Problem/Motivation
Background from @xjm: In general, Drupal has only been updating our production branches' core/composer.json constraints for security issues if the vulnerability affects Drupal core, and only updating the lockfile if we don't expose the vulnerability.
However, the Security Team had a discussion that it might be better to actually increase the constraint as well, especially for the moment where we don't have e.g. the FriendsOfPHP security advisories as a dependency.
We're about to release 8.9.0 (an LTS) as well as 8.8.7 (the last patch release of 8.8.x) so now is a good time to do a patch-level update of a constraint for this. In particular, symfony/http-foundation had a security release in 3.4.35.
Proposed resolution
Create a patch that updates 8.9.x and 8.8.x.
Steps to create the patch:
- Update "symfony/http-foundation": "~3.4.27", to "~3.4.35" in core/composer.json
- Run COMPOSER_ROOT_VERSION=8.9.x-dev composer update drupal/core (to make sure the metapackages are updated if needed)
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#12 | 3143722-d88-update_symfony_http_foundation-12.patch | 1.73 KB | shaal |
#11 | 3143722-d89-update_symfony_http_foundation-11.patch | 1.38 KB | shaal |
#3 | update_symfony_http-3143722-3.patch | 3.78 KB | shaal |
#2 | update_symfony_http-3143722-2.patch | 22.59 KB | shaal |
Comments
Comment #2
shaal
Patch for 8.9.x
Comment #3
shaal
Patch for 8.8.x
(COMPOSER_ROOT_VERSION=8.8.x-dev composer update drupal/core)
Comment #4
andypost
A few other packages need another issue to update.
Comment #5
xjm
@andypost Yep, just this one is the one production dependency with a security issue in the minimum allowed version. (There are dev dependencies too and other updates, but we can deal with those less urgently, and I figured the specific scope would be an easier review.)
Comment #6
jungle
Should we update it to 3.4.40, the latest minor release of 3.4.x? https://github.com/symfony/http-foundation/releases/tag/v3.4.40
Funding info is introduced here; it's in the scope of #3127918: Add funding info in composer.lock. Using composer 1.9.0 won't bring it here, as funding was introduced in composer 1.10.
NW for #2 at least.
Thanks!
Comment #7
xjm
For #6.1, our previous policy was to not increase constraints at all unless core was actually vulnerable, so I think we should keep the lowest possible version that is secure, particularly for 8.8.x. (I could go either way for 8.9.x.)
I did not know about #6.2, interesting! I was wondering what that all was.
Comment #8
jungle
Thanks, @xjm.
Then +1 to 3.4.35.
#6.2: Once #3127918: Add funding info in composer.lock lands, it's OK to use both composer 1.10.x and composer 1.9.x.
Comment #9
jungle
Comment #10
jungle
(Sorry for the noise: clicking the browser's back button might submit the form again and again.)
Comment #11
shaal
Thank you @jungle
Fix for 8.9.x
(I hide the interdiff because it seems more noise than helping)
Comment #12
shaal
Fix for 8.8.x
(I hide the interdiff because it seems more noise than helping)
Comment #13
jungle
Manually ran again with the steps in the IS, and confirmed that the only diff in #11 and #12 is the bin thing. It's back and forth like a ghost; I think we are good with or without it.
So the two patches in #11 and #12 are RTBC to me.
Comment #14
jungle
One thing: composer-lock-diff outputs nothing for me. But composer show symfony/http-foundation did tell me the version is v3.4.35, so it might be something wrong with composer-lock-diff itself, perhaps.
Comment #15
alexpott
Committed c198171 and pushed to 8.9.x. Thanks!
Committed c8a8761 and pushed to 8.8.x. Thanks!
@jungle lock-diff is telling you nothing because the lock file has not changed. What's changed here is the minimum version we support. The version installed for 8.8.x and 8.9.x is already v3.4.35 or greater.
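The distinction drawn in #15 (the constraint's floor in core/composer.json changed, the locked version did not) is what the steps in the issue summary change and what a lockfile diff cannot show. The following is an added example, not code from this issue or from Drupal core: it reads a require constraint out of composer.json, expands Composer's "~" range semantics, and reports separately whether the constraint's lower bound and the version pinned in composer.lock are at or above a security floor such as 3.4.35. The composer.json and composer.lock contents are constructed samples; vendor/other-package and its "~3.4.27" constraint are placeholders, not a real Drupal dependency.

```python
import json
import re

# Constructed sample files (not Drupal's real files): a trimmed composer.json
# with one constraint already raised to the secure floor and one placeholder
# package (vendor/other-package) whose constraint still allows older releases.
SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {
        "symfony/http-foundation": "~3.4.35",
        "vendor/other-package": "~3.4.27",
    }
})
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-foundation", "version": "v3.4.40"},
        {"name": "vendor/other-package", "version": "v3.4.40"},
    ]
})


def parse_version(text):
    """Turn 'v3.4.40' into the tuple (3, 4, 40); shorter versions are padded."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"not a numeric version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def tilde_range(constraint):
    """Expand a Composer '~' constraint into (inclusive_low, exclusive_high).

    '~3.4.35' means >=3.4.35,<3.5.0 and '~3.4' means >=3.4.0,<4.0.0: the
    last listed component may float, the one before it is fixed.
    """
    match = re.fullmatch(r"~\s*(\d+(?:\.\d+){0,2})", constraint.strip())
    if not match:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    low = tuple((parts + [0, 0, 0])[:3])
    if len(parts) == 1:
        high = (parts[0] + 1, 0, 0)
    else:
        bumped = parts[:-1]
        bumped[-1] += 1
        high = tuple((bumped + [0, 0, 0])[:3])
    return low, high


def audit_package(composer_json, composer_lock, package, secure_floor):
    """Compare the constraint floor and the locked version with a secure floor.

    Returns two independent answers: whether composer.json can still resolve
    to a version below the floor, and whether the version pinned in
    composer.lock is already at or above it.
    """
    constraint = json.loads(composer_json)["require"][package]
    low, high = tilde_range(constraint)
    locked = {p["name"]: p["version"]
              for p in json.loads(composer_lock)["packages"]}
    installed = parse_version(locked[package])
    floor = parse_version(secure_floor)
    return {
        "constraint": constraint,
        "constraint_floor_secure": low >= floor,
        "locked_version": locked[package],
        "locked_version_secure": installed >= floor,
        "locked_satisfies_constraint": low <= installed < high,
    }


if __name__ == "__main__":
    for name in ("symfony/http-foundation", "vendor/other-package"):
        print(name, audit_package(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK,
                                  name, "3.4.35"))
```

For the placeholder package the lock pins v3.4.40 (secure) while the constraint still admits 3.4.27: that is the state a lockfile diff will never surface, because only composer.json moves when the floor is raised, and it is why `composer show` reports a secure version even when the constraint has not yet been bumped.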
Comment #18
jungle
Thanks, @alexpott, that explains it.
Comment #19
xjm