Was 9.9.99 removed on purpose? #167

Open
bobdenotter opened this issue Oct 18, 2020 · 9 comments

Comments

@bobdenotter

bobdenotter commented Oct 18, 2020

Hi,

Several packages (like https://github.com/nelmio/NelmioCorsBundle) have a hard dependency like this:

"paragonie/random_compat": "~1.0|~2.0|9.99.99",

They can't be installed anymore:

$ composer require nelmio/security-bundle

Using version ^2.10 for nelmio/security-bundle
./composer.json has been updated
Loading composer repositories with package information
Warning from https://repo.packagist.org: You are using an outdated version of Composer. Composer 2.0 is about to be released and the older 1.x releases will self-update directly to it once it is released. To avoid surprises update now to the latest 1.x version which will prompt you before self-updating to 2.x.
Updating dependencies (including require-dev)
Restricting packages listed in "symfony/symfony" to "^5.1"
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - nelmio/security-bundle v2.10.0 requires paragonie/random_compat ~1.0|~2.0|9.99.99 -> satisfiable by paragonie/random_compat[1.0.10, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, v1.0.0, v1.0.1, v1.2.0, v1.2.1, v1.2.2, v1.2.3, v1.3.0, v1.3.1, v1.4.0, v1.4.1, v1.4.2, v1.4.3, v1.x-dev, v2.0.0, v2.0.1, v2.0.10, v2.0.11, v2.0.12, v2.0.13, v2.0.14, v2.0.15, v2.0.16, v2.0.17, v2.0.18, v2.0.19, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7, v2.0.8, v2.0.9, v9.99.99].
    - nelmio/security-bundle v2.10.1 requires paragonie/random_compat ~1.0|~2.0|9.99.99 -> satisfiable by paragonie/random_compat[1.0.10, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, v1.0.0, v1.0.1, v1.2.0, v1.2.1, v1.2.2, v1.2.3, v1.3.0, v1.3.1, v1.4.0, v1.4.1, v1.4.2, v1.4.3, v1.x-dev, v2.0.0, v2.0.1, v2.0.10, v2.0.11, v2.0.12, v2.0.13, v2.0.14, v2.0.15, v2.0.16, v2.0.17, v2.0.18, v2.0.19, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7, v2.0.8, v2.0.9, v9.99.99].
    - paragonie/random_compat 1.0.10 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.0.2 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.0.3 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.0.4 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.0.5 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.0.6 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.0.7 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.0.8 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.0.9 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.1.0 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.1.1 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.1.2 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.1.3 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.1.4 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.1.5 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat 1.1.6 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.0.0 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.0.1 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.2.0 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.2.1 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.2.2 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.2.3 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.3.0 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.3.1 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.4.0 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.4.1 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.4.2 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.4.3 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v1.x-dev conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.0 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.1 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.10 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.11 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.12 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.13 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.14 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.15 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.16 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.17 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.18 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.19 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.2 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.3 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.4 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.5 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.6 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.7 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.8 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v2.0.9 conflicts with __root__[No version set (parsed as 1.0.0)].
    - paragonie/random_compat v9.99.99 conflicts with __root__[No version set (parsed as 1.0.0)].
    - Installation request for __root__ No version set (parsed as 1.0.0) -> satisfiable by __root__[No version set (parsed as 1.0.0)].
    - Installation request for nelmio/security-bundle ^2.10 -> satisfiable by nelmio/security-bundle[v2.10.0, v2.10.1].


Installation failed, reverting ./composer.json to its original content.
@jdreesen

jdreesen commented Oct 18, 2020

Seems like the tag is still available on GitHub and Packagist.

There's probably something else wrong in your composer.json.

/edit: the error message even mentions the v9.99.99 as not applicable, which wouldn't be the case if it had been removed.

@jdreesen

Do you have "paragonie/random_compat": "*" in your composer.json's replace section?

If so: try to replace it with "paragonie/random_compat": "2.*" or remove it entirely (v9.99.* are no-op packages).

@glensc
Contributor

glensc commented Oct 18, 2020

@bobdenotter
Author

@glensc I know there is, but because several packages (like https://github.com/nelmio/NelmioCorsBundle) have a hard dependency like this:

"paragonie/random_compat": "~1.0|~2.0|9.99.99",

It cannot install it.

@bobdenotter
Author

bobdenotter commented Oct 18, 2020

Hi @jdreesen,

> There's probably something else wrong in your composer.json.

Well, our composer.json has no reference to this package at all. It's other packages that require it, that we require, so we have no direct dependency on it. So, I don't think it's our composer.json that necessarily has something wrong.

> /edit: the error message even mentions the v9.99.99 as not applicable, which wouldn't be the case if it had been removed.

That is weird, though.

> Do you have "paragonie/random_compat": "*" in your composer.json's replace section?
>
> If so: try to replace it with "paragonie/random_compat": "2.*"

I've tried, but no dice:

  Problem 1
    - bolt/core dev-master conflicts with roave/security-advisories[dev-master].
    - roave/security-advisories dev-master conflicts with bolt/core[dev-master].
    - roave/security-advisories dev-master conflicts with bolt/core[dev-master].
    - Installation request for bolt/core dev-master -> satisfiable by bolt/core[dev-master].
    - Installation request for roave/security-advisories dev-master@dev -> satisfiable by roave/security-advisories[dev-master].

> or remove it entirely (v9.99.* are no-op packages).

I would if I could, but it's other packages requiring it.

I've also opened an issue on the other end, but it seems like it's not maintained actively: nelmio/NelmioSecurityBundle#236

@glensc
Contributor

glensc commented Oct 18, 2020

@bobdenotter perhaps the original problem is resolved (missing tag restored), or there's something in your existing composer dependencies causing a conflict so that 9.99.99 won't be picked, as installing to a blank repository with PHP 7.3 works okay. Thus, provide an actual reproducer of the problem (and try it yourself), perhaps publish it to a gist.

mkdir random-compat-167
cd random-compat-167
composer require nelmio/security-bundle
➔ composer show|grep -E 'paragonie/random_compat|nelmio/security-bundle'
nelmio/security-bundle             v2.10.1  Extra security-related features for Symfony: signed/encrypted cookies, HTTPS/SSL/HSTS handling, cook...
paragonie/random_compat            v9.99.99 PHP 5.x polyfill for random_bytes() and random_int() from PHP 7
➔

Although, using a strict dependency like "9.99.99" is calling for problems like this, so the downstream project needs to be fixed.

But then again it's this project's fault for suggesting such a use case in the project readme:

EDIT: the project readme doesn't actually say to use exactly "9.99.99" in dependencies, but only in "replaces", although now that 9.99.100 is released, that recommendation is also invalid. Perhaps the new value should be "replaces: 9.99.999", so this project has room to make 101-998 releases?
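To see concretely why the pin quoted in the opening post (`~1.0|~2.0|9.99.99`) matches exactly one 9.99.x release, and why a 9.99.100 tag is invisible to it, here is an added example that evaluates Composer-style constraints. It is not code from paragonie/random_compat, Composer or anyone in this thread; it supports only exact versions, the tilde operator and `|`/`||` OR-groups, and the release list is a constructed subset of the versions in the error output plus 9.99.100 and a hypothetical v3.0.0.

```python
import re

# Added example; not code from paragonie/random_compat, Composer or this thread.
# Handles exact versions, the tilde operator and "|" / "||" OR-groups only;
# ">=", "^", wildcards and dev branches such as "v1.x-dev" are out of scope.

CONSTRAINT = "~1.0|~2.0|9.99.99"  # the pin quoted from the downstream bundle

# Constructed subset of the versions in the Composer error output, plus
# 9.99.100 (mentioned in this thread) and a hypothetical v3.0.0.
RELEASES = ["v1.0.0", "1.4.3", "v2.0.19", "v9.99.99", "9.99.100", "v3.0.0"]

def parse_version(text):
    """'v2.0.19' -> (2, 0, 19, 0): strip a leading 'v', pad to four parts."""
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def tilde_range(spec):
    """Composer tilde: ~1.2 means >=1.2 <2.0 and ~1.2.3 means >=1.2.3 <1.3.0.
    The exclusive upper bound bumps the second-to-last written component."""
    body = spec[1:]
    written = body.count(".") + 1
    lower = parse_version(body)
    bump = max(written - 2, 0)
    upper = list(lower)
    upper[bump] += 1
    for i in range(bump + 1, 4):
        upper[i] = 0
    return lower, tuple(upper)

def satisfies(version, constraint):
    """True if the version matches at least one OR-group of the constraint."""
    v = parse_version(version)
    for group in re.split(r"\s*\|\|?\s*", constraint.strip()):
        if group.startswith("~"):
            lower, upper = tilde_range(group)
            if lower <= v < upper:
                return True
        elif v == parse_version(group):  # bare version: exact match only
            return True
    return False

def matching_releases(constraint, releases):
    """Releases the resolver could pick for the constraint, in input order."""
    return [r for r in releases if satisfies(r, constraint)]
```

Against the page's constraint, `matching_releases` returns the 1.x and 2.x releases plus the single 9.99.99 tag, while `satisfies("9.99.100", "~9.99.99")` shows how a tilde range would have left room for later no-op releases.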

@bobdenotter
Author

Hi @glensc,

> perhaps the original problem is resolved (missing tag restored)

That looks like it worked! Thanks. In the sense that I can now run composer req nelmio/security-bundle.

> altho using strict dependency like "9.99.99" is calling for problems like this, so downstream project needs to be fixed.

Yes, I agree 100%. :-)

@mshannaq

mshannaq commented May 8, 2024

If you're using PHP 8.1, you can utilize the random_bytes() function provided by PHP's core random extension to generate cryptographically secure random bytes. This function is available starting from PHP 7.0 and is recommended for generating random data in PHP, so you do not need to use random_compat for that.

$randomKey = random_bytes(32); // 32 bytes = 256 bits
instead of
$randomKey = Random::bytes(32); // 32 bytes = 256 bits

@paragonie-security
Contributor

Did you post this in the wrong repository? Which project has Random::bytes() defined?
