[SecurityBundle] #59859

@nathanjrobertson

Symfony version(s) affected

7.2.3

Description

In doing a composer update on a Symfony 7.2 project with symfony/security-bundle installed, I get:

[...]
Run composer recipes at any time to see the status of your Symfony recipes.

Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "7.1.*"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires symfony/framework-bundle 7.2.* -> satisfiable by symfony/framework-bundle[v7.2.0, v7.2.1, v7.2.2, v7.2.3].
    - symfony/framework-bundle[v7.2.0, ..., v7.2.3] require symfony/dependency-injection ^7.2 -> found symfony/dependency-injection[v7.2.0, v7.2.3] but these were not loaded, likely because it conflicts with another require.
  Problem 2
    - Root composer.json requires symfony/security-bundle 7.2.* -> satisfiable by symfony/security-bundle[v7.2.0, v7.2.2, v7.2.3].
    - symfony/security-bundle[v7.2.0, ..., v7.2.3] require symfony/security-core ^7.2 -> found symfony/security-core[v7.2.0, v7.2.3] but these were not loaded, likely because it conflicts with another require.
  Problem 3
    - Root composer.json requires symfony/web-profiler-bundle 7.2.* -> satisfiable by symfony/web-profiler-bundle[v7.2.0, v7.2.2, v7.2.3].
    - symfony/framework-bundle[v7.2.0, ..., v7.2.3] require symfony/dependency-injection ^7.2 -> found symfony/dependency-injection[v7.2.0, v7.2.3] but these were not loaded, likely because it conflicts with another require.
    - symfony/web-profiler-bundle[v7.2.0, ..., v7.2.3] require symfony/framework-bundle ^6.4|^7.0 -> satisfiable by symfony/framework-bundle[v7.2.0, v7.2.1, v7.2.2, v7.2.3].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

The underlying cause is that symfony/security-bundle 7.2.3 is looking for symfony/dependency-injection v6.4 or v7.1, which is caused by this changeset.

I'm guessing that's a bad merge, given the commit message is "Merge branch '5.4' into 6.4", and should be:

[...]
 "symfony/dependency-injection": "^6.4.11|^7.1.4|^7.2",
[...]

How to reproduce

composer update on a project that uses symfony/security-bundle v7.2.3.

Possible Solution

Update composer.json to allow symfony/dependency-injection v7.2:

[...]
 "symfony/dependency-injection": "^6.4.11|^7.1.4|^7.2",
[...]

Additional Context

No response
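
When reading resolver output like the above, it helps to check which versions each constraint string actually admits. The following is an added example (not code from the issue, from Symfony or from Composer): a simplified Python re-implementation of Composer's caret and wildcard rules for plain x.y.z versions, applied to the candidate versions and constraint strings quoted in the post. The constraint without `^7.2` is an assumption derived from the proposed line.

```python
# Added example: simplified Composer constraint matching for stable x.y.z versions.
# Not composer/semver; pre-release tags, ~, ranges and stability flags are not handled.

def parse(version):
    """'v7.2.3' -> (7, 2, 3); missing parts are padded with zeros."""
    parts = [int(p) for p in version.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def caret_range(spec):
    """'7.1.4' -> [7.1.4, 8.0.0): bump the first non-zero (or last given) part."""
    low, given = parse(spec), len(spec.split("."))
    for i, n in enumerate(low):
        if n != 0 or i == given - 1:
            return low, low[:i] + (n + 1,) + (0,) * (2 - i)

def wildcard_range(spec):
    """'7.1.*' -> [7.1.0, 7.2.0)."""
    fixed = [int(p) for p in spec.split(".") if p != "*"]
    pad = [0] * (3 - len(fixed))
    return tuple(fixed + pad), tuple(fixed[:-1] + [fixed[-1] + 1] + pad)

def satisfies(version, constraint):
    """True if version matches any '|'-separated alternative of the constraint."""
    v = parse(version)
    for alt in constraint.replace("||", "|").split("|"):
        alt = alt.strip()
        if alt.startswith("^"):
            low, high = caret_range(alt[1:])
        elif alt.endswith("*"):
            low, high = wildcard_range(alt)
        else:
            raise ValueError(f"unsupported constraint syntax: {alt!r}")
        if low <= v < high:
            return True
    return False

# Values quoted in the post above.
CANDIDATES = ["v7.2.0", "v7.2.3"]          # dependency-injection versions "found"
PROPOSED = "^6.4.11|^7.1.4|^7.2"           # line proposed in the issue
WITHOUT_7_2 = PROPOSED.rsplit("|", 1)[0]   # assumption: proposal minus its last alternative
RESTRICTION = "7.1.*"                      # "Restricting packages ... to" in the log

def evaluate():
    """Map each constraint string to the candidates it admits."""
    return {c: [v for v in CANDIDATES if satisfies(v, c)]
            for c in (WITHOUT_7_2, PROPOSED, RESTRICTION)}

if __name__ == "__main__":
    for constraint, admitted in evaluate().items():
        print(f"{constraint:24} admits {admitted}")
```

On a real project, `composer why-not <package> <version>` reports which requirement or restriction blocks a given version.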
