No PHP 8.3 compatible version of lcobucci/clock installable #6983
Comments
The conflict was added by @bytehead in contao/conflicts#43 because of #5693. I am not entirely sure if we still need that. It's only an issue if your kernel secret is not long enough - is that correct?
If I interpret #5693 (comment) correctly, it seems that we can remove that conflict and afterwards update to
I think so. The conflict was added for non-managed installations that still use
What about websites with existing secrets that are too short?
Contao has auto-generated secrets since version 4.13 and these secrets are long enough. So the majority of installations should not be affected. Some older installations with too short secrets might break. But at the moment the dependencies are broken for all users and we have to fix this. We cannot leave it broken for everyone just to avoid breaking a few.
We could add the conflict to the
I don't think that's a minority of installations, because most are likely updated from even 4.9 or older, and these will have a too-short secret as well. Should we maybe consider something like an automatic migration? Update the APP_SECRET and store the old one somewhere (for encryption issues)?
Not necessarily. Before our
Your secret will only be too short if you yourself manually set one with less than 32 characters in the past, regardless of the Contao version (at least since 4.3.5). So in all likelihood most Contao instances should have a secret of sufficient length.
With the update of
@de-es not sure what you mean, because the requirement still allows v4.
@de-es besides, v4.1+ already required
@fritzmg In my case Contao 5.3.0/1 (fresh installation - PHP 8.3) was with
You should seek help in the Contao community about this issue.
I know how I can solve the problem for myself. 😀 I just wanted to leave this here as a note in case others stumble over the same problem in the next few days. Just now, as a test, once again
Shouldn't we then update the system requirements, if applicable?
@de-es this only applies for PHP 8.3 (due to
As lcobucci/jwt#1051 was not merged, I think we should, yes.
See contao/docs#1363
Affected version(s)
5.3
Description
When I upgraded from PHP 8.2 to 8.3, I noticed that Composer downgraded lcobucci/clock from version 2.3.0 to 2.2.0. I analyzed why, and this is the situation:
Before version 2.3.0, the package had a php: ^8.0 requirement. But in version 2.3.0, presumably when PHP 8.3 was released, the requirement was narrowed to "php": "~8.1.0 || ~8.2.0" (see lcobucci/clock#680). And "~8.3.0" was only added in version 3.2.0, so a new major version.
We don't directly use lcobucci/clock, but it is a dependency of lcobucci/jwt which we use in version "^4.0". However, the new major version of lcobucci/clock is only allowed in version 5 of lcobucci/jwt, so again a new major version.
To fix this, we would have to allow "lcobucci/jwt": "^4.0 || ^5.0" in our composer.json. Our code seems to be compatible with both versions. However, there is a conflict ">=4.2.0" in our contao/conflicts package which prevents the installation of version 5.0. 🙈
I don't remember why we added the conflict, but I assume it has to do with a BC break in version 4.2.0. Maybe something with key lengths? @fritzmg Do you recall?
So if someone uses Contao with PHP 8.3, they get an outdated and apparently incompatible version of lcobucci/clock and there is nothing they can do about it. Therefore we should upgrade lcobucci/jwt to version 5 as soon as possible.