Bunch of dependencies have security vulnerabilities #5233
Comments
Hello @hostep, Thank you for reporting this. You pointed out an important topic we are aware of. We plan to fix it but I can't give you an estimate time of resolution. If you are interested, you could contribute by opening a pull request on the master branch. We would be happy to help you by reviewing your fix and by taking care of all the tests. All you need to know is on our contribution guide: https://docs.akeneo.com/1.6/contributing/contribution_guide.html Regards,
Hi Fabien, here is some info you might find interesting, if I change these version constraints of the
diff --git a/composer.json b/composer.json
index 2c27f5e..20477bc 100644
--- a/composer.json
+++ b/composer.json
@@ -23,16 +23,16 @@
"php": ">=5.6.0",
"apy/jsfv-bundle": "2.0.1",
"ass/xmlsecurity": "1.1.1",
- "doctrine/annotations": "1.2.6",
+ "doctrine/annotations": "1.2.*",
"doctrine/cache": "1.6.0",
- "doctrine/common": "2.4.2",
+ "doctrine/common": "2.4.*",
"doctrine/data-fixtures": "1.0.0",
- "doctrine/doctrine-bundle": "1.2.0",
+ "doctrine/doctrine-bundle": "^1.2",
"doctrine/doctrine-fixtures-bundle": "2.2.0",
"doctrine/doctrine-migrations-bundle": "1.1.0",
"doctrine/migrations": "1.2.2",
- "doctrine/orm": "2.4.7",
- "dompdf/dompdf" : "0.6.1",
+ "doctrine/orm": "2.4.*",
+ "dompdf/dompdf" : "0.6.*",
"escapestudios/wsse-authentication-bundle": "2.0.2",
"friendsofsymfony/jsrouting-bundle": "1.5.4",
"friendsofsymfony/rest-bundle": "0.12.0",
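Review bot: the new constraints in this hunk are inconsistent with each other: `"doctrine/doctrine-bundle": "^1.2"` admits every 1.x release from 1.2 upwards, while the sibling doctrine packages and dompdf are widened only to patch-level wildcards such as `"doctrine/orm": "2.4.*"`. If the intent is bugfix releases only, `"doctrine/doctrine-bundle": "1.2.*"` matches the rest of the file; if a minor bump is deliberate, it is worth saying so in the PR, since a wider range brings in behaviour changes that need separate review.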
@@ -57,7 +57,7 @@
"symfony/assetic-bundle": "2.3.1",
"symfony/monolog-bundle": "2.10.0",
"symfony/swiftmailer-bundle": "2.3.8",
- "symfony/symfony": "2.7.2",
+ "symfony/symfony": "2.7.*",
"twig/extensions": "1.2.0",
"box/spout": "2.5.0"
},
I mostly used the There now is still one dependency with a security vulnerability:
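Review bot: `"symfony/symfony": "2.7.*"` only widens what composer is allowed to resolve; the installed version stays at whatever composer.lock records until `composer update symfony/symfony` is run, and the lock file is what was uploaded to the checker in the original report. The PR should include the regenerated composer.lock (and state which 2.7.x it resolved to), otherwise the vulnerability report does not change.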
I could create a PR for all this, but I feel like I have too little knowledge of all the ins and outs of Akeneo to be sure that none of these updates will break something... Maybe it's also an idea that, along with the updates to these particular dependencies, all the other dependencies get reviewed and replaced with the version constraint:
Hello @hostep, Thank you very much for your answer! In addition to my previous message, I gathered further information by discussing with our product team: We know that some of our vendors should be updated. In order to achieve this, we have to keep in mind the following matters:
These tasks can be very time consuming, and we are aware that it's necessary. For now, you can suggest a pull request with an upgraded "composer.json" file on the master branch. But we only accept explicit versions (for instance 2.7.17 instead of 2.7.*). We will later perform the tests and adjustments I mentioned, but I can't tell you in which upcoming PIM version it will be available. @wakqasahmed reported a related demand: #5300 Regards,
Hello, as of today this issue is not fully solved, even on the latest We are aware of these security warnings and plan to fix all of them in the next release. Moreover, we'll add a new check to our continuous integration process to include the security advisory checker from SensioLabs. Thanks again for your feedback.
Hello,
When will this be fixed? (for 2.3) Why not allow at least minor updates/bugfix releases via "~3.4.*" in composer.json?
Hello! I'm closing this issue as resolved; feel free to reopen it if you still have an error. Regards,
Hi guys
We currently maintain two Akeneo installations, one with version v1.4.27 and another with version v1.5.12.
Today I decided to upload the composer.lock file of both these projects to https://security.sensiolabs.org/check
Both of these projects currently have 9 dependencies with security vulnerabilities.
I notice most (not all) of these old dependencies which get reported are still being used on the master branch of this project, so that's not really good I think.
Is there a possibility you could update your dependencies to a patched version and then backport these updates to v1.5 & v1.4 if possible?
Thanks!
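The check described above (upload composer.lock, see which locked packages match a known advisory) is the same thing a CI job would automate. As an added example, not code from Akeneo or from the SensioLabs checker, the script below reads a composer.lock, compares each locked version against a small advisory table, and exits non-zero when anything matches; it also includes a minimal matcher for the constraint forms discussed in this thread (`2.7.2`, `2.7.*`, `^1.2`, `~1.2.3`) to show why loosening composer.json alone does not change what the lock file pins. The lock excerpt and the advisory version ranges are constructed placeholder data, not real CVE ranges.

```python
import json
import re

# Constructed composer.lock excerpt (not taken from the Akeneo repository).
# A real lock file carries many more fields; "name" and "version" are all
# that an advisory check needs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/symfony", "version": "v2.7.2"},
        {"name": "doctrine/annotations", "version": "v1.2.6"},
        {"name": "dompdf/dompdf", "version": "v0.6.1"},
        {"name": "box/spout", "version": "2.5.0"},
        {"name": "some/branch-alias", "version": "dev-master"},
    ],
    "packages-dev": [],
})

# Constructed advisory table (placeholder data, NOT real CVE ranges):
# package -> list of (first affected version, first fixed version).
SAMPLE_ADVISORIES = {
    "symfony/symfony": [("2.7.0", "2.7.99")],
    "dompdf/dompdf": [("0.6.0", "0.6.99")],
}


def parse_version(text):
    """'v2.7.2' -> (2, 7, 2). Non-numeric versions such as 'dev-master' raise."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"non-numeric version: {text}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def vulnerable_packages(lock_text, advisories):
    """Return (name, locked version, first fixed version) for every locked
    package whose version falls inside an advisory's half-open range."""
    lock = json.loads(lock_text)
    found = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        try:
            locked = parse_version(pkg["version"])
        except ValueError:
            continue  # branch aliases cannot be range-checked; review them by hand
        for first_bad, first_fixed in advisories.get(pkg["name"], []):
            if parse_version(first_bad) <= locked < parse_version(first_fixed):
                found.append((pkg["name"], pkg["version"], first_fixed))
    return found


def satisfies(version, constraint):
    """Minimal matcher for the constraint forms seen in the thread:
    exact '2.7.2', wildcard '2.7.*', caret '^1.2', tilde '~1.2.3'."""
    v = parse_version(version)
    c = constraint.strip()
    if c.endswith(".*"):                      # 2.7.* -> any 2.7.x
        prefix = tuple(int(p) for p in c[:-2].split("."))
        return v[:len(prefix)] == prefix
    if c.startswith("^"):                     # ^1.2 -> >=1.2.0 <2.0.0 (^0.6 -> <0.7.0)
        low = parse_version(c[1:])
        high = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
        return low <= v < high
    if c.startswith("~"):                     # ~1.2.3 -> >=1.2.3 <1.3.0, ~1.2 -> <2.0.0
        parts = [int(p) for p in c[1:].split(".")]
        bumped = parts[:-2] + [parts[-2] + 1] if len(parts) > 1 else [parts[0] + 1]
        high = tuple(bumped + [0] * (3 - len(bumped)))
        return parse_version(c[1:]) <= v < high
    return v == parse_version(c)              # plain pin


if __name__ == "__main__":
    hits = vulnerable_packages(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    for name, locked, fixed in hits:
        print(f"{name} {locked}: affected, first fixed release {fixed}")
    raise SystemExit(1 if hits else 0)       # non-zero exit fails a CI job
```

Run against a real lock file by replacing `SAMPLE_LOCK` with `open("composer.lock").read()` and the advisory table with a current feed; the point of `satisfies` is that `v2.7.2` satisfies both `2.7.2` and `2.7.*`, so changing the constraint alone keeps the same locked, vulnerable version until `composer update` rewrites the lock.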