Closed
Description
Drupal 8.6.2
Drush 9.5.2
Looking at https://github.com/drupal-composer/drupal-security-advisories/blob/8.x/composer.json, here are three modules with insecure versions:
"conflict": {
"drupal/acquia_contenthub": "<1.0,<1.4",
...
"drupal/ds": "<2.7,<3.0",
...
"drupal/jsonapi": "<1.9,<1.10,<1.14,<1.16,<1.24,<2.0-rc4",
This package prevents installing insecure versions of the first two, but not of drupal/jsonapi.
Demo
Install
$ composer require drupal-composer/drupal-security-advisories:8.x-dev
1/1: https://packages.drupal.org/8/drupal/provider-2018-4$a61ccb51d6803b735c3d76aa432c311ddd71f8204fc00e31195c4b3850d40dcd.json
Finished: success: 1, skipped: 0, failure: 0, total: 1
1/6: http://repo.packagist.org/p/provider-latest$8b008b9e1c52779ab8fd94ac6d1ddfedd0d7bbbdb9860b529b05e6262a27048b.json
2/6: http://repo.packagist.org/p/provider-2018$f41ad57c1f6d56528ce5748c9ff4be7be718496868ec77f2288af0e4b651e17d.json
3/6: http://repo.packagist.org/p/provider-2018-04$deafa8326236cb16301be545ff204760e8b30bd2ab7395d0416e7015874a8913.json
4/6: http://repo.packagist.org/p/provider-2018-07$0e729e9dbdd73b16ab3cd794a225dd4d9071d950483181fdeaa4a55a4f148047.json
5/6: http://repo.packagist.org/p/provider-2018-10$bec2a0a105145564e32fc6ef746ebd540433d6a660f549297d3ea999e3876be3.json
6/6: http://repo.packagist.org/p/provider-2017$309d183dd2c45d429711f53067ad0e2a386b934dd2126c25f6c51e777a30ff07.json
Finished: success: 6, skipped: 0, failure: 0, total: 6
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 0 updates, 1 removal
- Removing drupal/jsonapi (1.23.0)
Deleting docroot/modules/contrib/jsonapi - deleted
Generating autoload files
Correctly prevents insecure install
$ composer require 'drupal/acquia_contenthub:1.3'
1/2: https://packages.drupal.org/8/drupal/provider-2018-4$00245c276cfe524b6b0aa708fb68200ede3b74ea02c63eb4007f90c54b513736.json
2/2: https://packages.drupal.org/8/drupal/provider-2019-1$f15d2f9a3bd815dfad083d90557803aa1a46ab9e72deadf1e9fe713a7f61c37c.json
Finished: success: 2, skipped: 0, failure: 0, total: 2
1/7: http://repo.packagist.org/p/provider-latest$e802437252ac204e63320fb692aa0049f191adfe826b975c1663d2daf5e2ef3c.json
2/7: http://repo.packagist.org/p/provider-2018-04$deafa8326236cb16301be545ff204760e8b30bd2ab7395d0416e7015874a8913.json
3/7: http://repo.packagist.org/p/provider-2018$52b471ed75985c54e4108088a3cf35236da2765d60bf2d6b224bdf425f1abc71.json
4/7: http://repo.packagist.org/p/provider-2018-07$e26e5dad35649ca5fabeab9f9454e60164017d81b0911522b7335bc0a23249a1.json
5/7: http://repo.packagist.org/p/provider-2018-10$b0feb1d58346c505da5ae7cda4d50b6a819399866503b8cfa921787b3c6addd2.json
6/7: http://repo.packagist.org/p/provider-2017$309d183dd2c45d429711f53067ad0e2a386b934dd2126c25f6c51e777a30ff07.json
7/7: http://repo.packagist.org/p/provider-2016$3ebaeca74c4c7ef4af1a514ff3eb3354e8ecec97331eec58b40a9e7adac03202.json
Finished: success: 7, skipped: 0, failure: 0, total: 7
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.
Problem 1
- drupal/acquia_contenthub 1.3.0 requires acquia/content-hub-php dev-master -> no matching package found.
- drupal/acquia_contenthub 1.3.0 requires acquia/content-hub-php dev-master -> no matching package found.
- Installation request for drupal/acquia_contenthub 1.3 -> satisfiable by drupal/acquia_contenthub[1.3.0].
Potential causes:
- A typo in the package name
- The package is not available in a stable-enough version according to your minimum-stability setting
see <https://getcomposer.org/doc/04-schema.md#minimum-stability> for more details.
- It's a private package and you forgot to add a custom repository to find it
Read <https://getcomposer.org/doc/articles/troubleshooting.md> for further common problems.
Installation failed, reverting ./composer.json to its original content.
Correctly prevents insecure install
$ composer require 'drupal/ds:2.6'
1/1: https://packages.drupal.org/8/drupal/provider-2019-1$3f231306589fb84ccba9b3b5a171827af1a84bc46487147582bd49afeb7b6e0b.json
Finished: success: 1, skipped: 0, failure: 0, total: 1
1/5: http://repo.packagist.org/p/provider-latest$4540a197e56286f08d8f79c96097640279d1f706d3096730a45787cb7b2a6d21.json
2/5: http://repo.packagist.org/p/provider-2018-04$b4158682ed5588732bab4286ac3bb91a40dd7131367c4c2d0d6a882ce97a1162.json
3/5: http://repo.packagist.org/p/provider-2018$eb2ececaf43cfba88cd840307ef1b0aa8e3851840fe22ec79ebbd730b0f9fc2e.json
4/5: http://repo.packagist.org/p/provider-2018-07$2c2d1aa78b29509d891d23fce313833bb64919b296e15435b7e4091d1a42c26d.json
5/5: http://repo.packagist.org/p/provider-2018-10$c0eb49eb0ede88abe51609a1a94d0f3234ce2756f2cce475c001f9d41f96cb8c.json
Finished: success: 5, skipped: 0, failure: 0, total: 5
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.
Problem 1
- Conclusion: remove drupal-composer/drupal-security-advisories 8.x-dev
- Conclusion: don't install drupal-composer/drupal-security-advisories 8.x-dev
- drupal/ds 2.6.0 conflicts with drupal-composer/drupal-security-advisories[8.x-dev].
- drupal/ds 2.6.0 conflicts with drupal-composer/drupal-security-advisories[8.x-dev].
- Installation request for drupal-composer/drupal-security-advisories 8.x-dev -> satisfiable by drupal-composer/drupal-security-advisories[8.x-dev].
- Installation request for drupal/ds 2.6 -> satisfiable by drupal/ds[2.6.0].
Installation failed, reverting ./composer.json to its original content.
Incorrectly allows insecure install
$ composer require 'drupal/jsonapi:1.23'
1/2: http://repo.packagist.org/p/provider-latest$5345b6f665a312ce19872c121c8e6ba8220625eb1483c5b22b03d7b600176d41.json
2/2: http://repo.packagist.org/p/provider-2018-10$16e4d3f11a5e9d600ba46d9031273c1a806d137094f6a3afa6c26de793d99092.json
Finished: success: 2, skipped: 0, failure: 0, total: 2
./composer.json has been updated
1/2: http://repo.packagist.org/p/provider-latest$5345b6f665a312ce19872c121c8e6ba8220625eb1483c5b22b03d7b600176d41.json
2/2: http://repo.packagist.org/p/provider-2018-10$16e4d3f11a5e9d600ba46d9031273c1a806d137094f6a3afa6c26de793d99092.json
Finished: success: 2, skipped: 0, failure: 0, total: 2
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
- Installing drupal/jsonapi (1.23.0): Loading from cache
Writing lock file
Generating autoload files
Incorrectly allows insecure install
$ composer require 'drupal/jsonapi:1.20'
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 1 update, 0 removals
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
- Downgrading drupal/jsonapi (1.23.0 => 1.20.0): Loading from cache
Writing lock file
Generating autoload files
Am I missing something, or is this a bug?
Thank you!
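The difference between the ds result and the jsonapi result in the transcript above comes down to how Composer combines constraint terms: a comma (or whitespace) is a logical AND and `||` is a logical OR, so a conflict entry such as `<1.9,<1.10,<1.14,<1.16,<1.24,<2.0-rc4` is satisfied only by versions below every bound at once, which collapses to `<1.9`. The `<2.7,<3.0` entry collapses the same way to `<2.7`, which is why 2.6 was still refused, and `<1.0,<1.4` collapses to `<1.0` (the acquia_contenthub attempt in the transcript fails on a missing `acquia/content-hub-php dev-master` dependency, not on the conflict entry). The Python script below is an added example, not code from the issue or from the drupal-security-advisories project. It implements just enough of Composer's constraint grammar (comparison operators, AND via comma, OR via `||`) to evaluate the three quoted entries against the versions tried above, and it includes `JSONAPI_OR_JOINED`, a hypothetical OR-joined rewrite of the jsonapi entry that reflects my reading of the intended ranges, not any fix the project shipped.

```python
"""Minimal evaluator for the subset of Composer constraint syntax used in the
"conflict" entries quoted above. Added example, not project code. Supported:
comparison operators (<, <=, >, >=, ==, !=, bare exact version), AND via ','
or whitespace, OR via '||' (Composer also accepts a single '|'). Not
supported: caret (^), tilde (~) and wildcard (*) constraints."""
import re

# Composer orders pre-release suffixes dev < alpha < beta < RC < stable.
STABILITY = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
STABLE = 4

_VERSION_RE = re.compile(
    r"^v?(\d+(?:\.\d+){0,3})(?:[-._]?(dev|alpha|a|beta|b|rc)\.?(\d*))?$",
    re.IGNORECASE,
)
_SIMPLE_RE = re.compile(r"^(<=|>=|!=|==|<|>|=)?(\S+)$")
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "!=": lambda a, b: a != b,
    "==": lambda a, b: a == b,
    "=": lambda a, b: a == b,
}


def normalize(version):
    """Return a sortable key: (4 numeric parts, stability rank, pre-release number).
    Like Composer, '2.0' is padded to 2.0.0.0 and outranks '2.0-rc4'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % version)
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    if m.group(2):
        return tuple(parts), STABILITY[m.group(2).lower()], int(m.group(3) or 0)
    return tuple(parts), STABLE, 0


def _match_simple(term, key):
    """Evaluate one operator+version term against an already normalized key."""
    m = _SIMPLE_RE.match(term)
    if not m:
        raise ValueError("unsupported constraint term: %r" % term)
    return _OPS[m.group(1) or "=="](key, normalize(m.group(2)))


def matches(constraint, version):
    """True if version satisfies constraint. '||' branches are OR-ed; within a
    branch, terms separated by ',' or whitespace are AND-ed."""
    key = normalize(version)
    for branch in re.split(r"\s*\|\|?\s*", constraint.strip()):
        terms = [t for t in re.split(r"\s*,\s*|\s+", branch) if t]
        if terms and all(_match_simple(t, key) for t in terms):
            return True
    return False


def blocked_by(conflicts, package, version):
    """Emulate a root 'conflict' map: the version cannot be installed if it
    matches the constraint recorded for its package."""
    constraint = conflicts.get(package)
    return constraint is not None and matches(constraint, version)


def effective_upper_bound(constraint):
    """For a pure AND chain of '<' terms, the lowest bound decides everything."""
    terms = [t.strip() for t in constraint.split(",")]
    if not all(t.startswith("<") and not t.startswith("<=") for t in terms):
        raise ValueError("only a comma-joined chain of '<' terms is supported")
    return min(terms, key=lambda t: normalize(t[1:]))


# The three "conflict" entries quoted in the issue.
ADVISORY_CONFLICT = {
    "drupal/acquia_contenthub": "<1.0,<1.4",
    "drupal/ds": "<2.7,<3.0",
    "drupal/jsonapi": "<1.9,<1.10,<1.14,<1.16,<1.24,<2.0-rc4",
}

# Hypothetical OR-joined rewrite of the jsonapi entry (my reading of the intended
# ranges, not the project's fix). '>=2.0' would NOT cover 2.0 pre-releases, since
# 2.0.0-RC4 sorts below 2.0.0, so the 2.x branch starts at the first alpha.
JSONAPI_OR_JOINED = "<1.24|>=2.0-alpha1,<2.0-rc4"

if __name__ == "__main__":
    for pkg, ver in [("drupal/acquia_contenthub", "1.3"), ("drupal/ds", "2.6"),
                     ("drupal/jsonapi", "1.23"), ("drupal/jsonapi", "1.20")]:
        entry = ADVISORY_CONFLICT[pkg]
        print("%-26s %-6s conflict %-45s -> blocked: %s (effective bound %s)"
              % (pkg, ver, entry, blocked_by(ADVISORY_CONFLICT, pkg, ver),
                 effective_upper_bound(entry)))
    for ver in ["1.23.0", "1.24.0", "2.0.0-beta1", "2.0.0-rc4", "2.0.0"]:
        print("OR-joined %s matches %s: %s" % (JSONAPI_OR_JOINED, ver,
                                               matches(JSONAPI_OR_JOINED, ver)))
```

Running the script prints, for each version tried in the transcript, whether the quoted conflict entry would refuse it and which single bound actually decides the outcome; only `drupal/ds 2.6` comes back as blocked, matching the behaviour observed above.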