
Update simple-local-avatars version to 2.8.5

Open roborourke opened this issue 4 months ago • 4 comments

Patchstack is reporting two low-priority CVEs for <= 2.7.1 and <= 2.8.4

roborourke avatar Aug 29 '25 14:08 roborourke

The multiple change logs for this don't look too bad. But for such a large leap, we need to do some testing. I'll follow up on that.

mikelittle avatar Aug 29 '25 15:08 mikelittle

Yeah sorry, you should remove the back port labels and I’ll leave it to your discretion

roborourke avatar Aug 29 '25 16:08 roborourke

We usually put the composer/installers requirement as ^1 || ^2, but there must be a package somewhere requesting v1. I would aim to work out what that is and resolve it, and I would also chat to 10up about updating those constraints and publishing to packagist. They may be open to it.

Otherwise Altis will be shipping with a version that has a known CVE flagged by patchstack, so it’s also viable to just remove it from Altis I suppose. Projects can install it via wpackagist instead.

roborourke avatar Sep 03 '25 08:09 roborourke
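One way to find which package is holding composer/installers at v1, as the comment above suggests: this is an added example, not code from the Altis project or this thread. It reads a constructed composer.lock excerpt and applies a simplified constraint check (common `^`, `~`, `>=`, `*` forms joined by `||`), not Composer's full semver resolver.

```python
import json
import re

# Constructed composer.lock excerpt (not a real lock file from the Altis project):
# one package pins composer/installers to v1 only, one allows ^1 || ^2.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/theme-a", "require": {"composer/installers": "^1.0"}},
        {"name": "example/plugin-b", "require": {"composer/installers": "^1 || ^2"}},
        {"name": "example/plugin-c", "require": {"php": ">=7.4"}},
    ]
})


def constraint_allows_major(constraint: str, major: int) -> bool:
    """Rough check: does a Composer constraint admit the given major version?
    Handles ^x, ~x.y, >=x, *, and exact x.y.z, joined by '||'.
    This is a heuristic, not Composer's full constraint evaluator."""
    for alt in re.split(r"\|\|", constraint):
        alt = alt.strip()
        if alt in ("*", ""):
            return True
        if alt.startswith(">="):
            low = int(re.match(r">=\s*(\d+)", alt).group(1))
            if major >= low:
                return True
            continue
        m = re.match(r"^[\^~]?\s*(\d+)", alt)
        if m and int(m.group(1)) == major:
            return True
    return False


def packages_pinned_to_installers_v1(lock_text: str) -> list[str]:
    """Return packages whose composer/installers constraint excludes 2.x,
    i.e. the ones that keep the whole project on composer/installers v1."""
    lock = json.loads(lock_text)
    offenders = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        constraint = pkg.get("require", {}).get("composer/installers")
        if constraint is not None and not constraint_allows_major(constraint, 2):
            offenders.append(f"{pkg['name']} ({constraint})")
    return offenders


if __name__ == "__main__":
    for line in packages_pinned_to_installers_v1(SAMPLE_LOCK):
        print(line)
```

On a real checkout, `composer why composer/installers` answers the same question directly from the installed lock file.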

Finally got round to raising https://github.com/10up/simple-local-avatars/issues/349

mikelittle avatar Oct 07 '25 15:10 mikelittle

This is now working with the wpackagist version of the plugin. Core avatar image removed and SLA section added on profile.php.

(Screenshot: CleanShot 2025-11-24 at 17 06 18)

If we are OK to go with the wpackagist-plugin version, this is ready to go.

mikelittle avatar Nov 24 '25 18:11 mikelittle

> If we are OK to go with the wpackagist-plugin version, this is ready to go.

~I want to ensure we're only using Packagist; the dep from 10up should be published to Packagist now, is there anything else blocking us?~

Ah, I see this was covered at https://github.com/humanmade/product-dev/issues/1834#issuecomment-3572081387

rmccue avatar Nov 24 '25 18:11 rmccue