No PHP 8.3 compatible version of lcobucci/clock installable #6983

Closed
leofeyer opened this issue Mar 8, 2024 · 18 comments · Fixed by #7031
Comments

@leofeyer
Member

leofeyer commented Mar 8, 2024

Affected version(s)

5.3

Description

When I upgraded from PHP 8.2 to 8.3, I noticed that Composer downgraded lcobucci/clock from version 2.3.0 to 2.2.0. I analyzed why, and this is the situation:

Before version 2.3.0, the package had a php: ^8.0 requirement. But in version 2.3.0, presumably when PHP 8.3 was released, the requirement was narrowed to "php": "~8.1.0 || ~8.2.0" (see lcobucci/clock#680). And "~8.3.0" was only added in version 3.2.0, so a new major version.

We don't directly use lcobucci/clock, but it is a dependency of lcobucci/jwt which we use in version "^4.0". However, the new major version of lcobucci/clock is only allowed in version 5 of lcobucci/jwt, so again a new major version.

To fix this, we would have to allow "lcobucci/jwt": "^4.0 || ^5.0" in our composer.json. Our code seems to be compatible with both versions. However, there is a conflict ">=4.2.0" in our contao/conflicts package which prevents the installation of version 5.0. 🙈

I don't remember why we added the conflict, but I assume it has to do with a BC break in version 4.2.0. Maybe something with key lengths? @fritzmg Do you recall?

So if someone uses Contao with PHP 8.3, they get an outdated and apparently incompatible version of lcobucci/clock and there is nothing they can do about it. Therefore we should upgrade lcobucci/jwt to version 5 as soon as possible.
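To make the resolution described above reproducible offline, here is an added example (not Contao's, Composer's or lcobucci's code) that evaluates the Composer constraint syntax used in this thread in Python: `^`, `~`, `>=` and `||`. The release metadata it embeds is taken from the thread's description and from the composer output quoted later in the thread; the php constraints of the lcobucci/jwt 4.x and 5.1+/5.2 releases are approximated as `^8.0` (an assumption, only the fact that they accept 8.3.3 is taken from the output), and it assumes lcobucci/jwt 4 pins lcobucci/clock to `^2.0` and lcobucci/jwt 5 to `^3.0`. It goes one step beyond the opening post by also modelling platform requirements such as `ext-sodium: *`, so the dead end from the later `composer create-project` output can be reproduced as well.

```python
"""Tiny evaluator for the Composer constraints that appear in this thread.
Added example; not code from Contao, Composer or lcobucci/jwt."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Requires = Dict[str, str]  # e.g. {"php": "~8.1.0 || ~8.2.0", "ext-sodium": "*"}


def parse_version(text: str) -> Version:
    """'8.3.3' -> (8, 3, 3); missing trailing components count as 0."""
    nums = [int(p) for p in text.strip().lstrip("v").split(".")] + [0, 0, 0]
    return (nums[0], nums[1], nums[2])


def _term_matches(version: Version, term: str) -> bool:
    """One term without '||': '*', ^X.Y[.Z], ~X.Y[.Z], or >=, >, <=, <, = plus a version."""
    if term == "*":
        return True
    m = re.fullmatch(r"(\^|~|>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})", term)
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    op, raw = m.group(1) or "=", m.group(2)
    low = parse_version(raw)
    if op == "^":  # ^X.Y.Z: >=X.Y.Z <(X+1).0.0  (for X == 0: <0.(Y+1).0)
        high = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
        return low <= version < high
    if op == "~":  # ~X.Y.Z: >=X.Y.Z <X.(Y+1).0 ; ~X.Y: >=X.Y.0 <(X+1).0.0
        high = (low[0], low[1] + 1, 0) if raw.count(".") == 2 else (low[0] + 1, 0, 0)
        return low <= version < high
    return {">=": version >= low, ">": version > low, "<=": version <= low,
            "<": version < low, "=": version == low}[op]


def satisfies(version_text: str, constraint: str) -> bool:
    """'||' separates alternatives; whitespace or commas inside one alternative AND the terms."""
    version = parse_version(version_text)
    for alternative in constraint.split("||"):
        terms = [t for t in re.split(r"[\s,]+", alternative.strip()) if t]
        if terms and all(_term_matches(version, t) for t in terms):
            return True
    return False


def platform_ok(requires: Requires, platform: Dict[str, str]) -> bool:
    """Every platform requirement (php, ext-*) must be present with a matching version.
    An extension that is absent from `platform` never satisfies even '*'."""
    return all(name in platform and satisfies(platform[name], c) for name, c in requires.items())


def installable(releases: Dict[str, Requires], constraint: str,
                platform: Dict[str, str], conflict: str = "") -> List[str]:
    """Releases allowed by the root constraint, supported by the platform and not
    excluded by a 'conflict' constraint (the contao/conflicts mechanism), highest first."""
    ok = [v for v, req in releases.items()
          if satisfies(v, constraint) and platform_ok(req, platform)
          and not (conflict and satisfies(v, conflict))]
    return sorted(ok, key=parse_version, reverse=True)


# Release metadata as described in the thread and in the quoted composer output.
# Assumption: "^8.0" stands in for the real php constraint of the jwt 4.x and 5.1+/5.2
# releases; 5.0.0's constraint and the ext-sodium requirements are as the output shows.
CLOCK = {
    "2.2.0": {"php": "^8.0"},
    "2.3.0": {"php": "~8.1.0 || ~8.2.0"},
    "3.2.0": {"php": "~8.1.0 || ~8.2.0 || ~8.3.0"},
}
JWT = {
    "4.0.4": {"php": "^8.0"},
    "4.1.0": {"php": "^8.0", "ext-sodium": "*"},
    "4.2.0": {"php": "^8.0", "ext-sodium": "*"},
    "4.3.0": {"php": "^8.0", "ext-sodium": "*"},
    "5.0.0": {"php": "~8.1.0 || ~8.2.0"},
    "5.1.0": {"php": "^8.0", "ext-sodium": "*"},
    "5.2.0": {"php": "^8.0", "ext-sodium": "*"},
}

if __name__ == "__main__":
    php83 = {"php": "8.3.3"}
    php83_sodium = {"php": "8.3.3", "ext-sodium": "8.3.3"}
    # jwt 4 only allows clock ^2.0 (assumed): on PHP 8.3 that leaves the downgrade to 2.2.0
    print("clock via jwt 4 on PHP 8.3:", installable(CLOCK, "^2.0", php83))
    # jwt 5 allows clock ^3.0 (assumed): 3.2.0 knows about PHP 8.3
    print("clock via jwt 5 on PHP 8.3:", installable(CLOCK, "^3.0", php83))
    # the contao/conflicts entry ">=4.2.0" removes every jwt 5 release from the candidate set
    print("jwt ^4.0 || ^5.0 minus conflict:", installable(JWT, "^4.0 || ^5.0", php83_sodium, ">=4.2.0"))
    # the create-project dead end: PHP 8.3 without ext-sodium leaves nothing for ^4.1 || ^5.0
    print("jwt ^4.1 || ^5.0, no ext-sodium:", installable(JWT, "^4.1 || ^5.0", php83))
```

On a real installation, `composer why-not php 8.3` (the alias of `composer prohibits`) answers the same question against the actual lock file instead of the approximated metadata embedded here.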

@leofeyer leofeyer added the bug label Mar 8, 2024
@leofeyer leofeyer added this to the 5.3 milestone Mar 8, 2024
@fritzmg
Contributor

fritzmg commented Mar 8, 2024

The conflict was added by @bytehead in contao/conflicts#43 because of #5693

I am not entirely sure if we still need that. It's only an issue if your kernel secret is not long enough, is that correct?

@ausi
Member

ausi commented Mar 8, 2024

If I interpret #5693 (comment) correctly, it seems that we can remove that conflict and afterwards update to "lcobucci/jwt": "^4.0 || ^5.0"

@leofeyer
Member Author

leofeyer commented Mar 8, 2024

I think so. The conflict was added for non-managed installations that still use ThisTokenIsNotSoSecretChangeIt as kernel secret. These should be few and they are broken anyway due to the too short default secret.

@aschempp
Member

aschempp commented Mar 8, 2024

What about websites with existing secrets that are too short?

@leofeyer
Member Author

leofeyer commented Mar 8, 2024

Contao has auto-generated secrets since version 4.13 and these secrets are long enough. So the majority of installations should not be affected. Some older installations with too short secrets might break.

But at the moment the dependencies are broken for all users and we have to fix this. We cannot leave it broken for everyone just to avoid breaking a few.

@fritzmg
Contributor

fritzmg commented Mar 8, 2024

We could add the conflict to the contao/manager-bundle in 4.13.39 before removing it from contao/conflicts, if we want to avoid breaking a few instances at least in 4.13. Not sure if that's worth it though.

@aschempp
Member

aschempp commented Mar 8, 2024

I don't think that's a minority of installations, because most are likely updated from even 4.9 or older, and these will have a too-short secret as well. Should we maybe consider something like an automatic migration? Update the APP_SECRET and store the old one somewhere (for encryption issues)?

@fritzmg
Contributor

fritzmg commented Mar 8, 2024

and these will have a too-short secret as well

Not necessarily. Before our APP_SECRET generation the Contao Install Tool was responsible for the automatic generation of the secret parameter since Contao 4.3.5 - and the Contao Install Tool always created secrets of a sufficient length:

$this->parameters['parameters']['secret'] = bin2hex(random_bytes(32));

Your secret will only be too short if you yourself manually set one with less than 32 characters in the past, regardless of the Contao version (at least since 4.3.5).

So in all likelihood most Contao instances should have a secret of sufficient length.
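As an added example (not Contao's or lcobucci/jwt's code) covering both the secret-length question in this comment and the "update the APP_SECRET and store the old one somewhere" migration idea raised earlier in the thread: a Python check that measures a secret the way PHP's strlen() would, generates a replacement equivalent to the Install Tool's bin2hex(random_bytes(32)), refuses to sign with a secret below the 32-character threshold the thread mentions, and verifies against both the new and the retained old secret so material created before a rotation still validates. The threshold and the statement that it is enforced from lcobucci/jwt 4.2.0 on are taken from the discussion and not verified against the library here; an HMAC-SHA256 tag stands in for the JWT signature.

```python
"""Secret-length check and rotation-aware verification.
Added example; not code from Contao or lcobucci/jwt."""
import hashlib
import hmac
import secrets
from typing import Sequence

# Threshold as discussed in the thread ("less than 32 characters" is too short),
# measured in bytes like PHP's strlen(). Assumption: this mirrors the minimum the
# thread attributes to lcobucci/jwt >= 4.2.0.
MIN_SECRET_BYTES = 32

# The former Contao default secret named in the thread as the classic too-short value.
DEFAULT_INSECURE_SECRET = "ThisTokenIsNotSoSecretChangeIt"


def secret_byte_length(secret: str) -> int:
    return len(secret.encode("utf-8"))


def secret_is_long_enough(secret: str) -> bool:
    return secret_byte_length(secret) >= MIN_SECRET_BYTES


def generate_secret() -> str:
    """Equivalent of the Install Tool's bin2hex(random_bytes(32)): 32 random bytes
    rendered as 64 hex characters, so the resulting string is 64 bytes long."""
    return secrets.token_hex(32)


def sign(secret: str, payload: bytes) -> str:
    """HS256-style tag over the payload; refuses a secret the thread would call too short."""
    if not secret_is_long_enough(secret):
        raise ValueError(
            f"secret is {secret_byte_length(secret)} bytes, need at least {MIN_SECRET_BYTES}"
        )
    return hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()


def sign_rejects(secret: str) -> bool:
    """True if sign() refuses this secret (convenience for callers that probe a config)."""
    try:
        sign(secret, b"probe")
    except ValueError:
        return True
    return False


def verify(candidates: Sequence[str], payload: bytes, tag: str) -> bool:
    """Accept a tag produced under any candidate secret, current one first, then the
    retained previous one. This is what the migration sketched in the thread needs so
    that tokens issued before the rotation keep validating; new tags must only ever be
    produced with candidates[0]. Constant-time comparison throughout."""
    for secret in candidates:
        expected = hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            return True
    return False


if __name__ == "__main__":
    print(DEFAULT_INSECURE_SECRET, "->", secret_byte_length(DEFAULT_INSECURE_SECRET), "bytes,",
          "ok" if secret_is_long_enough(DEFAULT_INSECURE_SECRET) else "too short")
    old, new = "0123456789abcdef0123456789abcdef", generate_secret()  # constructed old secret
    tag = sign(old, b"session-payload")
    print("old token still valid after rotation:", verify([new, old], b"session-payload", tag))
    print("old token valid if old secret is dropped:", verify([new], b"session-payload", tag))
```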

@leofeyer leofeyer linked a pull request Mar 20, 2024 that will close this issue
leofeyer added a commit that referenced this issue Mar 20, 2024
Description
-----------

Fixes #6983

Commits
-------

875cf9e Allow version 5 of lcobucci/jwt
@de-es
Contributor

de-es commented Mar 21, 2024

With the update of lcobucci/jwt to v5, ext-sodium is now required as a PHP extension. Not that it couldn't be solved, but it came as a bit of a surprise during the update to 5.3.2.

@fritzmg
Contributor

fritzmg commented Mar 21, 2024

@de-es not sure what you mean, because the requirement still allows v4.

@fritzmg
Contributor

fritzmg commented Mar 21, 2024

@de-es besides, v4.1+ already required ext-sodium - so whatever issues you might have, it is not related to this.

@de-es
Contributor

de-es commented Mar 21, 2024

@fritzmg Contao 5.3.0/1 (fresh installation, PHP 8.3) was installed for me with lcobucci/jwt = 4.0.4. Composer then refused to update to 5.3.2 because ext-sodium was not installed. After installing the extension I now automatically have 5.2.0 of lcobucci/jwt.

@fritzmg
Contributor

fritzmg commented Mar 21, 2024

Composer then refused to update to 5.3.2 because ext-sodium was not installed.

You should seek help in the Contao community about this issue.

@de-es
Contributor

de-es commented Mar 21, 2024

I know how to solve the problem for myself. 😀 I just wanted to leave this as a note here in case others stumble over the same problem in the next few days.

I just disabled ext-sodium again as a test and tried to install Contao:

> composer create-project contao/managed-edition contao-test53 5.3
Creating a "contao/managed-edition" project at "./contao-test53"
Installing contao/managed-edition (5.3)
  - Downloading contao/managed-edition (5.3)
  - Installing contao/managed-edition (5.3): Extracting archive
Created project in /srv/contao/contao-test53
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - contao/newsletter-bundle 5.3.2 requires contao/core-bundle 5.3.2 -> satisfiable by contao/core-bundle[5.3.2].
    - contao/newsletter-bundle 5.3.1 requires contao/core-bundle 5.3.1 -> satisfiable by contao/core-bundle[5.3.1].
    - contao/newsletter-bundle 5.3.0 requires contao/core-bundle 5.3.0 -> satisfiable by contao/core-bundle[5.3.0].
    - contao/core-bundle[5.3.0, ..., 5.3.2] require scheb/2fa-trusted-device ^6.0 -> satisfiable by scheb/2fa-trusted-device[v6.0.0, ..., v6.12.0].
    - scheb/2fa-trusted-device[v6.10.0, ..., v6.12.0] require lcobucci/jwt ^4.1 || ^5.0 -> satisfiable by lcobucci/jwt[4.1.0, ..., 4.3.0, 5.0.0, 5.1.0, 5.2.0].
    - scheb/2fa-trusted-device[v6.0.0, ..., v6.3.0] require php ~8.0.0 || ~8.1.0 -> your php version (8.3.3) does not satisfy that requirement.
    - scheb/2fa-trusted-device[v6.4.0, ..., v6.9.0] require php ~8.0.0 || ~8.1.0 || ~8.2.0 -> your php version (8.3.3) does not satisfy that requirement.
    - lcobucci/jwt[4.1.0, ..., 4.3.0, 5.1.0, ..., 5.2.0] require ext-sodium * -> it is missing from your system. Install or enable PHP's sodium extension.
    - lcobucci/jwt 5.0.0 requires php ~8.1.0 || ~8.2.0 -> your php version (8.3.3) does not satisfy that requirement.
    - Root composer.json requires contao/newsletter-bundle ^5.3 -> satisfiable by contao/newsletter-bundle[5.3.0, 5.3.1, 5.3.2].

To enable extensions, verify that they are enabled in your .ini files:
    - /etc/php/php.ini
You can also run `php --ini` in a terminal to see which files are used by PHP in CLI mode.
Alternatively, you can run Composer with `--ignore-platform-req=ext-sodium` to temporarily ignore these required extensions.

Shouldn't we then update the system requirements, if applicable?

@fritzmg
Contributor

fritzmg commented Mar 21, 2024

@de-es this only applies for PHP 8.3 (due to lcobucci/jwt's requirements). Anyway, it looks like ext-sodium is only a soft dependency for lcobucci/jwt and should probably be fixed there.

@ausi
Member

ausi commented Mar 21, 2024

Anyway, it looks like ext-sodium is only a soft dependency for lcobucci/jwt and should probably be fixed there.

See lcobucci/jwt#1051

@ausi
Member

ausi commented Mar 21, 2024

Shouldn't we then update the system requirements, if applicable?

As lcobucci/jwt#1051 was not merged, I think we should, yes.

@fritzmg
Contributor

fritzmg commented Mar 22, 2024

See contao/docs#1363

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 22, 2024