Ignore and/or report invalid package names in github security advisories #209

Ocramius · 2020-10-20T08:26:25Z

GHSA-6gw4-x63h-5499 caused this to break (I had to contact the folks at @Sylius directly to get it fixed).

Basically, sylius\sylius was entered instead of sylius/sylius.

I think we can do two things:

fail the build completely (good first step)
ignore the packages and raise a warning (problematic, as we won't really notice it)

The text was updated successfully, but these errors were encountered:

slash3b · 2020-10-30T21:28:09Z

do you think it makes sense to implement a simple validator-corrector for package name ?

Ocramius · 2020-11-01T19:20:52Z

Thank you, @slash3b! \o/

Ocramius · 2020-11-01T19:27:04Z

do you think it makes sense to implement a simple validator-corrector for package name ?

This is already part of upstream composer tooling - I'm wondering if we should somehow notify github security about this problem in their feeds 🤔

slash3b · 2020-11-02T20:29:50Z

thank you, @Ocramius ^^

I did ask the one who published advisory to edit it. Waiting for a reply.

slash3b · 2020-11-07T13:43:21Z

It was corrected. We are good to go \o/

Ocramius · 2020-11-07T14:47:06Z

Yup, the problem is that this will happen again 😅

Ocramius added the bug label Oct 20, 2020

Ocramius mentioned this issue Nov 1, 2020

Issues/209 A quick possible fix for package name issue #236

Merged

Ocramius closed this as completed in #236 Nov 1, 2020

Provide feedback