[3.x]: All Craft 3 CMS versions still (again?) marked as unsafe by composer with roave/security-advisories
What happened?
Description
Still unable to install & update projects on Craft 3, or possibly again. According to the maintainer there might be unaddressed vulnerabilities. I can see no commits adding Craft 3 versions back in, so while a previous bug report (#13336) about this was closed, I don't think it was ever truly solved.
This is turning into a major blocker for us as we've many sites still on Craft 3.
Craft CMS version
3.7.43
PHP version
No response
Operating system and version
No response
Database type and version
No response
Image driver and version
No response
Installed plugins and versions
@ameliagroen can you send your composer.json and lock files over to [email protected] and reference this issue? It will help us track down what is being flagged in your installation.
Hey @angrybrad, Sorry for the delay, I've sent some over!
Still trying to figure this out (https://github.com/Roave/SecurityAdvisories/issues/119#issuecomment-1642497901), but the short-term workaround is to remove "roave/security-advisories": "dev-latest", from your composer.json file until this gets sorted.
Hey @angrybrad I was wondering whether there was any update on this? Our dev team is hesitant to turn off the security advisories as we're not sure what the implications could be. We've a lot of clients we can't service for updates at the moment.
We’re still looking into it, sorry. Considering there have been security fixes for Craft 3 in recent updates, keeping roave/security-advisories around is doing more harm than good at the moment.
I had to eventually drop roave/security-advisories from our composer.json, it became tiresome when this kept happening. There aren't enough safeguards in place for rogue advisories to just blanket state whole versions without verification.
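To answer the "what is being flagged in your installation" question from the thread, here is an added example (not code from the issue, from Craft, or from Roave) that reads a composer.lock and lists every package whose locked version falls inside a conflict constraint, using the same `conflict` constraint style a conflict-only advisory metapackage such as roave/security-advisories relies on. The lock excerpt and the conflict map are constructed for the example and are not the real advisory data.

```python
import json
import re

# Constructed composer.lock excerpt (not the reporter's real lock file).
LOCK_JSON = """
{"packages": [
  {"name": "craftcms/cms", "version": "3.7.43"},
  {"name": "yiisoft/yii2", "version": "2.0.47"},
  {"name": "twig/twig", "version": "v2.15.3"}
]}
"""

# Hypothetical conflict map in the style of a conflict-only advisory metapackage.
# These constraints are made up for the example; they are NOT the real advisories.
CONFLICTS = {
    "craftcms/cms": ">=3.0.0,<3.7.44|>=4.0.0,<4.4.15",
    "twig/twig": "<2.14.11|>=3.0.0,<3.4.3",
}

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "=": lambda a, b: a == b, "==": lambda a, b: a == b}

def parse_version(v: str) -> tuple:
    # Drop a leading 'v' and any pre-release suffix, pad to major.minor.patch.
    parts = [int(p) for p in v.lstrip("v").split("-")[0].split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version: str, constraint: str) -> bool:
    # '|' (or '||') separates OR alternatives; ',' joins AND parts within one alternative.
    v = parse_version(version)
    for alt in re.split(r"\|\|?", constraint):
        checks = []
        for part in alt.split(","):
            m = re.match(r"\s*(<=|>=|==|<|>|=)?\s*([\w.\-]+)\s*$", part)
            if not m:
                raise ValueError(f"unsupported constraint: {part!r}")
            checks.append(_OPS[m.group(1) or "="](v, parse_version(m.group(2))))
        if all(checks):
            return True
    return False

def flagged_packages(lock_json: str, conflicts: dict) -> list:
    # Report every locked package whose version falls inside a conflict range.
    lock = json.loads(lock_json)
    out = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        c = conflicts.get(pkg["name"])
        if c and satisfies(pkg["version"], c):
            out.append(f'{pkg["name"]} {pkg["version"]} conflicts with "{c}"')
    return out
```

With the real metapackage still installed, `composer prohibits craftcms/cms 3.7.43` (alias `composer why-not`) asks Composer itself which package's constraint is blocking that version.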