Breaking change cakephp/database
Description
Hey,
I noticed a breaking change in the upgrade of cakephp/database. Composer audit notified me of a CVE in the lib. I updated the package which gave me the 4.5.4 one in my composer.lock.
This results in my app giving exceptions on missing WRITE_ALL constants. This indicates for me that there is a breaking change since this bump is a minor.
After updating cakephp/orm to 4.5.4 as well the issue is resolved. This indicates for me that the constraints are not really ok here since it is an independent package.
I understand that you can't revert stuff and can't do anything about it. But I think it is good to raise this to let you know.
Best, Pim
CakePHP Version
4.4.x
PHP Version
8.1
There's no WRITE_ALL constant in either cakephp/database or cakephp/orm packages in 4.x. Please provide the file and line number where the error was generated and preferably the full stack trace.
Composer audit notified me of a CVE in the lib.
Which CVE? I'm not aware of any recent CVEs being reported.
Was not recent but from last year:
+-------------------+----------------------------------------------------------------------------------+
| Package | cakephp/database |
| Severity | critical |
| CVE | CVE-2023-22727 |
| Title | CakePHP Database\Query::offset() and limit() methods are vulnerable to SQL |
| | injection |
| URL | https://github.com/advisories/GHSA-6g8q-qfpv-57wp |
| Affected versions | >=4.4.0,<4.4.10|>=4.3.0,<4.3.11|>=4.2.0,<4.2.12 |
| Reported at | 2023-01-20T17:30:20+00:00 |
+-------------------+----------------------------------------------------------------------------------+
There's no WRITE_ALL constant in either cakephp/database or cakephp/orm packages in 4.x. Please provide the file and line number where the error was generated and preferably the full stack trace.
I don't have the full trace anymore since I patched the orm package later. The initial error was:
NOTICE: PHP message: PHP Fatal error: Uncaught Error: Undefined constant Cake\Database\Connection::ROLE_WRITE in /app/vendor/cakephp/database/Connection.php:189
Since your app has the orm package as a dependency, the database package is an indirect dependency, which you updated by itself instead of updating the orm.
I am unaware of any way we could specify the package deps to avoid this problem. You can only make composer auto-update the dependencies of a package, not update its ancestor packages.
So the issue is users are updating individual packages and composer.json in cakephp/orm allows all 4.x versions of those packages?
@othercorey Yes
The only solution might be replacing the versions in composer.json from the release script when tagging.
Well, there is no dependency from database to orm. So technically they are standalone packages?
"require": {
"php": ">=7.2.0",
"cakephp/core": "^4.0",
"cakephp/datasource": "^4.0"
},
So it is just a breaking change if it is not defined. The library is able to be installed standalone. If not, then why is it a separate package at all?
The cakephp/database package can be used standalone too, but you are using cakephp/orm, not just cakephp/database, and the latter is a dependency of cakephp/orm. You tried updating the indirect dependency instead of updating your app's direct dependency, which is cakephp/orm, causing the problem.
That said we are looking into limiting the dependencies of standalone packages to the same minor version for Cake dependencies to reduce the chances of version mismatch issues.
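The two points in the replies above (a lone `composer update cakephp/database` leaves the sibling cakephp/* packages on an older minor, and a same-minor constraint would refuse that state) can be checked mechanically. The script below is an added example, not CakePHP project code or part of this thread. It reads a composer.lock, reports any `cakephp/*` package whose major.minor differs from its siblings, and includes a minimal matcher for the Composer constraint forms `^X.Y`, `~X.Y.Z` and `X.Y.*` to show why `"^4.0"` admits 4.5.4 next to 4.4.x while `"~4.4.0"` would not. The embedded lock fragment is constructed; the 4.4.x patch numbers in it are assumed for illustration, and the constraint matcher deliberately ignores Composer's special-casing of `^0.x` and stability suffixes.

```python
"""Detect minor-version drift between cakephp/* packages in a composer.lock.

Added example for the cakephp/database issue thread; not CakePHP code.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed composer.lock fragment (not a real lock file) reproducing the
# state described in the issue: cakephp/database was updated on its own to
# 4.5.4 while the app's direct dependency, cakephp/orm, stayed on 4.4.x.
# The 4.4.x patch numbers are assumed for illustration.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "cakephp/core", "version": "4.4.16"},
        {"name": "cakephp/datasource", "version": "4.4.16"},
        {"name": "cakephp/database", "version": "4.5.4"},
        {"name": "cakephp/orm", "version": "4.4.16"},
        {"name": "psr/log", "version": "1.1.4"},
    ]
})


def parse_version(text: str) -> Version:
    """Turn '4.5.4', 'v4.5' or '4' into a (major, minor, patch) tuple."""
    nums = []
    for part in text.lstrip("v").split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def locked_versions(lock_text: str, vendor_prefix: str) -> Dict[str, Version]:
    """Collect the locked version of every package whose name starts with vendor_prefix."""
    lock = json.loads(lock_text)
    found: Dict[str, Version] = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg["name"].startswith(vendor_prefix):
            found[pkg["name"]] = parse_version(pkg["version"])
    return found


def minor_drift(versions: Dict[str, Version]) -> List[str]:
    """Names of packages whose major.minor differs from the most common one.

    Packages released together (cakephp/orm, cakephp/database, ...) are
    expected on the same minor; an outlier is the partial update that led
    to the undefined-constant fatal error in this issue.
    """
    if not versions:
        return []
    trains = Counter((v[0], v[1]) for v in versions.values())
    expected = trains.most_common(1)[0][0]
    return sorted(name for name, v in versions.items() if (v[0], v[1]) != expected)


def satisfies(version: str, constraint: str) -> bool:
    """Minimal Composer constraint check for the forms relevant here.

    '^X.Y'   -> >= X.Y, < next major
    '~X.Y.Z' -> >= X.Y.Z, < next minor   ('~X.Y' means < next major)
    'X.Y.*'  -> same major.minor
    Anything else is treated as an exact version.
    """
    v = parse_version(version)
    c = constraint.strip()
    if c.startswith("^"):
        base = parse_version(c[1:])
        return base <= v < (base[0] + 1, 0, 0)
    if c.startswith("~"):
        base = parse_version(c[1:])
        if len(c[1:].split(".")) >= 3:
            return base <= v < (base[0], base[1] + 1, 0)
        return base <= v < (base[0] + 1, 0, 0)
    if c.endswith(".*"):
        base = parse_version(c[:-2])
        return (v[0], v[1]) == (base[0], base[1])
    return v == parse_version(c)


if __name__ == "__main__":
    cake = locked_versions(SAMPLE_LOCK, "cakephp/")
    for name in minor_drift(cake):
        print(f"drift: {name} is on {'.'.join(map(str, cake[name]))}, siblings are not")
    # Why the current constraint lets this happen and a same-minor pin would not:
    print("4.5.4 satisfies ^4.0:", satisfies("4.5.4", "^4.0"))
    print("4.5.4 satisfies ~4.4.0:", satisfies("4.5.4", "~4.4.0"))
```

Run it against a real lock with `locked_versions(open("composer.lock").read(), "cakephp/")`; a non-empty `minor_drift` result in CI is the early warning that someone updated an indirect cakephp/* package on its own. The fix on the application side is still the one given above: update the direct dependency (cakephp/orm) and let Composer pull its dependencies along.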