[TASK] Replace former extension packages using self.version
The so-called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory [2] is submitted for the replaced packages.

The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: https://github.com/Roave/SecurityAdvisories/issues/127#issuecomment-1933647035

[1] https://getcomposer.org/doc/04-schema.md#replace
[2] https://github.com/advisories/GHSA-cgr9-h9qq-x9fx

Resolves: #103082
Releases: main, 13.0, 12.4, 11.5
Change-Id: I6353df15d6cbf039bab60644a103669495b26605
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>
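As an added example (not part of this change or of the TYPO3 code base), a small Python check that flags `*` entries in a composer.json `replace` map, the pattern the commit message warns about, and rewrites them to `self.version`; the package names in the embedded sample are hypothetical placeholders.

```python
import json

# Constructed sample composer.json; the package names are hypothetical
# placeholders, not the real TYPO3 package names.
DEATH_STAR_REPLACE = """
{
  "name": "vendor/new-extension",
  "replace": {
    "vendor/legacy-extension": "*",
    "vendor/other-extension": "self.version"
  }
}
"""


def wildcard_replacements(composer_json: str) -> dict[str, str]:
    """Return the `replace` entries whose constraint is the '*' death star.

    Such an entry claims every version of the replaced package, so an advisory
    filed against an old version of it also matches the replacing package.
    'self.version' and explicit constraints are left alone.
    """
    data = json.loads(composer_json)
    return {
        name: constraint
        for name, constraint in data.get("replace", {}).items()
        if constraint.strip() == "*"
    }


def pin_replacements_to_self_version(composer_json: str) -> str:
    """Rewrite every '*' replacement to 'self.version'; return the new JSON text.

    Key order and 2-space indentation are preserved so the resulting diff
    against the original file stays small.
    """
    data = json.loads(composer_json)
    for name in wildcard_replacements(composer_json):
        data["replace"][name] = "self.version"
    return json.dumps(data, indent=2) + "\n"


if __name__ == "__main__":
    print("death star entries:", wildcard_replacements(DEATH_STAR_REPLACE))
    print(pin_replacements_to_self_version(DEATH_STAR_REPLACE))
```

Run it over each `composer.json` under `typo3/sysext/` to confirm no `*` replacement remains after the change.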
Showing 4 changed files:
- typo3/sysext/backend/composer.json (8 additions, 8 deletions)
- typo3/sysext/core/composer.json (3 additions, 3 deletions)
- typo3/sysext/info/composer.json (1 addition, 1 deletion)
- typo3/sysext/workspaces/composer.json (1 addition, 1 deletion)