
9.x and 8.x-v2 branch missing from Packagist

Open matthandus opened this issue 10 months ago • 8 comments

We just noticed that Packagist is no longer listing the 9.x and 8.x-v2 branches. There was a recent commit that changed the composer.json file in those branches. Is there something causing those branches to no longer validate with Packagist?

Here's the last commit: https://github.com/drupal-composer/drupal-security-advisories/commit/bf307e03144de838195ad716c2782ef241cf24dc

Here's the packagist page: https://packagist.org/packages/drupal-composer/drupal-security-advisories

Is there an issue with this constraint? "drupal/rest_views": "3.0.0|3.0.0-alpha1|3.0.0-rc1|>=3.0,<3.0.1",

Or, are we just waiting for Packagist to catch up to the changes?

Thank you for the support!

Screenshot of missing packages on Packagist: [image: Screenshot 2024-04-24 at 3 21 22 PM]

matthandus avatar Apr 24 '24 19:04 matthandus

@webflo Are you able to confirm this issue? Thank you!

matthandus avatar Apr 24 '24 19:04 matthandus

I don't know how the internals of this project work, but I want to mention that for drupal/rest_views the 1.x and 2.x branches are also vulnerable and do not have a fix. I'm not sure if the notation added here fully captures that.

greggles avatar Apr 24 '24 20:04 greggles

The package is currently not updateable on packagist.org as it reports validation issues with the composer.json of this package on the 8.x and 9.x branches:

Importing branch 8.x-v2 (dev-8.x-v2)
Skipped branch 8.x-v2, Invalid package information: 
conflict.drupal/die_in_twig : this version constraint cannot possibly match anything (>=2,<2.0)
conflict.drupal/forum_access : this version constraint cannot possibly match anything (>=1,<1.0)
conflict.drupal/readonlymode : this version constraint cannot possibly match anything (>=1,<1.0)

Reading composer.json of https://github.com/drupal-composer/drupal-security-advisories (9.x)
Importing branch 9.x (9.x-dev)
Skipped branch 9.x, Invalid package information: 
conflict.drupal/die_in_twig : this version constraint cannot possibly match anything (>=2,<2.0)
conflict.drupal/forum_access : this version constraint cannot possibly match anything (>=1,<1.0)
conflict.drupal/readonlymode : this version constraint cannot possibly match anything (>=1,<1.0)

naderman avatar Apr 25 '24 18:04 naderman
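A small checker for the failure Packagist reports above, added here as an example and not code from this repository or from Packagist: it parses a composer.json and flags every conflict constraint whose bounds leave no version (such as ">=2,<2.0"), which is exactly the shape Packagist rejects. The composer.json it scans is a constructed sample modelled on the constraints quoted in this thread, and only comparison operators are analysed (exact versions, wildcards, ~ and ^ are assumed satisfiable).

```python
"""Flag Composer 'conflict' constraints that can never match any version."""
import json
import re
from typing import Dict, Optional, Tuple

# Constructed sample modelled on the constraints quoted in this issue;
# it is NOT the real composer.json of the 8.x-v2 or 9.x branch.
SAMPLE_COMPOSER_JSON = """{
  "name": "example/security-advisories",
  "type": "metapackage",
  "conflict": {
    "drupal/die_in_twig": ">=2,<2.0",
    "drupal/forum_access": ">=1,<1.0",
    "drupal/readonlymode": ">=1,<1.0",
    "drupal/rest_views": "3.0.0|3.0.0-alpha1|3.0.0-rc1|>=3.0,<3.0.1"
  }
}"""

_RANGE_RE = re.compile(r"^(>=|<=|>|<)\s*v?(\d+(?:\.\d+)*)$")
Bound = Optional[Tuple[Tuple[int, ...], bool]]  # (version, inclusive)

def _norm(version: str) -> Tuple[int, ...]:
    """Pad a numeric version so '2', '2.0' and '2.0.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def _and_group_is_empty(group: str) -> bool:
    """True if a comma-joined AND group such as '>=2,<2.0' admits no version."""
    lower: Bound = None
    upper: Bound = None
    for part in group.split(","):
        m = _RANGE_RE.match(part.strip())
        if not m:  # exact version, wildcard, ~ or ^: treated as satisfiable
            return False
        op, ver, incl = m.group(1), _norm(m.group(2)), m.group(1) in (">=", "<=")
        if op.startswith(">"):  # keep the tightest lower bound
            if lower is None or (ver, not incl) > (lower[0], not lower[1]):
                lower = (ver, incl)
        elif upper is None or (ver, incl) < (upper[0], upper[1]):  # tightest upper
            upper = (ver, incl)
    if lower is None or upper is None:
        return False  # half-open ranges always match something
    return lower[0] > upper[0] or (lower[0] == upper[0] and not (lower[1] and upper[1]))

def empty_conflict_constraints(composer_json: str) -> Dict[str, str]:
    """Return {package: constraint} for every conflict entry that matches nothing."""
    conflicts = json.loads(composer_json).get("conflict", {})
    return {pkg: c for pkg, c in conflicts.items()
            if all(_and_group_is_empty(g) for g in re.split(r"\s*\|\|?\s*", c))}
```

Running it over the sample reports the three die_in_twig, forum_access and readonlymode entries and leaves the rest_views constraint alone, since its exact-version alternatives and the ">=3.0,<3.0.1" range all match something.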

Hi everyone,

I haven't maintained the package that well lately because drush has been reading the composer.json directly from the repo, without going through Packagist.

Also the command ‘pm:security’ in drush was replaced by ‘composer audit’.

https://github.com/drush-ops/drush/commit/cb2610d5aa007b80bae4126b4cfb5454cd14dfe3
https://www.drupal.org/project/project_composer/issues/3301876

The compatibility with composer audit has been provided by the DA. Not sure if this project is needed anymore ...

webflo avatar Apr 26 '24 07:04 webflo

@webflo maybe it would make sense to add an announcement about that fact to the README.md? Or make the repo say it when installed sites try to use it?

greggles avatar Apr 26 '24 11:04 greggles

Is there a solution to this?

matthew-IS avatar Apr 30 '24 19:04 matthew-IS

If I understand @webflo's comment the answer is:

  • composer remove drupal-composer/drupal-security-advisories to remove this project from your composer file
  • add appropriate calls to composer audit into your build and QA workflows.

greggles avatar Apr 30 '24 19:04 greggles

I have marked it as abandoned on Packagist and updated the README. I'll leave the issue open in case there are any further questions.

webflo avatar May 08 '24 21:05 webflo