
drupal-security-advisories's Issues

Optimize constraint for unsupported minor core versions

#17 Still includes constraints for each unsupported minor core version instead of a single constraint blocking all older core versions.

e.g.
8.0.4|>=8.0,<8.0.4|8.0.5|8.0.6|>=8.1,<8.1.10|8.1.10|>=8.2,<8.2.8|8.2.8|>=8.3,<8.3.9|8.3.9|>=8.4,<8.4.8|8.4.8|>=8.5,<8.5.15|8.5.15|>=8.6,<8.6.16|>=8.7,<8.7.5

Could be reduced to:
<8.6|>=8.6,<8.6.16|>=8.7,<8.7.5

Latest security releases are missing

I notice that the latest security release from yesterday hasn't popped up yet.

I did also notice that Drupal is one fix release behind and that the whole 10 branch is missing from tracking.

Are there any plans for maintaining the Drupal 10 version with this tool?

Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Last August there was an SA for the Forms Steps module (https://www.drupal.org/sa-contrib-2019-064).

In our CI pipeline, we tried using version 1.1 of the Forms Steps project with drush pm:security in the hope that it would list that a security update was required, but we would not get any results.

I did some investigation with xdebug and I found out that the drush pm:security command uses the content of this file (https://github.com/drupal-composer/drupal-security-advisories/blob/8.x-v2/composer.json) from this project to compare it against your project's installed modules.

From my understanding it should have been in there, but I'm not sure what the process is to get it in and whether we can help in any way?

Thanks!

Explicit License

Hi @webflo @weitzman @drumm
we recently forked this repo under our org, in an attempt to:

  • manage on our end the code contributions (we liked tuutti's recent contribution)
  • have a "backup strategy" to generate the resulting composer.json with the SA conflicts.

We have found no mention of the license in the code (only in the generated artifact).
We were wondering if you could make this project's license explicit as open source in order to avoid any legal issue by forking and using this project in our org.

Incorrect conflict line allows installations of insecure Drupal core versions

I noticed today that I am able to install known-insecure versions of Drupal. Here's the basic composer.json:

{
    "require": {
        "drupal-composer/drupal-security-advisories": "8.x-dev",
        "drupal/core": "8.8.3"
    }
}

And here are the steps that created that file and installed 8.8.3:

$ composer require drupal-composer/drupal-security-advisories:8.x-dev
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing drupal-composer/drupal-security-advisories (8.x-dev 413d689)
Writing lock file
Generating autoload files
$ composer require drupal/core:8.8.3
    1/2:	http://repo.packagist.org/p/provider-latest$d5afd90b02bfbb6d8156c98fadffd5a4b6dcad75f12e2ae09a0f3dd542122f0b.json
    2/2:	http://repo.packagist.org/p/provider-2020-01$f68a8a70594e85cc5d3310b12ad04413d62ea226078a785ee9727918e5c444f2.json
    Finished: success: 2, skipped: 0, failure: 0, total: 2
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
    1/1:	https://codeload.github.com/drupal/core/legacy.zip/77971de6d6ade7366cdd3fadfc16c5d02e531446
    Finished: success: 1, skipped: 0, failure: 0, total: 1
Package operations: 57 installs, 0 updates, 0 removals
  - Installing drupal/core (8.8.3): Loading from cache
Writing lock file
Generating autoload files
24 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

The conflict line in composer.lock currently is:

                "drupal/core": "<8.0.0-beta2,<8.0.4,<8.1.3,<8.1.7,<8.1.10,<8.2.3,<8.2.7,<8.2.8,<8.3.1,<8.3.4,<8.3.7,<8.3.9,<8.4.6,<8.4.7,<8.4.8,<8.5.1,<8.5.2,<8.5.3,<8.5.6,<8.5.8,<8.5.9,<8.5.11,<8.5.14,<8.5.15,<8.6.2,<8.6.6,<8.6.10,<8.6.13,<8.6.15,<8.6.16,<8.7.0-rc1,<8.7.1,<8.7.5,<8.7.11,<8.7.12,<8.7.14,<8.8.1,<8.8.4,<8.8.6",

It looks like the problem occurs as soon as there is a constraint that is less than the selected version.

  "conflict": {
    "drupal/core": "<8.8.3,<8.8.4,<8.8.6"
  },

Allows 8.8.3, while:

  "conflict": {
    "drupal/core": "<8.8.4,<8.8.6"
  },

does not.

Luckily drush pm:security does pick up the SA, so I imagine most Drupal users are not unknowingly running insecure versions.

I think the problem is the use of a straight AND in conflict, as noted in the Composer docs. I get the correct behaviour with:

"drupal/core": "<8.7.14 || >8.8.0 <8.8.6"

which allows 8.7.14 and 8.8.6, but nothing else.

Core updates in composer.json need to be updated more quickly after a release

https://raw.githubusercontent.com/drupal-composer/drupal-security-advisories/8.x-v2/composer.json

Security update for 8.7.1 has been released and the list here has not updated to reflect this:

drupal/core: "8.0-alpha2|8.0-alpha3|8.0-alpha4|8.0-alpha5|8.0-alpha6|8.0-alpha7|8.0-alpha8|8.0-alpha9|8.0-alpha10|8.0-alpha11|8.0-alpha12|8.0-alpha13|8.0.0|8.0.0-alpha14|8.0.0-alpha15|8.0.0-beta1|8.0.0-beta2|8.0.0-beta3|8.0.0-beta4|8.0.0-beta6|8.0.0-beta7|8.0.0-beta9|8.0.0-beta10|8.0.0-beta11|8.0.0-beta12|8.0.0-beta13|8.0.0-beta14|8.0.0-beta15|8.0.0-beta16|8.0.0-rc1|8.0.0-rc2|8.0.0-rc3|8.0.0-rc4|8.0.1|8.0.2|8.0.3|8.0.4|8.0.5|8.0.6|8.1.0|8.1.0-beta1|8.1.0-beta2|8.1.0-rc1|8.1.1|8.1.2|8.1.3|8.1.4|8.1.5|8.1.6|8.1.7|8.1.8|8.1.9|8.1.10|8.2.0|8.2.0-beta1|8.2.0-beta2|8.2.0-beta3|8.2.0-rc1|8.2.0-rc2|8.2.1|8.2.2|8.2.3|8.2.4|8.2.5|8.2.6|8.2.7|8.2.8|8.3.0|8.3.0-alpha1|8.3.0-beta1|8.3.0-rc1|8.3.0-rc2|8.3.1|8.3.2|8.3.3|8.3.4|8.3.5|8.3.6|8.3.7|8.3.8|8.3.9|8.4.0|8.4.0-alpha1|8.4.0-beta1|8.4.0-rc1|8.4.0-rc2|8.4.1|8.4.2|8.4.3|8.4.4|8.4.5|8.4.6|8.4.7|8.4.8|8.5.0|8.5.0-alpha1|8.5.0-beta1|8.5.0-rc1|8.5.1|8.5.2|8.5.3|8.5.4|8.5.5|8.5.6|8.5.7|8.5.8|8.5.9|8.5.10|8.5.11|8.5.12|8.5.13|8.5.14|8.6.0|8.6.0-alpha1|8.6.0-beta1|8.6.0-beta2|8.6.0-rc1|8.6.1|8.6.2|8.6.3|8.6.4|8.6.5|8.6.6|8.6.7|8.6.8|8.6.9|8.6.10|8.6.11|8.6.12|8.6.13|8.6.14|8.7.0-alpha1|8.7.0-alpha2|8.7.0-beta1|8.7.0-beta2|>=8.0,<8.0.0-beta2|>=8.0,<8.0.4|>=8.1,<8.1.3|>=8.1,<8.1.7|>=8.1,<8.1.10|>=8.2,<8.2.3|>=8.2,<8.2.7|>=8.2,<8.2.8|>=8.3,<8.3.1|>=8.3,<8.3.4|>=8.3,<8.3.7|>=8.3,<8.3.9|>=8.4,<8.4.6|>=8.4,<8.4.7|>=8.4,<8.4.8|>=8.5,<8.5.1|>=8.5,<8.5.2|>=8.5,<8.5.3|>=8.5,<8.5.6|>=8.5,<8.5.8|>=8.5,<8.5.9|>=8.5,<8.5.11|>=8.5,<8.5.14|>=8.5,<8.5.15|>=8.6,<8.6.2|>=8.6,<8.6.6|>=8.6,<8.6.10|>=8.6,<8.6.13|>=8.6,<8.6.15|>=8.7,<8.7.0-rc1",

Is it a safe alternative to Drupal Core's update module?

Hi,

I stumbled upon your package when analysing drush code (https://github.com/drush-ops/drush/blob/10.x/src/Commands/pm/SecurityUpdateCommands.php#L101) but I didn't find any reference on drupal.org.

Since it's about security, IMHO this repo and the drush mechanism should be documented in drupal.org and in the update status page (https://www.drupal.org/drupalorg/docs/apis/update-status-xml).

Also, even if the contributors are well-known members of the community, this repo should be moved into the official one (https://github.com/drupal) to reassure everyone, no?

One last remark, since the default branch is not updated at each security update, the project seems outdated.

composer outdated reports this project as outdated

Because there is a composer.json in the master branch, composer thinks that you can update to a newer version if you are on 8.x, for example.

This would be solved, I think, if the composer.json were removed from the master branch. It doesn't serve any practical purpose anyway, as far as I can tell...

Include major versions of contrib modules which are marked unsupported

Let's say a contrib module moves from having active support of both a 1.x and 2.x branch, but 1.x reaches EOL. Can we include a constraint for ^1? That would allow tools like drush sec to flag these versions as unsupported, even if there is not a corresponding security issue/release prompting its inclusion.

Similar in spirit to #7 but only for branches.

8.x-v2 branch is out of date

The 8.x-v2 branch which is currently used by drush pm:security is out of date, with the last commit on May 8.

Drupal GraphQL version 3.x is incorrectly marked as vulnerable

GraphQL version 3 is incorrectly marked as a conflict in this project; this causes issues with composer when trying to update existing dependencies or install new dependencies. The conflict is marked here:

"drupal/graphql": "<4.1",

In the security advisory it's mentioned that the 3.x branch is not affected by the issue:

The 8.x-3.x branch is not affected by this issue.

https://www.drupal.org/sa-contrib-2021-013

Build a static list?

Out of curiosity, why not use the same logic and APIs to build a static composer.json file like roave/security-advisories and set a cron job to update it. That way it can avoid the API calls.

Create a drupal.org compatible version.

Hi,

As spotted by you, currently the generated composer file uses the version scheme from https://packagist.drupal-composer.org/ and not from drupal.org.

It causes issues when using drupal-composer/drupal-security-advisories with

"repositories": [
{
  "type": "composer",
  "url": "https://packages.drupal.org/8"
}
],

For example, the constraint on editor_file is set to <8.1.2 instead of 1.2.

Thx,

Composer error

Hello, I think commit 982a740 has just caused an issue.

I'm getting this error:
drupal-composer/drupal-security-advisories 9.x-dev conflicts with drupal/core 10.0.11.

I wasn't getting this error before that commit was made, as I did an install earlier today and it was fine.

Drupal core and themes?

As far as I can tell from the composer.json file, drupal-security-advisories only verifies contributed modules and not Drupal core nor themes.

Ideally it would also verify Drupal core and contributed themes but if this is not possible then it would be useful to document the scope of the tool.

dev-9.x alias does not exist

Hi,

Seeing the Drush release notes, I have tried to update my requirement in my project composer.json

        "drupal-composer/drupal-security-advisories": "dev-9.x",

But it ended with:

 Problem 1
    - Root composer.json requires drupal-composer/drupal-security-advisories dev-9.x, found drupal-composer/drupal-security-advisories[dev-7.x-v2, dev-8.x-v2, 7.x-dev, 8.x-dev, 9.x-dev] but it does not match the constraint.

It seems that there is no dev-9.x alias for this branch.

README needs to be updated.

D8 Support

It appears that the 8.x branch of this project simply includes a static composer.json file. Are there plans to build out the 8.x branch to provide dynamic checks for security advisories?

Allows install of insecure jsonapi module

Drupal 8.6.2
Drush 9.5.2

Looking at https://github.com/drupal-composer/drupal-security-advisories/blob/8.x/composer.json, here are three modules with insecure versions:

    "conflict": {
        "drupal/acquia_contenthub": "<1.0,<1.4",
...
        "drupal/ds": "<2.7,<3.0",
...
        "drupal/jsonapi": "<1.9,<1.10,<1.14,<1.16,<1.24,<2.0-rc4",

This package prevents installing insecure versions of the first two, but not of drupal/jsonapi.

Demo

Install

$ composer require drupal-composer/drupal-security-advisories:8.x-dev
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 0 updates, 1 removal
  - Removing drupal/jsonapi (1.23.0)
Deleting docroot/modules/contrib/jsonapi - deleted
Generating autoload files

Correctly prevents insecure install

$ composer require 'drupal/acquia_contenthub:1.3'
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - drupal/acquia_contenthub 1.3.0 requires acquia/content-hub-php dev-master -> no matching package found.
    - drupal/acquia_contenthub 1.3.0 requires acquia/content-hub-php dev-master -> no matching package found.
    - Installation request for drupal/acquia_contenthub 1.3 -> satisfiable by drupal/acquia_contenthub[1.3.0].

Potential causes:
 - A typo in the package name
 - The package is not available in a stable-enough version according to your minimum-stability setting
   see <https://getcomposer.org/doc/04-schema.md#minimum-stability> for more details.
 - It's a private package and you forgot to add a custom repository to find it

Read <https://getcomposer.org/doc/articles/troubleshooting.md> for further common problems.

Installation failed, reverting ./composer.json to its original content.

Correctly prevents insecure install

$ composer require 'drupal/ds:2.6'
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Conclusion: remove drupal-composer/drupal-security-advisories 8.x-dev
    - Conclusion: don't install drupal-composer/drupal-security-advisories 8.x-dev
    - drupal/ds 2.6.0 conflicts with drupal-composer/drupal-security-advisories[8.x-dev].
    - drupal/ds 2.6.0 conflicts with drupal-composer/drupal-security-advisories[8.x-dev].
    - Installation request for drupal-composer/drupal-security-advisories 8.x-dev -> satisfiable by drupal-composer/drupal-security-advisories[8.x-dev].
    - Installation request for drupal/ds 2.6 -> satisfiable by drupal/ds[2.6.0].


Installation failed, reverting ./composer.json to its original content.

Incorrectly allows insecure install

$ composer require 'drupal/jsonapi:1.23'
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
  - Installing drupal/jsonapi (1.23.0): Loading from cache
Writing lock file
Generating autoload files

Incorrectly allows insecure install

$ composer require 'drupal/jsonapi:1.20'
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 1 update, 0 removals
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
  - Downgrading drupal/jsonapi (1.23.0 => 1.20.0): Loading from cache
Writing lock file
Generating autoload files

Am I missing something, or is this a bug?

Thank you!
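Both the core conflict issue above (the "<8.8.3,<8.8.4,<8.8.6" line) and this jsonapi report come down to the same Composer rule: inside one constraint string a comma (or whitespace) means AND and "||" means OR, so a comma-joined list of "<x" bounds only blocks versions below the smallest bound. The Python below is an added illustration, not this project's code or Composer's own semver library; it re-implements only the constraint subset seen in these issues and evaluates the conflict strings quoted above against constructed version lists.

```python
"""Simplified evaluator for Composer "conflict" constraints (added illustration,
not Composer's semver library).  Supported subset: <, <=, >, >=, ==, !=, bare
version (exact), ',' or whitespace as AND, '||' or '|' as OR, alpha/beta/rc."""
import re
from typing import List

# Composer stability ordering used for pre-release suffixes (dev is not modelled).
_STABILITY = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}
_STABLE = 3


def parse_version(text: str) -> tuple:
    """'8.8.3' -> ((8, 8, 3, 0), 3, 0); '2.0-rc4' -> ((2, 0, 0, 0), 2, 4).

    Missing components are padded with 0, so '8.0-alpha2' == '8.0.0-alpha2'.
    """
    m = re.fullmatch(
        r"v?(\d+(?:\.\d+){0,3})(?:[-.]?(alpha|beta|rc|a|b)(\d*))?",
        text.strip(),
        re.IGNORECASE,
    )
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    if m.group(2):
        return tuple(nums), _STABILITY[m.group(2).lower()], int(m.group(3) or 0)
    return tuple(nums), _STABLE, 0


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def _term_matches(version: tuple, term: str) -> bool:
    """Evaluate one comparison term such as '<8.8.6' or '8.0.4' (bare = exact)."""
    m = re.fullmatch(r"(<=|>=|!=|==|<|>|=)?(.+)", term)
    op = m.group(1) or "=="
    if op == "=":
        op = "=="
    return _OPS[op](version, parse_version(m.group(2)))


def matches(version_text: str, constraint: str) -> bool:
    """True when the version satisfies the constraint.

    Composer semantics: '||' (or '|') separates OR alternatives; inside one
    alternative ',' and whitespace both mean AND, so every term must hold.
    """
    version = parse_version(version_text)
    for alternative in re.split(r"\|\|?", constraint):
        terms = [t for t in re.split(r"[,\s]+", alternative) if t]
        if terms and all(_term_matches(version, t) for t in terms):
            return True
    return False


def blocked_versions(conflict: str, candidates: List[str]) -> List[str]:
    """Versions from `candidates` that a composer.json conflict entry would refuse."""
    return [v for v in candidates if matches(v, conflict)]


# Constraints quoted in the issues above; the candidate version lists are constructed.
CORE_VERSIONS = ["8.7.13", "8.7.14", "8.8.2", "8.8.3", "8.8.4", "8.8.5", "8.8.6", "8.8.7"]
CORE_COMMA_AND = "<8.8.3,<8.8.4,<8.8.6"        # reported: lets 8.8.3 through
CORE_COMMA_AND_SHORT = "<8.8.4,<8.8.6"         # reported: blocks 8.8.3
CORE_FIXED = "<8.7.14 || >8.8.0 <8.8.6"        # proposed OR form

JSONAPI_VERSIONS = ["1.8", "1.20", "1.23", "1.24", "2.0-rc4", "2.0"]
JSONAPI_CONFLICT = "<1.9,<1.10,<1.14,<1.16,<1.24,<2.0-rc4"
DS_CONFLICT = "<2.7,<3.0"

if __name__ == "__main__":
    for label, c in [("buggy", CORE_COMMA_AND), ("short", CORE_COMMA_AND_SHORT), ("fixed", CORE_FIXED)]:
        print(f"{label:6} {c!r:32} blocks {blocked_versions(c, CORE_VERSIONS)}")
    print("jsonapi", blocked_versions(JSONAPI_CONFLICT, JSONAPI_VERSIONS))
    print("ds     ", blocked_versions(DS_CONFLICT, ["2.6", "2.7", "3.0"]))
```

Running it shows the comma-joined jsonapi entry collapsing to "<1.9", which is why 1.20 and 1.23 install without complaint, while the ds entry collapses to "<2.7" and still blocks 2.6.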
