Unrelated `conflict` changes (`typo3/cms-*` vs. `mediawiki/semantic-media-wiki`) #127

ohader · 2024-02-08T08:40:00Z

Description

The package typo3/cms-saltedpasswords <0.2.13 suddenly is marked as insecure and blocks the installation the typo3/cms-core package (due to having a replaces declaration for typo3/cms-saltedpasswords: * in typo3/cms-core).

Observation

A bunch of changes were committed recently to roave/security-advisories - where the conflict declaration does not match with the actual original commit in sensiolabs/security-advisories, for instance:

5801157
changes conflict for typo3/cms-saltedpasswords, original commit is about mediawiki/semantic-media-wiki (FriendsOfPHP/security-advisories@baf9dd7)
b5487e1
changes conflict for typo3/cms-frontend, typo3/cms-backend and typo3/cms-install, original commit is about mediawiki/semantic-media-wiki (FriendsOfPHP/security-advisories@baf9dd7)
1692fcb
changes conflict for typo3/cms-frontend, original commit is about mediawiki/semantic-media-wiki (FriendsOfPHP/security-advisories@baf9dd7)

CLI commands used to reproduce the behavior

composer req --dev roave/security-advisories:dev-latest

./composer.json has been created
Running composer update roave/security-advisories
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
  - Locking roave/security-advisories (dev-latest b5487e1)
[...]

composer req typo3/cms-core:^12.4

./composer.json has been updated
Running composer update typo3/cms-core
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.7.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.6.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.5.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.3.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.2.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.1.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.0.
    - roave/security-advisories dev-latest conflicts with typo3/cms-saltedpasswords <0.2.13 (typo3/cms-core v12.4.10 replaces typo3/cms-saltedpasswords *).
    - roave/security-advisories dev-latest conflicts with typo3/cms-saltedpasswords <0.2.13 (typo3/cms-core v12.4.9 replaces typo3/cms-saltedpasswords *).
    - roave/security-advisories dev-latest conflicts with typo3/cms-saltedpasswords <0.2.13 (typo3/cms-core v12.4.8 replaces typo3/cms-saltedpasswords *).
    - roave/security-advisories is locked to version dev-latest and an update of this package was not requested.
    - Root composer.json requires typo3/cms-core ^12.4 -> satisfiable by typo3/cms-core[v12.4.0, ..., v12.4.10].

The text was updated successfully, but these errors were encountered:

Ocramius · 2024-02-08T09:11:37Z

See:

Issues/451 Add advisory information to a commit messages SecurityAdvisoriesBuilder#459
Include advisory source in new security advisory commits SecurityAdvisoriesBuilder#451

This repo only tracks the advisories: check https://github.com/advisories for the latest updates.

Ocramius · 2024-02-08T09:14:00Z

typo3/cms-core should not replace with a deathstar range there: self.version or something more precise should be used to avoid affected version ranges.

ohader · 2024-02-09T11:24:53Z

For the records: A recent change at GitHub "hallucinated" a Composer package, which caused this behavior (side-note: the original advisory was from 2010, Composer was established in 2012 - two years later).
→ GitHub advisory change: github/advisory-database@b403b05

The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: Roave/SecurityAdvisories#127 (comment) [1] https://getcomposer.org/doc/04-schema.md#replace [2] GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82841 Tested-by: core-ci <[email protected]> Tested-by: Benjamin Franzke <[email protected]> Reviewed-by: Benjamin Franzke <[email protected]>

The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: Roave/SecurityAdvisories#127 (comment) [1] https://getcomposer.org/doc/04-schema.md#replace [2] GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863 Tested-by: Oliver Klee <[email protected]> Tested-by: Oliver Hader <[email protected]> Tested-by: core-ci <[email protected]> Tested-by: Benjamin Franzke <[email protected]> Reviewed-by: Oliver Klee <[email protected]> Reviewed-by: Oliver Hader <[email protected]> Reviewed-by: Benjamin Franzke <[email protected]>

The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: Roave/SecurityAdvisories#127 (comment) [1] https://getcomposer.org/doc/04-schema.md#replace [2] GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82874 Tested-by: core-ci <[email protected]> Tested-by: Benjamin Franzke <[email protected]> Reviewed-by: Benjamin Franzke <[email protected]>

The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: Roave/SecurityAdvisories#127 (comment) [1] https://getcomposer.org/doc/04-schema.md#replace [2] GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82873 Tested-by: core-ci <[email protected]> Tested-by: Benjamin Franzke <[email protected]> Reviewed-by: Benjamin Franzke <[email protected]>

The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: Roave/SecurityAdvisories#127 (comment) [1] https://getcomposer.org/doc/04-schema.md#replace [2] GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82841 Tested-by: core-ci <[email protected]> Tested-by: Benjamin Franzke <[email protected]> Reviewed-by: Benjamin Franzke <[email protected]>

The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: Roave/SecurityAdvisories#127 (comment) [1] https://getcomposer.org/doc/04-schema.md#replace [2] GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863 Tested-by: Oliver Klee <[email protected]> Tested-by: Oliver Hader <[email protected]> Tested-by: core-ci <[email protected]> Tested-by: Benjamin Franzke <[email protected]> Reviewed-by: Oliver Klee <[email protected]> Reviewed-by: Oliver Hader <[email protected]> Reviewed-by: Benjamin Franzke <[email protected]>

The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: Roave/SecurityAdvisories#127 (comment) [1] https://getcomposer.org/doc/04-schema.md#replace [2] GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82874 Tested-by: core-ci <[email protected]> Tested-by: Benjamin Franzke <[email protected]> Reviewed-by: Benjamin Franzke <[email protected]>

The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: Roave/SecurityAdvisories#127 (comment) [1] https://getcomposer.org/doc/04-schema.md#replace [2] GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82873 Tested-by: core-ci <[email protected]> Tested-by: Benjamin Franzke <[email protected]> Reviewed-by: Benjamin Franzke <[email protected]>

Ocramius closed this as completed Feb 8, 2024

Ocramius added the question label Feb 8, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unrelated `conflict` changes (`typo3/cms-*` vs. `mediawiki/semantic-media-wiki`) #127

Unrelated `conflict` changes (`typo3/cms-*` vs. `mediawiki/semantic-media-wiki`) #127

ohader commented Feb 8, 2024 •

edited

Loading

Ocramius commented Feb 8, 2024

Ocramius commented Feb 8, 2024

ohader commented Feb 9, 2024

Unrelated conflict changes (typo3/cms-* vs. mediawiki/semantic-media-wiki) #127

Unrelated conflict changes (typo3/cms-* vs. mediawiki/semantic-media-wiki) #127

Comments

ohader commented Feb 8, 2024 • edited Loading

Description

Observation

CLI commands used to reproduce the behavior

Ocramius commented Feb 8, 2024

Ocramius commented Feb 8, 2024

ohader commented Feb 9, 2024

Unrelated `conflict` changes (`typo3/cms-*` vs. `mediawiki/semantic-media-wiki`) #127

Unrelated `conflict` changes (`typo3/cms-*` vs. `mediawiki/semantic-media-wiki`) #127

ohader commented Feb 8, 2024 •

edited

Loading