Problem with roave/security-advisories when updating Symfony 4 to 5
I am trying to update my Symfony 4.4.19 to Symfony 5.x, but I ran into two conflicts that block the process:
symfony/monolog-bundle and roave/security-advisories
I am running the command composer update "symfony/*" --with-all-dependencies
In the Symfony documentation on upgrading, it clearly states "Some libraries starting with symfony/ follow their own versioning scheme. You don't need to update these versions: you can upgrade them independently whenever you want", and the example given is... symfony/monolog-bundle
Updating dependencies
Problem 1
- Root composer.json requires symfony/monolog-bundle ^3.6 -> satisfiable by symfony/monolog-bundle[v3.6.0].
- symfony/monolog-bundle v3.6.0 requires symfony/http-kernel ~3.4 || ~4.0 || ^5.0 -> satisfiable by symfony/http-kernel[v5.0.0, ..., v5.0.11].
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.11.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.10.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.9.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.8.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.7.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.6.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.5.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.4.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.3.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.2.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.1.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.0.
- roave/security-advisories is locked to version dev-latest and an update of this package was not requested.
This is my composer.json, where I have replaced every 4.4 with 5.0:
{
    "type": "project",
    "version": "1.2.0",
    "license": "proprietary",
    "require": {
        "php": "^7.4.0",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "ext-intl": "*",
        "ext-json": "*",
        "abraham/twitteroauth": "^1.1",
        "excelwebzone/recaptcha-bundle": "^1.5",
        "facebook/graph-sdk": "^5.7",
        "friendsofsymfony/rest-bundle": "^3.0",
        "gesdinet/jwt-refresh-token-bundle": "^0.9.1",
        "hamhamfonfon/astrobin-ws": "^2.0",
        "jms/serializer-bundle": "^3.3",
        "lexik/jwt-authentication-bundle": "^2.6",
        "ruflin/elastica": "^6.0",
        "sensio/framework-extra-bundle": "^5.2",
        "symfony/asset": "^5.0",
        "symfony/console": "^5.0",
        "symfony/dotenv": "^5.0",
        "symfony/expression-language": "^5.0",
        "symfony/flex": "^1.11",
        "symfony/form": "^5.0",
        "symfony/framework-bundle": "^5.0",
        "symfony/google-mailer": "5.0",
        "symfony/http-client": "5.0",
        "symfony/intl": "^5.0",
        "symfony/mailer": "5.0.*",
        "symfony/monolog-bundle": "^3.6",
        "symfony/orm-pack": "^1.2",
        "symfony/process": "5.0.*",
        "symfony/requirements-checker": "^1.1",
        "symfony/security-bundle": "^5.0",
        "symfony/serializer": "^5.0",
        "symfony/stopwatch": "^5.0",
        "symfony/templating": "^5.0",
        "symfony/translation": "^5.0",
        "symfony/twig-bundle": "^5.0",
        "symfony/validator": "^5.0",
        "symfony/webpack-encore-bundle": "^1.0",
        "symfony/yaml": "^5.0",
        "twig/extensions": "^1.5"
    },
    //...
    "extra": {
        "symfony": {
            "allow-contrib": false,
            "require": "5.0.*"
        }
    },
    "require-dev": {
        "roave/security-advisories": "dev-latest",
        "symfony/maker-bundle": "^1.12",
        "symfony/profiler-pack": "^1.0",
        "symfony/var-dumper": "^5.0"
    }
}
Before replacing 4.4 with 5.0 I ran a composer update to make sure I was on the latest 4.4.x version.
The problem is not monolog-bundle; it is the following:
- monolog-bundle requires symfony/http-kernel ~3.4 || ~4.0 || ^5.0
- You restrict all Symfony components to 5.0 (by setting "extra" -> "symfony" -> "require" to 5.0.*). So the only requirement monolog-bundle can satisfy is http-kernel 5.0.*
- roave/security-advisories works by deliberately conflicting with library versions that have known security issues. In this case, every 5.0.* version is affected by CVE-2020-15094 (see https://symfony.com/blog/cve-2020-15094-prevent-rce-when-calling-untrusted-remote-with-cachinghttpclient) and is therefore blocked. So there is no valid version left and Composer aborts.
My suggestion: Symfony 5.0 is end of life, so use the current Symfony 5 release, 5.2.x (Composer constraint "^5.2"). Because Symfony uses strict semantic versioning, there is no downside to using 5.2 instead of 5.0 (i.e. all code that runs on 5.0 also runs on 5.2).
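To make the solver's dead end concrete, here is an added example (not from the question, the answer, or the roave/security-advisories project) that models a Composer `conflict` entry in the style that package uses and shows why `extra.symfony.require: "5.0.*"` leaves no installable `symfony/http-kernel` while `"^5.2"` does. The conflict range and the candidate tag list are constructed for the illustration, not copied from the real package.

```python
import re

# Constructed conflict entry in the style roave/security-advisories uses
# (vulnerable ranges listed as conflicts); NOT copied from the real package.
SAMPLE_CONFLICTS = {"symfony/http-kernel": ">=5.0,<5.1.5|>=4.4,<4.4.13"}

# Constructed candidate list: tags from the error above plus later tags.
CANDIDATES = ["v5.0.0", "v5.0.3", "v5.0.11", "v5.1.4", "v5.1.5", "v5.2.0"]

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "": lambda a, b: a == b}
_TERM = re.compile(r"^(>=|<=|>|<)?v?(\d+(?:\.\d+){0,2})$")


def parse_version(v):
    """'v5.0.11' -> (5, 0, 11), padded to three components."""
    parts = [int(p) for p in v.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def expand_shorthand(term):
    """'^5.2' -> '>=5.2,<6' and '5.0.*' -> '>=5.0,<5.1' (simplified:
    the 0.x caret special case of Composer is not modelled)."""
    if term.startswith("^"):
        return f">={term[1:]},<{parse_version(term[1:])[0] + 1}"
    if term.endswith(".*"):
        head = term[:-2].split(".")
        head[-1] = str(int(head[-1]) + 1)
        return f">={term[:-2]},<{'.'.join(head)}"
    return term


def _term_ok(ver, term):
    m = _TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    return _OPS[m.group(1) or ""](ver, parse_version(m.group(2)))


def satisfies(version, constraint):
    """Composer semantics: '|' separates OR groups, ',' separates AND terms."""
    ver = parse_version(version)
    for group in re.split(r"\s*\|\|?\s*", constraint.strip()):
        terms = ",".join(expand_shorthand(t.strip()) for t in group.split(","))
        if all(_term_ok(ver, t) for t in terms.split(",")):
            return True
    return False


def installable(package, candidates, root_constraint, conflicts=SAMPLE_CONFLICTS):
    """Versions allowed by the root constraint and not hit by a conflict rule."""
    rule = conflicts.get(package)
    return [v for v in candidates
            if satisfies(v, root_constraint) and not (rule and satisfies(v, rule))]
```

With `"5.0.*"` the list comes back empty, which is exactly the "no valid version" state Composer reported; with `"^5.2"` it contains v5.2.0.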