Verified Commit 99d3dd4c authored by Jess's avatar Jess
Browse files

Issue #3198340 by alexpott, xjm, cilefen, Mile23, mmjvb, catch, longwave, mfb,... 

Issue #3198340 by alexpott, xjm, cilefen, Mile23, mmjvb, catch, longwave, mfb, Mixologic, effulgentsia, larowlan, Warped, quietone, greg.1.anderson: Strict constraints in drupal/core-recommended make it harder for Composer-managed sites to apply their own security updates when a core update is not available
parent 03301fb9

composer/Generator/Builder/DrupalCoreRecommendedBuilder.php

+2 −2
Original line number Diff line number Diff line
@@ -41,7 +41,7 @@ public function getPackage() { 
      // If there is no 'source' record, then this is a path repository

      // or something else that we do not want to include.

      if (isset($package['source']) && !in_array($package['name'], $remove_list)) {

        $composer['require'][$package['name']] = $package['version'];

        $composer['require'][$package['name']] = '~' . $package['version'];

      }

    }

    return $composer;
@@ -56,7 +56,7 @@ protected function initialPackageMetadata() { 
    return [

      "name" => "drupal/core-recommended",

      "type" => "metapackage",

      "description" => "Locked core dependencies; require this project INSTEAD OF drupal/core.",

      "description" => "Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.",

      "license" => "GPL-2.0-or-later",

      "conflict" => [

        "webflo/drupal-core-strict" => "*",

composer/Metapackage/CoreRecommended/composer.json

+56 −56
Original line number Diff line number Diff line 
{

    "name": "drupal/core-recommended",

    "type": "metapackage",

    "description": "Locked core dependencies; require this project INSTEAD OF drupal/core.",

    "description": "Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.",

    "license": "GPL-2.0-or-later",

    "conflict": {

        "webflo/drupal-core-strict": "*"

    },

    "require": {

        "drupal/core": "9.4.x-dev",

        "asm89/stack-cors": "1.3.0",

        "composer/semver": "3.3.2",

        "doctrine/annotations": "1.13.2",

        "doctrine/lexer": "1.2.3",

        "doctrine/reflection": "1.2.3",

        "egulias/email-validator": "3.2",

        "guzzlehttp/guzzle": "6.5.7",

        "guzzlehttp/promises": "1.5.1",

        "guzzlehttp/psr7": "1.8.5",

        "laminas/laminas-diactoros": "2.11.0",

        "laminas/laminas-escaper": "2.9.0",

        "laminas/laminas-feed": "2.17.0",

        "laminas/laminas-stdlib": "3.7.1",

        "masterminds/html5": "2.7.5",

        "pear/archive_tar": "1.4.14",

        "pear/console_getopt": "v1.4.3",

        "pear/pear-core-minimal": "v1.10.11",

        "pear/pear_exception": "v1.0.2",

        "psr/cache": "1.0.1",

        "psr/container": "1.1.1",

        "psr/http-factory": "1.0.1",

        "psr/http-message": "1.0.1",

        "psr/log": "1.1.4",

        "ralouphie/getallheaders": "3.0.3",

        "stack/builder": "v1.0.6",

        "symfony-cmf/routing": "2.3.4",

        "symfony/console": "v4.4.42",

        "symfony/debug": "v4.4.41",

        "symfony/dependency-injection": "v4.4.42",

        "symfony/deprecation-contracts": "v2.5.1",

        "symfony/error-handler": "v4.4.41",

        "symfony/event-dispatcher": "v4.4.42",

        "symfony/event-dispatcher-contracts": "v1.1.12",

        "symfony/http-client-contracts": "v2.5.1",

        "symfony/http-foundation": "v4.4.42",

        "symfony/http-kernel": "v4.4.42",

        "symfony/mime": "v5.4.9",

        "symfony/polyfill-ctype": "v1.25.0",

        "symfony/polyfill-iconv": "v1.25.0",

        "symfony/polyfill-intl-idn": "v1.25.0",

        "symfony/polyfill-intl-normalizer": "v1.25.0",

        "symfony/polyfill-mbstring": "v1.25.0",

        "symfony/polyfill-php80": "v1.25.0",

        "symfony/process": "v4.4.41",

        "symfony/psr-http-message-bridge": "v2.1.2",

        "symfony/routing": "v4.4.41",

        "symfony/serializer": "v4.4.42",

        "symfony/service-contracts": "v2.5.1",

        "symfony/translation": "v4.4.41",

        "symfony/translation-contracts": "v2.5.1",

        "symfony/validator": "v4.4.41",

        "symfony/var-dumper": "v5.4.9",

        "symfony/yaml": "v4.4.37",

        "twig/twig": "v2.15.1",

        "typo3/phar-stream-wrapper": "v3.1.7"

        "asm89/stack-cors": "~1.3.0",

        "composer/semver": "~3.3.2",

        "doctrine/annotations": "~1.13.2",

        "doctrine/lexer": "~1.2.3",

        "doctrine/reflection": "~1.2.3",

        "egulias/email-validator": "~3.2",

        "guzzlehttp/guzzle": "~6.5.7",

        "guzzlehttp/promises": "~1.5.1",

        "guzzlehttp/psr7": "~1.8.5",

        "laminas/laminas-diactoros": "~2.11.0",

        "laminas/laminas-escaper": "~2.9.0",

        "laminas/laminas-feed": "~2.17.0",

        "laminas/laminas-stdlib": "~3.7.1",

        "masterminds/html5": "~2.7.5",

        "pear/archive_tar": "~1.4.14",

        "pear/console_getopt": "~v1.4.3",

        "pear/pear-core-minimal": "~v1.10.11",

        "pear/pear_exception": "~v1.0.2",

        "psr/cache": "~1.0.1",

        "psr/container": "~1.1.1",

        "psr/http-factory": "~1.0.1",

        "psr/http-message": "~1.0.1",

        "psr/log": "~1.1.4",

        "ralouphie/getallheaders": "~3.0.3",

        "stack/builder": "~v1.0.6",

        "symfony-cmf/routing": "~2.3.4",

        "symfony/console": "~v4.4.42",

        "symfony/debug": "~v4.4.41",

        "symfony/dependency-injection": "~v4.4.42",

        "symfony/deprecation-contracts": "~v2.5.1",

        "symfony/error-handler": "~v4.4.41",

        "symfony/event-dispatcher": "~v4.4.42",

        "symfony/event-dispatcher-contracts": "~v1.1.12",

        "symfony/http-client-contracts": "~v2.5.1",

        "symfony/http-foundation": "~v4.4.42",

        "symfony/http-kernel": "~v4.4.42",

        "symfony/mime": "~v5.4.9",

        "symfony/polyfill-ctype": "~v1.25.0",

        "symfony/polyfill-iconv": "~v1.25.0",

        "symfony/polyfill-intl-idn": "~v1.25.0",

        "symfony/polyfill-intl-normalizer": "~v1.25.0",

        "symfony/polyfill-mbstring": "~v1.25.0",

        "symfony/polyfill-php80": "~v1.25.0",

        "symfony/process": "~v4.4.41",

        "symfony/psr-http-message-bridge": "~v2.1.2",

        "symfony/routing": "~v4.4.41",

        "symfony/serializer": "~v4.4.42",

        "symfony/service-contracts": "~v2.5.1",

        "symfony/translation": "~v4.4.41",

        "symfony/translation-contracts": "~v2.5.1",

        "symfony/validator": "~v4.4.41",

        "symfony/var-dumper": "~v5.4.9",

        "symfony/yaml": "~v4.4.37",

        "twig/twig": "~v2.15.1",

        "typo3/phar-stream-wrapper": "~v3.1.7"

    }

}

core/tests/Drupal/Tests/Composer/Generator/BuilderTest.php

+3 −3
Original line number Diff line number Diff line
@@ -25,13 +25,13 @@ public function builderTestData() { 
        [

          'name' => 'drupal/core-recommended',

          'type' => 'metapackage',

          'description' => 'Locked core dependencies; require this project INSTEAD OF drupal/core.',

          'description' => 'Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.',

          'license' => 'GPL-2.0-or-later',

          'require' =>

          [

            'drupal/core' => Composer::drupalVersionBranch(),

            'symfony/polyfill-ctype' => 'v1.12.0',

            'symfony/yaml' => 'v3.4.32',

            'symfony/polyfill-ctype' => '~v1.12.0',

            'symfony/yaml' => '~v3.4.32',

          ],

          'conflict' =>

          [

core/tests/Drupal/Tests/ComposerIntegrationTest.php

+4 −1
Original line number Diff line number Diff line
@@ -53,6 +53,9 @@ public function testComposerLockHash() { 
   * @dataProvider providerTestComposerJson

   */

  public function testComposerTilde($path) {

    if (preg_match('#composer/Metapackage/CoreRecommended/composer.json$#', $path)) {

      $this->markTestSkipped("$path has tilde");

    }

    $content = json_decode(file_get_contents($path), TRUE);

    $composer_keys = array_intersect(['require', 'require-dev'], array_keys($content));

    if (empty($composer_keys)) {
@@ -79,7 +82,7 @@ public function providerTestComposerJson() { 
    $data = [];

    $composer_json_finder = $this->getComposerJsonFinder(realpath(__DIR__ . '/../../../../'));

    foreach ($composer_json_finder->getIterator() as $composer_json) {

      $data[] = [$composer_json->getPathname()];

      $data[$composer_json->getPathname()] = [$composer_json->getPathname()];

    }

    return $data;

  }