwhile.

Should adjustments to README.md be needed (including a suggestion to use composer/composer:^2), please open a new PR or issue.
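As an added example (not code from this issue or from the Roave project), a POSIX shell gate that applies the thread's conclusion: it refuses to trust the dry-run result from Composer 1 and fails when Composer 2 reports that a locked package conflicts with roave/security-advisories. The version string and dry-run output fed to it are constructed samples modelled on the output quoted above.

```shell
#!/bin/sh
# Added example, not code from the issue or the Roave project: a CI gate around
# the documented dry-run check. Composer 1 "installed" the locked typo3/cms-core
# v10.4.5 next to roave/security-advisories; Composer 2 reported a conflict.

# Major version from `composer --version` output
# ("Composer version 1.10.9 2020-07-24 12:57:00" -> 1).
composer_major_version() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([0-9][0-9]*\)\..*/\1/p'
}

# Pull "<package> <version> conflicts with roave/security-advisories" lines out
# of dry-run output and print them as package@version, one per line.
security_conflicts() {
    printf '%s\n' "$1" |
        sed -n 's/^ *- \([^ ]*\) \([^ ]*\) conflicts with roave\/security-advisories.*/\1@\2/p'
}

# Exit status: 0 clean, 1 locked package hit by an advisory, 2 untrusted Composer.
# $1 = output of `composer --version`
# $2 = output of `composer update --dry-run roave/security-advisories`
check_advisories() {
    major=$(composer_major_version "$1")
    if [ -z "$major" ] || [ "$major" -lt 2 ]; then
        echo "refusing to trust dry-run result from Composer ${major:-?}; need ^2" >&2
        return 2
    fi
    conflicts=$(security_conflicts "$2")
    if [ -n "$conflicts" ]; then
        printf 'locked packages with known advisories:\n%s\n' "$conflicts" >&2
        return 1
    fi
    return 0
}

# Constructed sample, modelled on the Composer 2 output quoted in this issue.
SAMPLE_VERSION='Composer version 2.0.0-alpha2 2020-06-24 21:03:21'
SAMPLE_DRYRUN='Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - typo3/cms-core is locked to version v10.4.5 and an update of this package was not requested.
    - typo3/cms-core v10.4.5 conflicts with roave/security-advisories dev-master.
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].'

if check_advisories "$SAMPLE_VERSION" "$SAMPLE_DRYRUN"; then
    echo "no locked package is affected by a known advisory"
else
    echo "check failed with status $?"
fi
```

In a pipeline the two arguments come from `composer --version` and the dry-run command itself; a status of 2 means the run is inconclusive rather than clean.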

pixelbrackets added a commit to pixelbrackets/SecurityAdvisories that referenced this issue Aug 13, 2021
Split installation and usage description.

Extend description how the package works and when it works.

Explain need for Composer 2 in manual version checks (see Roave#66)

Refs Roave#66