Problem with roave/security-advisories when updating Symfony 4 to 5

I am trying to update my Symfony 4.4.19 to Symfony 5.x, but I am running into two conflicts that block the process: symfony/monolog-bundle and roave/security-advisories.

I ran composer update "symfony/*" --with-all-dependencies, the method given in the Symfony documentation on upgrading, which clearly states that "some libraries starting with symfony/ follow their own versioning scheme. You don't need to update these versions: you can upgrade them independently whenever you want", and the example given is... symfony/monolog-bundle

Updating dependencies
  Problem 1
    - Root composer.json requires symfony/monolog-bundle ^3.6 -> satisfiable by symfony/monolog-bundle[v3.6.0].
    - symfony/monolog-bundle v3.6.0 requires symfony/http-kernel ~3.4 || ~4.0 || ^5.0 -> satisfiable by symfony/http-kernel[v5.0.0, ..., v5.0.11].
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.11.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.10.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.9.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.8.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.7.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.6.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.5.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.4.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.3.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.2.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.1.
    - roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.0.
    - roave/security-advisories is locked to version dev-latest and an update of this package was not requested.

Here is my composer.json, in which I have replaced every 4.4 with 5.0:

{
    "type": "project",
    "version": "1.2.0",
    "license": "proprietary",
    "require": {
        "php": "^7.4.0",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "ext-intl": "*",
        "ext-json": "*",
        "abraham/twitteroauth": "^1.1",
        "excelwebzone/recaptcha-bundle": "^1.5",
        "facebook/graph-sdk": "^5.7",
        "friendsofsymfony/rest-bundle": "^3.0",
        "gesdinet/jwt-refresh-token-bundle": "^0.9.1",
        "hamhamfonfon/astrobin-ws": "^2.0",
        "jms/serializer-bundle": "^3.3",
        "lexik/jwt-authentication-bundle": "^2.6",
        "ruflin/elastica": "^6.0",
        "sensio/framework-extra-bundle": "^5.2",
        "symfony/asset": "^5.0",
        "symfony/console": "^5.0",
        "symfony/dotenv": "^5.0",
        "symfony/expression-language": "^5.0",
        "symfony/flex": "^1.11",
        "symfony/form": "^5.0",
        "symfony/framework-bundle": "^5.0",
        "symfony/google-mailer": "5.0",
        "symfony/http-client": "5.0",
        "symfony/intl": "^5.0",
        "symfony/mailer": "5.0.*",
        "symfony/monolog-bundle": "^3.6",
        "symfony/orm-pack": "^1.2",
        "symfony/process": "5.0.*",
        "symfony/requirements-checker": "^1.1",
        "symfony/security-bundle": "^5.0",
        "symfony/serializer": "^5.0",
        "symfony/stopwatch": "^5.0",
        "symfony/templating": "^5.0",
        "symfony/translation": "^5.0",
        "symfony/twig-bundle": "^5.0",
        "symfony/validator": "^5.0",
        "symfony/webpack-encore-bundle": "^1.0",
        "symfony/yaml": "^5.0",
        "twig/extensions": "^1.5"
    },
    //...
    "extra": {
        "symfony": {
            "allow-contrib": false,
            "require": "5.0.*"
        }
    },
    "require-dev": {
        "roave/security-advisories": "dev-latest",
        "symfony/maker-bundle": "^1.12",
        "symfony/profiler-pack": "^1.0",
        "symfony/var-dumper": "^5.0"
    }
}

Before replacing 4.4 with 5.0 I ran "composer update" to make sure I was on the latest 4.4.x release.

The problem is not monolog-bundle; it is the following:

  • monolog-bundle requires symfony/http-kernel ~3.4 || ~4.0 || ^5.0
  • You have restricted all Symfony components to 5.0 (by setting "extra" -> "symfony" -> "require" to 5.0.*). So the only requirement of monolog-bundle that can be satisfied is http-kernel 5.0.*
  • roave/security-advisories works by deliberately conflicting with library versions that have known security issues. In this case, every 5.0.* release is affected by CVE-2020-15094 (see https://symfony.com/blog/cve-2020-15094-prevent-rce-when-calling-untrusted-remote-with-cachinghttpclient) and is therefore blocked. So there is no valid version, and Composer aborts.

My recommendation: Symfony 5.0 is end-of-life, so use the current Symfony 5 release, 5.2.x (Composer constraint "^5.2"). Since Symfony uses strict semantic versioning, there is no downside to using 5.2 instead of 5.0 (i.e. all code that runs on 5.0 also runs on 5.2).
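An added example (not part of the question or the answer above) showing the mechanism the answer describes: a small Python evaluator for Composer-style `conflict` ranges of the kind roave/security-advisories publishes, run over a constructed conflict entry for symfony/http-kernel (the range values are assumed for illustration, not copied from the real package), so that the 5.0.x candidates come out blocked while 5.1.5 and 5.2.x pass.

```python
"""Mini evaluator for Composer-style conflict ranges. This is how
roave/security-advisories works: it declares `conflict` constraints
against every package version with a known advisory, so Composer refuses
to resolve those versions. Added example; conflict data is constructed."""
import re

# Constructed sample in the shape of roave's composer.json `conflict` section.
# The range values are assumed for illustration, not copied from the real package.
SAMPLE_CONFLICTS = {
    "symfony/http-kernel": ">=4.4,<4.4.13|>=5,<5.1.5",
}

_OP = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def parse_version(v):
    """Turn 'v5.0.11' or '5.1' into a comparable tuple of ints, padded to 3."""
    parts = [int(p) for p in v.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def matches_constraint(version, constraint):
    """True if version satisfies constraint. Alternatives are separated by
    '|' or '||'; each alternative is a comma-separated AND of simple
    comparisons such as '>=5' or '<5.1.5' (caret/tilde are not handled)."""
    ver = parse_version(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        ok = True
        for term in re.split(r"\s*,\s*", alternative):
            m = re.fullmatch(r"(>=|<=|>|<|==|!=)?\s*v?([\d.]+)", term)
            if not m:
                raise ValueError(f"unsupported constraint term: {term!r}")
            ok = ok and _OP[m.group(1) or "=="](ver, parse_version(m.group(2)))
        if ok:
            return True
    return False

def is_blocked(package, version, conflicts=SAMPLE_CONFLICTS):
    """Would a `conflict` entry like roave's reject this package version?"""
    constraint = conflicts.get(package)
    return constraint is not None and matches_constraint(version, constraint)

def blocked_versions(package, candidates, conflicts=SAMPLE_CONFLICTS):
    """Split candidates into (blocked, allowed), mirroring the
    'conflicts with' lines Composer printed in the question."""
    blocked = [v for v in candidates if is_blocked(package, v, conflicts)]
    return blocked, [v for v in candidates if v not in blocked]

if __name__ == "__main__":
    cands = [f"v5.0.{i}" for i in range(12)] + ["v5.1.5", "v5.2.0"]
    print(blocked_versions("symfony/http-kernel", cands))
```

In a real project, composer why-not symfony/http-kernel 5.0.11 asks Composer itself which package (here roave/security-advisories) forbids that version.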