drupal-composer / drupal-security-advisories
License: Other
#17 Still includes constraints for each unsupported minor core version instead of a single constraint blocking all older core versions.
e.g.
8.0.4|>=8.0,<8.0.4|8.0.5|8.0.6|>=8.1,<8.1.10|8.1.10|>=8.2,<8.2.8|8.2.8|>=8.3,<8.3.9|8.3.9|>=8.4,<8.4.8|8.4.8|>=8.5,<8.5.15|8.5.15|>=8.6,<8.6.16|>=8.7,<8.7.5
Could be reduced to:
<8.6|>=8.6,<8.6.16|>=8.7,<8.7.5
I notice that the latest security release from yesterday hasn't popped up yet.
I did also notice that Drupal is one fix release behind and that the whole 10 branch is missing from tracking.
Are there any plans for maintaining the Drupal 10 version with this tool?
Last August there was an SA for the Forms Steps module (https://www.drupal.org/sa-contrib-2019-064).
In our CI pipeline, we tried using version 1.1 of the Forms Steps project with drush pm:security in hope to list that a security update was required, but we would not get any results.
I did some investigation with xdebug and I found out that the drush pm:security command uses the content of this file (https://github.com/drupal-composer/drupal-security-advisories/blob/8.x-v2/composer.json) from this project to compare it against your project installed modules.
From my understanding it should have been in there, but I'm not sure what is the process to get it in and if we can help in any way?
Thanks!
Hi @webflo @weitzman @drumm
we recently forked this repo under our org, in an attempt to:
We have found no mention of the license in the code (only in the generated artifact).
We were wondering if you could make this project's license explicit as open source in order to avoid any legal issue by forking and using this project in our org.
I noticed today that I am able to install known-insecure versions of Drupal. Here's the basic composer.json:
{
"require": {
"drupal-composer/drupal-security-advisories": "8.x-dev",
"drupal/core": "8.8.3"
}
}
And here's the steps that created that file and installed 8.8.3:
$ composer require drupal-composer/drupal-security-advisories:8.x-dev
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
- Installing drupal-composer/drupal-security-advisories (8.x-dev 413d689)
Writing lock file
Generating autoload files
$ composer require drupal/core:8.8.3
1/2: http://repo.packagist.org/p/provider-latest$d5afd90b02bfbb6d8156c98fadffd5a4b6dcad75f12e2ae09a0f3dd542122f0b.json
2/2: http://repo.packagist.org/p/provider-2020-01$f68a8a70594e85cc5d3310b12ad04413d62ea226078a785ee9727918e5c444f2.json
Finished: success: 2, skipped: 0, failure: 0, total: 2
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
1/1: https://codeload.github.com/drupal/core/legacy.zip/77971de6d6ade7366cdd3fadfc16c5d02e531446
Finished: success: 1, skipped: 0, failure: 0, total: 1
Package operations: 57 installs, 0 updates, 0 removals
- Installing pear/pear_exception (v1.0.1): Loading from cache
- Installing pear/console_getopt (v1.4.3): Loading from cache
- Installing pear/pear-core-minimal (v1.10.10): Loading from cache
- Installing pear/archive_tar (1.4.9): Loading from cache
- Installing psr/log (1.1.3): Loading from cache
- Installing symfony/polyfill-ctype (v1.17.0): Loading from cache
- Installing symfony/polyfill-mbstring (v1.17.0): Loading from cache
- Installing symfony/polyfill-php72 (v1.17.0): Loading from cache
- Installing symfony/polyfill-intl-idn (v1.17.0): Loading from cache
- Installing symfony/debug (v4.4.8): Loading from cache
- Installing psr/container (1.0.0): Loading from cache
- Installing symfony/polyfill-util (v1.17.0): Loading from cache
- Installing symfony/polyfill-php56 (v1.17.0): Loading from cache
- Installing paragonie/random_compat (v9.99.99): Loading from cache
- Installing symfony/polyfill-php70 (v1.17.0): Loading from cache
- Installing symfony/http-foundation (v3.4.40): Loading from cache
- Installing symfony/event-dispatcher (v3.4.40): Loading from cache
- Installing symfony/http-kernel (v3.4.40): Loading from cache
- Installing asm89/stack-cors (1.3.0): Loading from cache
- Installing composer/semver (1.5.1): Loading from cache
- Installing psr/http-message (1.0.1): Loading from cache
- Installing zendframework/zend-diactoros (1.8.7): Loading from cache
- Installing symfony/psr-http-message-bridge (v1.2.0): Loading from cache
- Installing masterminds/html5 (2.7.0): Loading from cache
- Installing doctrine/lexer (1.2.0): Loading from cache
- Installing egulias/email-validator (2.1.17): Loading from cache
- Installing stack/builder (v1.0.6): Loading from cache
- Installing zendframework/zend-stdlib (3.2.1): Loading from cache
- Installing zendframework/zend-escaper (2.6.1): Loading from cache
- Installing zendframework/zend-feed (2.12.0): Loading from cache
- Installing easyrdf/easyrdf (0.9.1): Loading from cache
- Installing symfony/routing (v3.4.40): Loading from cache
- Installing symfony-cmf/routing (1.4.1): Loading from cache
- Installing ralouphie/getallheaders (3.0.3): Loading from cache
- Installing guzzlehttp/psr7 (1.6.1): Loading from cache
- Installing guzzlehttp/promises (v1.3.1): Loading from cache
- Installing guzzlehttp/guzzle (6.5.3): Loading from cache
- Installing doctrine/annotations (1.10.2): Loading from cache
- Installing doctrine/reflection (1.2.1): Loading from cache
- Installing doctrine/event-manager (1.1.0): Loading from cache
- Installing doctrine/collections (1.6.4): Loading from cache
- Installing doctrine/cache (1.10.0): Loading from cache
- Installing doctrine/persistence (1.3.7): Loading from cache
- Installing doctrine/inflector (1.4.1): Loading from cache
- Installing doctrine/common (2.13.0): Loading from cache
- Installing twig/twig (v1.42.5): Loading from cache
- Installing typo3/phar-stream-wrapper (v3.1.4): Loading from cache
- Installing symfony/yaml (v3.4.40): Loading from cache
- Installing symfony/polyfill-iconv (v1.17.0): Loading from cache
- Installing symfony/process (v3.4.40): Loading from cache
- Installing symfony/translation (v3.4.40): Loading from cache
- Installing symfony/validator (v3.4.40): Loading from cache
- Installing symfony/serializer (v3.4.40): Loading from cache
- Installing symfony/dependency-injection (v3.4.40): Loading from cache
- Installing symfony/console (v3.4.40): Loading from cache
- Installing symfony/class-loader (v3.4.40): Loading from cache
- Installing drupal/core (8.8.3): Loading from cache
pear/archive_tar suggests installing ext-xz (Lzma2 compression support.)
paragonie/random_compat suggests installing ext-libsodium (Provides a modern crypto API that can be used to generate random bytes.)
symfony/http-kernel suggests installing symfony/browser-kit
symfony/http-kernel suggests installing symfony/config
symfony/http-kernel suggests installing symfony/finder
symfony/http-kernel suggests installing symfony/var-dumper
symfony/psr-http-message-bridge suggests installing nyholm/psr7 (For a super lightweight PSR-7/17 implementation)
zendframework/zend-feed suggests installing zendframework/zend-cache (Zend\Cache component, for optionally caching feeds between requests)
zendframework/zend-feed suggests installing zendframework/zend-db (Zend\Db component, for use with PubSubHubbub)
zendframework/zend-feed suggests installing zendframework/zend-http (Zend\Http for PubSubHubbub, and optionally for use with Zend\Feed\Reader)
zendframework/zend-feed suggests installing zendframework/zend-servicemanager (Zend\ServiceManager component, for easily extending ExtensionManager implementations)
zendframework/zend-feed suggests installing zendframework/zend-validator (Zend\Validator component, for validating email addresses used in Atom feeds and entries when using the Writer subcomponent)
easyrdf/easyrdf suggests installing ml/json-ld (~1.0)
symfony/routing suggests installing symfony/config (For using the all-in-one router or any loader)
symfony/routing suggests installing symfony/expression-language (For using expression matching)
guzzlehttp/psr7 suggests installing zendframework/zend-httphandlerrunner (Emit PSR-7 responses)
doctrine/cache suggests installing alcaeus/mongo-php-adapter (Required to use legacy MongoDB driver)
symfony/translation suggests installing symfony/config
symfony/validator suggests installing psr/cache-implementation (For using the metadata cache.)
symfony/validator suggests installing symfony/intl
symfony/validator suggests installing symfony/config
symfony/validator suggests installing symfony/property-access (For accessing properties within comparison constraints)
symfony/validator suggests installing symfony/expression-language (For using the Expression validator)
symfony/serializer suggests installing psr/cache-implementation (For using the metadata cache.)
symfony/serializer suggests installing symfony/property-info (To deserialize relations.)
symfony/serializer suggests installing symfony/config (For using the XML mapping loader.)
symfony/serializer suggests installing symfony/property-access (For using the ObjectNormalizer.)
symfony/dependency-injection suggests installing symfony/config
symfony/dependency-injection suggests installing symfony/finder (For using double-star glob patterns or when GLOB_BRACE portability is required)
symfony/dependency-injection suggests installing symfony/expression-language (For using expressions in service container configuration)
symfony/dependency-injection suggests installing symfony/proxy-manager-bridge (Generate service proxies to lazy load them)
symfony/console suggests installing symfony/lock
symfony/class-loader suggests installing symfony/polyfill-apcu (For using ApcClassLoader on HHVM)
Package zendframework/zend-diactoros is abandoned, you should avoid using it. Use laminas/laminas-diactoros instead.
Package zendframework/zend-stdlib is abandoned, you should avoid using it. Use laminas/laminas-stdlib instead.
Package zendframework/zend-escaper is abandoned, you should avoid using it. Use laminas/laminas-escaper instead.
Package zendframework/zend-feed is abandoned, you should avoid using it. Use laminas/laminas-feed instead.
Writing lock file
Generating autoload files
24 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
The conflict line in composer.lock currently is:
"drupal/core": "<8.0.0-beta2,<8.0.4,<8.1.3,<8.1.7,<8.1.10,<8.2.3,<8.2.7,<8.2.8,<8.3.1,<8.3.4,<8.3.7,<8.3.9,<8.4.6,<8.4.7,<8.4.8,<8.5.1,<8.5.2,<8.5.3,<8.5.6,<8.5.8,<8.5.9,<8.5.11,<8.5.14,<8.5.15,<8.6.2,<8.6.6,<8.6.10,<8.6.13,<8.6.15,<8.6.16,<8.7.0-rc1,<8.7.1,<8.7.5,<8.7.11,<8.7.12,<8.7.14,<8.8.1,<8.8.4,<8.8.6",
It looks like the problem occurs as soon as there is a constraint that is less than the selected version.
"conflict": {
"drupal/core": "<8.8.3,<8.8.4,<8.8.6"
},
Allows 8.8.3, while:
"conflict": {
"drupal/core": "<8.8.4,<8.8.6"
},
does not.
Luckily drush pm:security does pick up the SA, so I imagine most Drupal users are not unknowingly running insecure versions.
I think the problem is the use of a straight "and" in conflict, as noted in the composer docs. I get the correct behaviour with:
"drupal/core": "<8.7.14 || >8.8.0 <8.8.6"
which allows 8.7.14 and 8.8.6, but nothing else.
https://raw.githubusercontent.com/drupal-composer/drupal-security-advisories/8.x-v2/composer.json
Security update for 8.7.1 has been released and the list here has not updated to reflect this:
drupal/core: "8.0-alpha2|8.0-alpha3|8.0-alpha4|8.0-alpha5|8.0-alpha6|8.0-alpha7|8.0-alpha8|8.0-alpha9|8.0-alpha10|8.0-alpha11|8.0-alpha12|8.0-alpha13|8.0.0|8.0.0-alpha14|8.0.0-alpha15|8.0.0-beta1|8.0.0-beta2|8.0.0-beta3|8.0.0-beta4|8.0.0-beta6|8.0.0-beta7|8.0.0-beta9|8.0.0-beta10|8.0.0-beta11|8.0.0-beta12|8.0.0-beta13|8.0.0-beta14|8.0.0-beta15|8.0.0-beta16|8.0.0-rc1|8.0.0-rc2|8.0.0-rc3|8.0.0-rc4|8.0.1|8.0.2|8.0.3|8.0.4|8.0.5|8.0.6|8.1.0|8.1.0-beta1|8.1.0-beta2|8.1.0-rc1|8.1.1|8.1.2|8.1.3|8.1.4|8.1.5|8.1.6|8.1.7|8.1.8|8.1.9|8.1.10|8.2.0|8.2.0-beta1|8.2.0-beta2|8.2.0-beta3|8.2.0-rc1|8.2.0-rc2|8.2.1|8.2.2|8.2.3|8.2.4|8.2.5|8.2.6|8.2.7|8.2.8|8.3.0|8.3.0-alpha1|8.3.0-beta1|8.3.0-rc1|8.3.0-rc2|8.3.1|8.3.2|8.3.3|8.3.4|8.3.5|8.3.6|8.3.7|8.3.8|8.3.9|8.4.0|8.4.0-alpha1|8.4.0-beta1|8.4.0-rc1|8.4.0-rc2|8.4.1|8.4.2|8.4.3|8.4.4|8.4.5|8.4.6|8.4.7|8.4.8|8.5.0|8.5.0-alpha1|8.5.0-beta1|8.5.0-rc1|8.5.1|8.5.2|8.5.3|8.5.4|8.5.5|8.5.6|8.5.7|8.5.8|8.5.9|8.5.10|8.5.11|8.5.12|8.5.13|8.5.14|8.6.0|8.6.0-alpha1|8.6.0-beta1|8.6.0-beta2|8.6.0-rc1|8.6.1|8.6.2|8.6.3|8.6.4|8.6.5|8.6.6|8.6.7|8.6.8|8.6.9|8.6.10|8.6.11|8.6.12|8.6.13|8.6.14|8.7.0-alpha1|8.7.0-alpha2|8.7.0-beta1|8.7.0-beta2|>=8.0,<8.0.0-beta2|>=8.0,<8.0.4|>=8.1,<8.1.3|>=8.1,<8.1.7|>=8.1,<8.1.10|>=8.2,<8.2.3|>=8.2,<8.2.7|>=8.2,<8.2.8|>=8.3,<8.3.1|>=8.3,<8.3.4|>=8.3,<8.3.7|>=8.3,<8.3.9|>=8.4,<8.4.6|>=8.4,<8.4.7|>=8.4,<8.4.8|>=8.5,<8.5.1|>=8.5,<8.5.2|>=8.5,<8.5.3|>=8.5,<8.5.6|>=8.5,<8.5.8|>=8.5,<8.5.9|>=8.5,<8.5.11|>=8.5,<8.5.14|>=8.5,<8.5.15|>=8.6,<8.6.2|>=8.6,<8.6.6|>=8.6,<8.6.10|>=8.6,<8.6.13|>=8.6,<8.6.15|>=8.7,<8.7.0-rc1",
As of today the list for easy_breadcrumb looks like this https://github.com/drupal-composer/drupal-security-advisories/blob/6a96e7ef3da0583aef70579bb1c9d927928bbeeb/composer.json
But anything below <2.0.0 is not supported according to Drupal.org package and module update UI: https://www.drupal.org/project/easy_breadcrumb
https://www.drupal.org/node/2863103
Added more meta data to project status info - possibly should flag not-opted-in projects as well as known insecure ones?
Hi,
I stumbled into your package when analysing drush code (https://github.com/drush-ops/drush/blob/10.x/src/Commands/pm/SecurityUpdateCommands.php#L101) but I didn't find any reference in drupal.org.
Since it's about security, IMHO this repo and the drush mechanism should be documented in drupal.org and in the update status page (https://www.drupal.org/drupalorg/docs/apis/update-status-xml).
Also, even if the contributors are well-known members of the community, this repo should be moved into the official one (https://github.com/drupal) to reassure everyone, no?
One last remark, since the default branch is not updated at each security update, the project seems outdated.
Because there is a composer.json in the master branch, composer thinks that you can update to a newer version if you are on 8.x, for example.
This would be solved, I think, if the composer.json were removed from the master branch. It doesn't serve any practical purpose anyway, as far as I can tell...
Let's say a contrib module moves from having active support of both a 1.x and 2.x branch, but 1.x reaches EOL. Can we include a constraint for ^1? That would allow tools like drush sec to flag these versions as unsupported, even if there is not a corresponding security issue/release prompting its inclusion.
Similar in spirit to #7 but only for branches.
drupal-security-advisories/README.md
Line 12 in e8713d1
This line produces an error because the alias doesn't exist, I believe it should read
composer require drupal-composer/drupal-security-advisories:9.x-dev
Cross posting this: drush-ops/drush#3731
Drupal advisories are not correctly formatted in this repo which causes drush to provide inconsistent output.
The 8.x-v2 branch which is currently used by drush pm:security is out of date, with the last commit on May 8.
The branch which is used for drush pm:security is out-of-date, it does not add Drupal 8.9.17 as conflict
GraphQL version 3 is incorrectly marked as a conflict in this project, this causes issues with composer when trying to update existing dependencies or install new dependencies. The conflict is marked here:
drupal-security-advisories/composer.json
Line 49 in 432c09b
In the security advisory it's mentioned that the 3.x branch is not affected by the issue:
The 8.x-3.x branch is not affected by this issue.
Out of curiosity, why not use the same logic and APIs to build a static composer.json file like roave/security-advisories and set a cron job to update it. That way it can avoid the API calls.
As I understand it, it would be pretty easy to start the 9.x-v2 by copying the 8.x-v2 branch and enabling it on the build-v2 branch build.sh file: https://github.com/drupal-composer/drupal-security-advisories/blob/build-v2/build/build.sh.
Can we get this done?
"Security team only — this specific release is insecure, due to a future version being a security release."
https://www.drupal.org/taxonomy/term/188131
API Call: https://www.drupal.org/api-d7/node.json?type=project_release&taxonomy_vocabulary_7=188131&field_release_build_type=static
Hi,
As spotted by you, currently the generated composer file uses the version scheme from https://packagist.drupal-composer.org/ and not from drupal.org.
It causes issues when using drupal-composer/drupal-security-advisories with
"repositories": [
{
"type": "composer",
"url": "https://packages.drupal.org/8"
}
],
For example, the constraint on editor_file is set to <8.1.2 instead of 1.2.
Thx,
Hello, I think commit 982a740 has just caused an issue.
I'm getting this error:
drupal-composer/drupal-security-advisories 9.x-dev conflicts with drupal/core 10.0.11.
I wasn't getting this error before that commit was made, as I did an install earlier today and it was fine.
As far as I can tell from the composer.json file, drupal-security-advisories only verifies contributed modules and not Drupal core nor themes.
Ideally it would also verify Drupal core and contributed themes but if this is not possible then it would be useful to document the scope of the tool.
Hi,
Seeing Drush releases notes, I have tried to update my requirement in my project composer.json
"drupal-composer/drupal-security-advisories": "dev-9.x",
But it ended with:
Problem 1
- Root composer.json requires drupal-composer/drupal-security-advisories dev-9.x, found drupal-composer/drupal-security-advisories[dev-7.x-v2, dev-8.x-v2, 7.x-dev, 8.x-dev, 9.x-dev] but it does not match the constraint.
It seems that there is no dev-9.x alias for this branch.
README needs to be updated.
Examples are
API Call: https://www.drupal.org/api-d7/node.json?field_security_advisory_coverage=revoked
It appears that the 8.x branch of this project simply includes a static composer.json file. Are there plans to build out the 8.x branch to provide dynamic checks for security advisories?
Drupal 8.6.2
Drush 9.5.2
Looking at https://github.com/drupal-composer/drupal-security-advisories/blob/8.x/composer.json, here's three modules with insecure versions:
"conflict": {
"drupal/acquia_contenthub": "<1.0,<1.4",
...
"drupal/ds": "<2.7,<3.0",
...
"drupal/jsonapi": "<1.9,<1.10,<1.14,<1.16,<1.24,<2.0-rc4",
This package prevents installing insecure versions of the first two, but not for drupal/jsonapi.
$ composer require drupal-composer/drupal-security-advisories:8.x-dev
1/1: https://packages.drupal.org/8/drupal/provider-2018-4$a61ccb51d6803b735c3d76aa432c311ddd71f8204fc00e31195c4b3850d40dcd.json
Finished: success: 1, skipped: 0, failure: 0, total: 1
1/6: http://repo.packagist.org/p/provider-latest$8b008b9e1c52779ab8fd94ac6d1ddfedd0d7bbbdb9860b529b05e6262a27048b.json
2/6: http://repo.packagist.org/p/provider-2018$f41ad57c1f6d56528ce5748c9ff4be7be718496868ec77f2288af0e4b651e17d.json
3/6: http://repo.packagist.org/p/provider-2018-04$deafa8326236cb16301be545ff204760e8b30bd2ab7395d0416e7015874a8913.json
4/6: http://repo.packagist.org/p/provider-2018-07$0e729e9dbdd73b16ab3cd794a225dd4d9071d950483181fdeaa4a55a4f148047.json
5/6: http://repo.packagist.org/p/provider-2018-10$bec2a0a105145564e32fc6ef746ebd540433d6a660f549297d3ea999e3876be3.json
6/6: http://repo.packagist.org/p/provider-2017$309d183dd2c45d429711f53067ad0e2a386b934dd2126c25f6c51e777a30ff07.json
Finished: success: 6, skipped: 0, failure: 0, total: 6
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 0 updates, 1 removal
- Removing drupal/jsonapi (1.23.0)
Deleting docroot/modules/contrib/jsonapi - deleted
Generating autoload files
$ composer require 'drupal/acquia_contenthub:1.3'
1/2: https://packages.drupal.org/8/drupal/provider-2018-4$00245c276cfe524b6b0aa708fb68200ede3b74ea02c63eb4007f90c54b513736.json
2/2: https://packages.drupal.org/8/drupal/provider-2019-1$f15d2f9a3bd815dfad083d90557803aa1a46ab9e72deadf1e9fe713a7f61c37c.json
Finished: success: 2, skipped: 0, failure: 0, total: 2
1/7: http://repo.packagist.org/p/provider-latest$e802437252ac204e63320fb692aa0049f191adfe826b975c1663d2daf5e2ef3c.json
2/7: http://repo.packagist.org/p/provider-2018-04$deafa8326236cb16301be545ff204760e8b30bd2ab7395d0416e7015874a8913.json
3/7: http://repo.packagist.org/p/provider-2018$52b471ed75985c54e4108088a3cf35236da2765d60bf2d6b224bdf425f1abc71.json
4/7: http://repo.packagist.org/p/provider-2018-07$e26e5dad35649ca5fabeab9f9454e60164017d81b0911522b7335bc0a23249a1.json
5/7: http://repo.packagist.org/p/provider-2018-10$b0feb1d58346c505da5ae7cda4d50b6a819399866503b8cfa921787b3c6addd2.json
6/7: http://repo.packagist.org/p/provider-2017$309d183dd2c45d429711f53067ad0e2a386b934dd2126c25f6c51e777a30ff07.json
7/7: http://repo.packagist.org/p/provider-2016$3ebaeca74c4c7ef4af1a514ff3eb3354e8ecec97331eec58b40a9e7adac03202.json
Finished: success: 7, skipped: 0, failure: 0, total: 7
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.
Problem 1
- drupal/acquia_contenthub 1.3.0 requires acquia/content-hub-php dev-master -> no matching package found.
- drupal/acquia_contenthub 1.3.0 requires acquia/content-hub-php dev-master -> no matching package found.
- Installation request for drupal/acquia_contenthub 1.3 -> satisfiable by drupal/acquia_contenthub[1.3.0].
Potential causes:
- A typo in the package name
- The package is not available in a stable-enough version according to your minimum-stability setting
see <https://getcomposer.org/doc/04-schema.md#minimum-stability> for more details.
- It's a private package and you forgot to add a custom repository to find it
Read <https://getcomposer.org/doc/articles/troubleshooting.md> for further common problems.
Installation failed, reverting ./composer.json to its original content.
$ composer require 'drupal/ds:2.6'
1/1: https://packages.drupal.org/8/drupal/provider-2019-1$3f231306589fb84ccba9b3b5a171827af1a84bc46487147582bd49afeb7b6e0b.json
Finished: success: 1, skipped: 0, failure: 0, total: 1
1/5: http://repo.packagist.org/p/provider-latest$4540a197e56286f08d8f79c96097640279d1f706d3096730a45787cb7b2a6d21.json
2/5: http://repo.packagist.org/p/provider-2018-04$b4158682ed5588732bab4286ac3bb91a40dd7131367c4c2d0d6a882ce97a1162.json
3/5: http://repo.packagist.org/p/provider-2018$eb2ececaf43cfba88cd840307ef1b0aa8e3851840fe22ec79ebbd730b0f9fc2e.json
4/5: http://repo.packagist.org/p/provider-2018-07$2c2d1aa78b29509d891d23fce313833bb64919b296e15435b7e4091d1a42c26d.json
5/5: http://repo.packagist.org/p/provider-2018-10$c0eb49eb0ede88abe51609a1a94d0f3234ce2756f2cce475c001f9d41f96cb8c.json
Finished: success: 5, skipped: 0, failure: 0, total: 5
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.
Problem 1
- Conclusion: remove drupal-composer/drupal-security-advisories 8.x-dev
- Conclusion: don't install drupal-composer/drupal-security-advisories 8.x-dev
- drupal/ds 2.6.0 conflicts with drupal-composer/drupal-security-advisories[8.x-dev].
- drupal/ds 2.6.0 conflicts with drupal-composer/drupal-security-advisories[8.x-dev].
- Installation request for drupal-composer/drupal-security-advisories 8.x-dev -> satisfiable by drupal-composer/drupal-security-advisories[8.x-dev].
- Installation request for drupal/ds 2.6 -> satisfiable by drupal/ds[2.6.0].
Installation failed, reverting ./composer.json to its original content.
$ composer require 'drupal/jsonapi:1.23'
1/2: http://repo.packagist.org/p/provider-latest$5345b6f665a312ce19872c121c8e6ba8220625eb1483c5b22b03d7b600176d41.json
2/2: http://repo.packagist.org/p/provider-2018-10$16e4d3f11a5e9d600ba46d9031273c1a806d137094f6a3afa6c26de793d99092.json
Finished: success: 2, skipped: 0, failure: 0, total: 2
./composer.json has been updated
1/2: http://repo.packagist.org/p/provider-latest$5345b6f665a312ce19872c121c8e6ba8220625eb1483c5b22b03d7b600176d41.json
2/2: http://repo.packagist.org/p/provider-2018-10$16e4d3f11a5e9d600ba46d9031273c1a806d137094f6a3afa6c26de793d99092.json
Finished: success: 2, skipped: 0, failure: 0, total: 2
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
- Installing drupal/jsonapi (1.23.0): Loading from cache
Writing lock file
Generating autoload files
$ composer require 'drupal/jsonapi:1.20'
./composer.json has been updated
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 1 update, 0 removals
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
- Downgrading drupal/jsonapi (1.23.0 => 1.20.0): Loading from cache
Writing lock file
Generating autoload files
Am I missing something, or is this a bug?
Thank you!
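The drupal/core 8.8.3 report and the drupal/jsonapi 1.23 report above share one cause, shown here as an added example (not code from this project or from Composer): in a Composer constraint `,` or a space means AND and `|`/`||` means OR, so a comma-joined list of `<` bounds only enforces the lowest one. The version ordering is a simplification and `masked_upper_bounds` is a hypothetical lint helper; the constraint strings are the ones quoted on this page.

```python
import re

# Simplified ordering (assumption of this example): numeric parts, then a
# stability rank so 2.0-rc4 sorts below 2.0. Composer normalises more cases.
_STABILITY = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, "": 4}
_VERSION = re.compile(r"v?(\d+(?:\.\d+)*)(?:-?(dev|alpha|beta|rc)(\d*))?", re.I)
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # 8.6 compares equal to 8.6.0.0
    return (tuple(nums), _STABILITY[(m.group(2) or "").lower()], int(m.group(3) or 0))


def parse_constraint(text):
    """Return OR-alternatives; each is a list of AND-ed (op, version, raw) terms."""
    alternatives = []
    for alt in re.split(r"\s*\|\|?\s*", text.strip()):
        terms = []
        for raw in filter(None, re.split(r"[,\s]+", alt)):
            op, ver = re.fullmatch(r"(<=|>=|<|>|=)?(.+)", raw).groups()
            terms.append((op or "=", parse_version(ver), raw))
        if terms:
            alternatives.append(terms)
    return alternatives


def conflicts(constraint, version):
    """True if `version` falls inside the conflict constraint (install is blocked)."""
    v = parse_version(version)
    return any(
        all(_OPS[op](v, bound) for op, bound, _ in terms)
        for terms in parse_constraint(constraint)
    )


def masked_upper_bounds(constraint):
    """Upper bounds that can never fire: a lower one is AND-ed in the same group."""
    masked = []
    for terms in parse_constraint(constraint):
        uppers = sorted((b, raw) for op, b, raw in terms if op in ("<", "<="))
        masked += [raw for _, raw in uppers[1:]]
    return masked


# Constraint strings quoted on this page.
CORE_AND = "<8.8.3,<8.8.4,<8.8.6"
CORE_AND_TRIMMED = "<8.8.4,<8.8.6"
CORE_PER_BRANCH = "<8.6|>=8.6,<8.6.16|>=8.7,<8.7.5"
JSONAPI_AND = "<1.9,<1.10,<1.14,<1.16,<1.24,<2.0-rc4"
DS_AND = "<2.7,<3.0"

if __name__ == "__main__":
    checks = [
        ("drupal/core", CORE_AND, "8.8.3"),
        ("drupal/core", CORE_AND_TRIMMED, "8.8.3"),
        ("drupal/core", CORE_PER_BRANCH, "8.6.15"),
        ("drupal/jsonapi", JSONAPI_AND, "1.23"),
        ("drupal/ds", DS_AND, "2.6"),
    ]
    for package, constraint, version in checks:
        verdict = "blocked" if conflicts(constraint, version) else "ALLOWED"
        print(f"{package} {version}: {verdict}  masked={masked_upper_bounds(constraint)}")
```

A non-empty `masked_upper_bounds` result for a conflict entry means only its lowest bound is enforced, which is the condition to alert on when auditing a generated advisories file.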