It looks like updating a site with
simplesamlphp/simplesamlphp at a version greater than 1.19.0
with composer update -w or -W (i.e. updating with dependencies)
results in a downgrade to 1.19.0 instead of an upgrade to the latest secure version!
I think I've traced this back to 1.19.1, which adds a requirement for
"simplesamlphp/assert": "^0.0.13",
6dcd5b4
However https://github.com/simplesamlphp/composer-module-installer/pull/21/files
adds a requirement for
"simplesamlphp/assert": "^0.8.0"
"^0.0.13" restricts us to versions of assert below 0.1.0.
Would it be possible to loosen this requirement to allow versioning that matches what is required in simplesamlphp/composer-module-installer on the 1.9.x branch?
In the site where I hit this issue I'm getting this module via
drupalauth/simplesamlphp-module-drupalauth
which simply requires the following:
Note for anyone else hitting the issue: the workaround to get the latest version of simplesamlphp is to restrict the upgrade of simplesamlphp/composer-module-installer to version 1.3.0 by including this as a hard constraint in composer.json -
Alternatively, if you need a more recent version of composer-module-installer, you could try including the latest version of simplesamlphp/assert and aliasing it to the 0.8 version.

I probably wouldn't be super worried about this apart from the fact that without a resolution it is easy to lose or not get the security updates released in 1.19.8 and 1.19.1.
I guess the most relevant one here is 1.19.1, as the update to 1.19.8 would presumably be enforced by Drupal Core requirements as well, given it would be unlikely for you to have drupalauth/simplesamlphp-module-drupalauth without Drupal Core.
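
A check for the failure described in this issue, as an added example that is not part of the original post or of the SimpleSAMLphp project: it computes Composer caret ranges to show that the two assert constraints cannot both be satisfied, and compares two composer.lock files to flag any package whose locked version went down. The lock contents are constructed samples, the function names are hypothetical, and only plain numeric versions are handled.

```python
import json

def parse(version):
    """'v1.19.8' or '^0.8.0' -> (1, 19, 8) / (0, 8, 0); pads to three parts."""
    parts = [int(p) for p in version.lstrip("^v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def caret_range(constraint):
    """Composer caret range as (inclusive lower, exclusive upper).

    The first non-zero component must not change, so ^0.0.13 means
    >=0.0.13 <0.0.14 and ^0.8.0 means >=0.8.0 <0.9.0.
    """
    lower = parse(constraint)
    i = next((k for k, p in enumerate(lower) if p), len(lower) - 1)
    upper = lower[:i] + (lower[i] + 1,) + (0,) * (len(lower) - i - 1)
    return lower, upper

def compatible(a, b):
    """True if a single version can satisfy both caret constraints."""
    (lo_a, hi_a), (lo_b, hi_b) = caret_range(a), caret_range(b)
    return max(lo_a, lo_b) < min(hi_a, hi_b)

def find_downgrades(before_lock, after_lock):
    """Packages whose locked version decreased between two composer.lock files."""
    old = {p["name"]: p["version"] for p in json.loads(before_lock)["packages"]}
    new = {p["name"]: p["version"] for p in json.loads(after_lock)["packages"]}
    return sorted((n, old[n], v) for n, v in new.items()
                  if n in old and parse(v) < parse(old[n]))

# Constructed sample lock files; versions chosen to mirror the issue's scenario.
BEFORE = json.dumps({"packages": [
    {"name": "simplesamlphp/simplesamlphp", "version": "v1.19.8"},
    {"name": "simplesamlphp/assert", "version": "v0.0.13"}]})
AFTER = json.dumps({"packages": [
    {"name": "simplesamlphp/simplesamlphp", "version": "v1.19.0"},
    {"name": "simplesamlphp/assert", "version": "v0.8.0"}]})

if __name__ == "__main__":
    print("constraints compatible:", compatible("^0.0.13", "^0.8.0"))
    for name, was, now in find_downgrades(BEFORE, AFTER):
        print(f"DOWNGRADE {name}: {was} -> {now}")
```

Run against the composer.lock from version control and the one produced by the update, a non-empty result is a reason to stop the deployment and inspect the resolver's choice.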