composer-update: emit trailing newline from build_pkg_arg#27
Merged
Conversation
expand_args_for() concatenates build_pkg_arg's output with find_direct_ancestors's; without a trailing newline on the build_pkg_arg side, the two streams collide on a single line — producing args like 'wordpress-no-content:~6.6.4roots/wordpress' — and for direct-dep packages there's no newline anywhere, so the consuming `while read` loop never executes and RETRY_ARGS ends up empty. Result: jakerakennus-new re-run still widened ^6.0 -> ^6.9 because the per-package retry was silently a no-op. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2 tasks
oxyc
added a commit
that referenced
this pull request
May 19, 2026
…no version (#28) jakerakennus-new run with the prior fix (#27) still widened ^6.0 -> ^6.9. Root cause: composer audit gave roots/wordpress-no-content an affected range of `<=6.6.3`, so the PHP helper produced the heuristic next-patch constraint `~6.6.4` -- but WordPress never tagged 6.6.4 (the next release was 6.7.0). The tight retry found no matching version, the package landed in UNHANDLED, the widen step ran composer require -W roots/ wordpress unconstrained, and composer.json was rewritten. Add a second retry between tight and widen: derive a "same-major, not-affected" loose constraint `>=X.Y.Z, <(X+1).0.0` from the tight form and run composer update -W with it. composer can now pick the next published safe version (6.9.4 in this case) within composer.json's existing range, no widening needed. Guard against accepting a "fix" that doesn't actually fix the CVE: after the loose retry, run the new is-still-vulnerable.php helper to confirm the new locked version is OUT of every range in the package's `affected` field. Revert if not. composer audit normally blocks vulnerable picks, but `audit.block-insecure` defaults vary by project and we'd rather over-revert than ship a fake fix. For genuine widen-needed cases (constraint outside composer.json's range, e.g. gorans wordpress-no-content where ~6.6.0 doesn't allow any 6.8+ version), the loose retry still fails and the package falls through to the widen step with its existing downgrade-revert and dev-* rejection guards. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
oxyc
added a commit
that referenced
this pull request
May 29, 2026
… (+ test suite) (#35) * test(composer-update): unit + integration tests; extract helpers to lib.sh The composer-update logic had no tests and was fragile (every recent fix — #20–#31 — was a production-only discovery). Add a real test suite and make the logic testable. - Extract the helper functions (build_pkg_arg, build_widen_arg, find_direct_ancestors, loosen_constraint, is_still_vulnerable, expand_args_for, get_lock_version) from update.sh into a sourceable scripts/lib.sh. update.sh sources it; behavior is unchanged (the existing no-widen integration test still passes). - Unit tests for the PHP helpers (the fragile version-range logic): - compute-min-safe-constraints: exclusive/inclusive bounds, missing version components, multi-range selection, no-entry fall-throughs. - is-still-vulnerable: in/out of range, multi-range, junk-input fail-safe. - Unit tests for the bash helpers, each tied to the edge case it guards: #27 build_pkg_arg trailing newline, #29 build_widen_arg caret widen, #28 loosen_constraint, #22/#26 find_direct_ancestors BFS + expand_args_for. - Integration tests driving the real update.sh with a fake composer: #24 downgrade revert, #21 dev-* revert, #23 per-package retry isolation, #20 no-widen honored as a JSON array. (Plus the existing no-widen test.) - Fix surfaced by the tests: compute-min-safe-constraints emitted `[]` for an empty result, but update.sh string-indexes that map with `jq '.[$pkg]'`, which errors on a JSON array under `set -eo pipefail`. Encode as `{}`. - CI: composer-update-tests.yml now sets up PHP and runs tests/run.sh. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(composer-update): inclusive-bound (<=) safe-version derivation skips 4-segment hotfixes compute-min-safe-constraints derived ~X.Y.(Z+1) for a <=X.Y.Z advisory. That skips a 4-segment hotfix like X.Y.Z.1, which is >X.Y.Z but <X.Y.(Z+1): the constraint matched no published version, the update no-opped, and the vuln went unpatched (no PR opened). Real case: suomentyokalu / seo-by-rank-math, advisory <=1.0.271, fixed in 1.0.271.1. The derived ~1.0.272 could not resolve. Emit >X.Y.Z,<X.(Y+1).0 instead — a strict-greater lower bound that matches the hotfix while still excluding the vulnerable boundary X.Y.Z, still minor-capped. Teach loosen_constraint() and build_widen_arg() the new range shape (major-cap widen/loosen, boundary stays excluded). Tests: regression case asserting <=1.0.271 -> >1.0.271,<1.1.0 plus Semver checks that 1.0.271.1 is reachable and 1.0.271 is excluded; updated existing <= assertions; helper-fn coverage for the range shape. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: test <test@example.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #26. The re-run on jakerakennus-new still widened
^6.0 → ^6.9because the per-package retry was silently a no-op.expand_args_for()concatenatesbuild_pkg_arg's output (no trailing newline) withfind_direct_ancestors's lines. Result:wordpress-no-content:~6.6.4roots/wordpress\n— one line, passed to composer as a single (invalid) arg.while readloop never executes andRETRY_ARGSstays empty.You can see both in the broken run's log:
Fix
Switch
build_pkg_argfromprintf '%s:%s'/printf '%s'to the\n-terminated forms.Test plan
roots/wordpressconstraint stays^6.0(not widened to^6.9) and the lock-level updates land as expected.🤖 Generated with Claude Code