Commit 9db4e31b authored by catch's avatar catch

Issue #3198340 by alexpott, xjm, Mile23, cilefen, mmjvb, catch, Mixologic,...

Issue #3198340 by alexpott, xjm, Mile23, cilefen, mmjvb, catch, Mixologic, effulgentsia, mfb, longwave, larowlan, greg.1.anderson, Warped, quietone: Strict constraints in drupal/core-recommended make it harder for Composer-managed sites to apply their own security updates when a core update is not available
parent 7fbc4c4b
+2 −2
@@ -41,7 +41,7 @@ public function getPackage() {
      // If there is no 'source' record, then this is a path repository
      // or something else that we do not want to include.
      if (isset($package['source']) && !in_array($package['name'], $remove_list)) {
        $composer['require'][$package['name']] = $package['version'];
        $composer['require'][$package['name']] = '~' . $package['version'];
      }
    }
    return $composer;
@@ -56,7 +56,7 @@ protected function initialPackageMetadata() {
    return [
      "name" => "drupal/core-recommended",
      "type" => "metapackage",
      "description" => "Locked core dependencies; require this project INSTEAD OF drupal/core.",
      "description" => "Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.",
      "license" => "GPL-2.0-or-later",
      "conflict" => [
        "webflo/drupal-core-strict" => "*",
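Review bot: The new assignment `'~' . $package['version']` prefixes every locked version string without checking its shape, so the resulting range depends on how each dependency happens to be tagged. For a three-segment version the tilde admits later patch releases only, which matches the new description, but under Composer's tilde rule a two-segment tag would admit later minor releases, and a branch-style version (for example a `-dev` entry) would presumably not form a valid constraint. Consider applying the prefix only when the version matches `/^v?\d+\.\d+\.\d+$/` and keeping the exact pin otherwise, with a comment above the line such as `// Tilde lets sites take patch-level (including security) releases of a dependency without waiting for a core release.` The fixture in builderTestData() exercises only `v1.12.0` and `v3.4.32`, so neither edge case is covered; getPackage() begins outside this hunk.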
+49 −49
{
    "name": "drupal/core-recommended",
    "type": "metapackage",
    "description": "Locked core dependencies; require this project INSTEAD OF drupal/core.",
    "description": "Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.",
    "license": "GPL-2.0-or-later",
    "conflict": {
        "webflo/drupal-core-strict": "*"
    },
    "require": {
        "drupal/core": "10.0.x-dev",
        "asm89/stack-cors": "v2.1.1",
        "composer/semver": "3.3.2",
        "doctrine/annotations": "1.13.2",
        "doctrine/lexer": "1.2.3",
        "egulias/email-validator": "3.1.2",
        "guzzlehttp/guzzle": "7.4.4",
        "guzzlehttp/promises": "1.5.1",
        "guzzlehttp/psr7": "2.2.1",
        "masterminds/html5": "2.7.5",
        "pear/archive_tar": "1.4.14",
        "pear/console_getopt": "v1.4.3",
        "pear/pear-core-minimal": "v1.10.11",
        "pear/pear_exception": "v1.0.2",
        "psr/cache": "3.0.0",
        "psr/container": "2.0.2",
        "psr/event-dispatcher": "1.0.0",
        "psr/http-client": "1.0.1",
        "psr/http-factory": "1.0.1",
        "psr/http-message": "1.0.1",
        "psr/log": "3.0.0",
        "ralouphie/getallheaders": "3.0.3",
        "symfony/console": "v6.1.1",
        "symfony/dependency-injection": "v6.1.0",
        "symfony/deprecation-contracts": "v3.1.0",
        "symfony/error-handler": "v6.1.0",
        "symfony/event-dispatcher": "v6.1.0",
        "symfony/event-dispatcher-contracts": "v3.1.0",
        "symfony/http-foundation": "v6.1.1",
        "symfony/http-kernel": "v6.1.1",
        "symfony/mime": "v6.1.1",
        "symfony/polyfill-ctype": "v1.26.0",
        "symfony/polyfill-iconv": "v1.26.0",
        "symfony/polyfill-intl-grapheme": "v1.26.0",
        "symfony/polyfill-intl-idn": "v1.26.0",
        "symfony/polyfill-intl-normalizer": "v1.26.0",
        "symfony/polyfill-mbstring": "v1.26.0",
        "symfony/polyfill-php80": "v1.26.0",
        "symfony/process": "v6.1.0",
        "symfony/psr-http-message-bridge": "v2.1.2",
        "symfony/routing": "v6.1.1",
        "symfony/serializer": "v6.1.1",
        "symfony/service-contracts": "v3.1.0",
        "symfony/string": "v6.1.0",
        "symfony/translation-contracts": "v3.1.0",
        "symfony/validator": "v6.1.1",
        "symfony/var-dumper": "v6.1.0",
        "symfony/yaml": "v6.1.0",
        "twig/twig": "v3.3.10"
        "asm89/stack-cors": "~v2.1.1",
        "composer/semver": "~3.3.2",
        "doctrine/annotations": "~1.13.2",
        "doctrine/lexer": "~1.2.3",
        "egulias/email-validator": "~3.1.2",
        "guzzlehttp/guzzle": "~7.4.4",
        "guzzlehttp/promises": "~1.5.1",
        "guzzlehttp/psr7": "~2.2.1",
        "masterminds/html5": "~2.7.5",
        "pear/archive_tar": "~1.4.14",
        "pear/console_getopt": "~v1.4.3",
        "pear/pear-core-minimal": "~v1.10.11",
        "pear/pear_exception": "~v1.0.2",
        "psr/cache": "~3.0.0",
        "psr/container": "~2.0.2",
        "psr/event-dispatcher": "~1.0.0",
        "psr/http-client": "~1.0.1",
        "psr/http-factory": "~1.0.1",
        "psr/http-message": "~1.0.1",
        "psr/log": "~3.0.0",
        "ralouphie/getallheaders": "~3.0.3",
        "symfony/console": "~v6.1.1",
        "symfony/dependency-injection": "~v6.1.0",
        "symfony/deprecation-contracts": "~v3.1.0",
        "symfony/error-handler": "~v6.1.0",
        "symfony/event-dispatcher": "~v6.1.0",
        "symfony/event-dispatcher-contracts": "~v3.1.0",
        "symfony/http-foundation": "~v6.1.1",
        "symfony/http-kernel": "~v6.1.1",
        "symfony/mime": "~v6.1.1",
        "symfony/polyfill-ctype": "~v1.26.0",
        "symfony/polyfill-iconv": "~v1.26.0",
        "symfony/polyfill-intl-grapheme": "~v1.26.0",
        "symfony/polyfill-intl-idn": "~v1.26.0",
        "symfony/polyfill-intl-normalizer": "~v1.26.0",
        "symfony/polyfill-mbstring": "~v1.26.0",
        "symfony/polyfill-php80": "~v1.26.0",
        "symfony/process": "~v6.1.0",
        "symfony/psr-http-message-bridge": "~v2.1.2",
        "symfony/routing": "~v6.1.1",
        "symfony/serializer": "~v6.1.1",
        "symfony/service-contracts": "~v3.1.0",
        "symfony/string": "~v6.1.0",
        "symfony/translation-contracts": "~v3.1.0",
        "symfony/validator": "~v6.1.1",
        "symfony/var-dumper": "~v6.1.0",
        "symfony/yaml": "~v6.1.0",
        "twig/twig": "~v3.3.10"
    }
}
+3 −3
@@ -25,13 +25,13 @@ public function builderTestData() {
        [
          'name' => 'drupal/core-recommended',
          'type' => 'metapackage',
          'description' => 'Locked core dependencies; require this project INSTEAD OF drupal/core.',
          'description' => 'Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.',
          'license' => 'GPL-2.0-or-later',
          'require' =>
          [
            'drupal/core' => Composer::drupalVersionBranch(),
            'symfony/polyfill-ctype' => 'v1.12.0',
            'symfony/yaml' => 'v3.4.32',
            'symfony/polyfill-ctype' => '~v1.12.0',
            'symfony/yaml' => '~v3.4.32',
          ],
          'conflict' =>
          [
+4 −1
@@ -52,6 +52,9 @@ public function testComposerLockHash() {
   * @dataProvider providerTestComposerJson
   */
  public function testComposerTilde($path) {
    if (preg_match('#composer/Metapackage/CoreRecommended/composer.json$#', $path)) {
      $this->markTestSkipped("$path has tilde");
    }
    $content = json_decode(file_get_contents($path), TRUE);
    $composer_keys = array_intersect(['require', 'require-dev'], array_keys($content));
    if (empty($composer_keys)) {
@@ -78,7 +81,7 @@ public function providerTestComposerJson() {
    $data = [];
    $composer_json_finder = $this->getComposerJsonFinder(realpath(__DIR__ . '/../../../../'));
    foreach ($composer_json_finder->getIterator() as $composer_json) {
      $data[] = [$composer_json->getPathname()];
      $data[$composer_json->getPathname()] = [$composer_json->getPathname()];
    }
    return $data;
  }
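Review bot: Skipping `testComposerTilde()` for the CoreRecommended file by path suffix leaves that file's constraints with no assertion at all, so a malformed or unexpectedly wide range there would pass unnoticed. Rather than calling `markTestSkipped()`, the branch could assert the shape the metapackage is now expected to have (a tilde plus a three-segment version for everything except `drupal/core`) and then return. The pattern also leaves the dot in `composer.json` unescaped and assumes forward slashes in `$path`, which may not hold on every platform. The rest of testComposerTilde() lies outside the hunk.

```php
  public function testComposerTilde($path) {
    if (preg_match('#composer/Metapackage/CoreRecommended/composer\.json$#', $path)) {
      // This metapackage is expected to carry tilde constraints, so verify
      // their shape here instead of exempting the file from any check.
      $content = json_decode(file_get_contents($path), TRUE);
      foreach ($content['require'] as $name => $constraint) {
        if ($name !== 'drupal/core') {
          $this->assertMatchesRegularExpression('/^~v?\d+\.\d+\.\d+$/', $constraint, "$name in $path");
        }
      }
      return;
    }
    // … unchanged: remainder of testComposerTilde …
```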