New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PHP 8.2 compatibility: upgrade webmozarts/assert to 1.11.0 #5169
Conversation
The Unish\SecurityUpdatesTest::testNoInsecureProductionPhpPackage failure usually goes away if you just run a general |
@greg-1-anderson is it ok to update all dependencies? |
Its OK, but there is a chance your PR will need a reroll if #5165 gets in first. That also updates all. |
Than would be great to create new releases for Consolidation components and reroll this one |
Merged the consolidation PRs; will make releases in a bit. |
Also, I'm pretty sure that the composer.lock changes in #5165 are only to avoid the Unish\SecurityUpdatesTest::testNoInsecureProductionPhpPackage failure. If we merge this one first, then we can reroll the archive commands without a composer.lock change. |
Tagged |
Kind of odd that only the highest test is failing in testNoInsecureProductionPhpPackage. Didn't look into why that is; perhaps we can merge this anyway, and investigate that later? |
That highest test installs core-recommended:10.0.x-dev and then we run a security check against that and find that guzzlehttp/guzzle is insecure. I'm not sure why. Exploring that in #5171. |
Composer is getting us guzzle 7.4.4 which is insecure. I would think we would be getting 7.4.5.
I'm OK with merging this PR and will do so in a day or two barring any negative comments. |
I see whats happenning https://github.com/drupal/core-recommended/blob/b7b0bc4cb7105bb329a2ec9a57c612607ec22744/composer.json#L18 is pinning us via a psr7 dependency. See https://www.drupal.org/project/drupal/issues/3291780 |
Part of #5168 (comment)