Issue #3343889 by yash.rode, Wim Leers, phenaproxima, tedbow: Drop support for...

Issue #3343889 by yash.rode, Wim Leers, phenaproxima, tedbow: Drop support for end-of-life versions of Composer

Issue #3343889 by yash.rode, Wim Leers, phenaproxima, tedbow: Drop support for...
431d5344 · Yash Rode · Adam G-H · 0d0911b8 · 431d5344 · 431d5344
Commit 431d5344 authored 2 years ago by Yash Rode Committed by Adam G-H 2 years ago
--- a/package_manager/src/ComposerInspector.php
+++ b/package_manager/src/ComposerInspector.php
@@ -42,9 +42,19 @@ class ComposerInspector {
  /**
   * A semantic version constraint for the supported version(s) of Composer.
   *
+   * Only versions supported by Composer are supported: the LTS and the latest
+   * minor version. Those are currently 2.2 and 2.5.
+   *
+   * @see https://endoflife.date/composer
+   *
+   * Note that Composer <= 2.2.11 is not supported anymore due to a security
+   * vulnerability.
+   *
+   * @see https://blog.packagist.com/cve-2022-24828-composer-command-injection-vulnerability/
+   *
   * @var string
   */
-  final public const SUPPORTED_VERSION = '~2.2.12 || ^2.3.5';
+  final public const SUPPORTED_VERSION = '~2.2.12 || ^2.5';

  /**
   * Constructs a ComposerInspector object.

--- a/package_manager/tests/src/Kernel/ComposerInspectorTest.php
+++ b/package_manager/tests/src/Kernel/ComposerInspectorTest.php
@@ -183,9 +183,12 @@ class ComposerInspectorTest extends PackageManagerKernelTestBase {
   *
   * @testWith ["2.2.12", null]
   *   ["2.2.13", null]
-   *   ["2.3.6", null]
-   *   ["2.4.1", null]
+   *   ["2.5.0", null]
+   *   ["2.5.11", null]
   *   ["2.2.11", "<default>"]
+   *   ["2.2.0-dev", "<default>"]
+   *   ["2.3.6", "<default>"]
+   *   ["2.4.1", "<default>"]
   *   ["2.3.4", "<default>"]
   *   ["2.1.6", "<default>"]
   *   ["1.10.22", "<default>"]