Problem/Motivation

Symfony 4.4.7 has been released. Drupal 8 is not affected.

Proposed resolution

Update requirements for applicable components to 4.4.7.

Remaining tasks

Separate patches are needed for 9.1.x and 9.0.x.

User interface changes

API changes

Data model changes

Release notes snippet

Comment | File | Size | Author
#5 | 3123558-9.1.x-4.patch | 39.1 KB | alexpott
#2 | 3123558-2.patch | 39.1 KB | alexpott

Comments

xjm created an issue. See original summary.

alexpott’s picture

Status: Active » Needs review
File status: new; size: 39.1 KB

I updated core/composer.json to limit the symfony/http-foundation to ^4.4.7 as that's the component with sec issue - just to be safe.

I ran
$ composer update "symfony/*" drupal/core

xjm’s picture

Status: Needs review » Needs work

Needs a 9.1.x patch too; I'd suggest we post that before tests finish on 9.0.x in the hopes that both pass.

xjm’s picture

I applied #2 locally and verified that the following things are no-ops on a clean composer install of 9.0.x:

  • composer update --lock
  • composer update drupal/core*
  • composer update symfony/*

alexpott’s picture

Status: Needs work » Needs review
File status: new; size: 39.1 KB

Oh... I'd hoped that that would apply to 9.1.x too :( ho hum.

xjm’s picture

Different branches of core will always have different lockfile hashes now, even if they're otherwise identical. So any composer-related change including dependency updates will always need separate patches per branch.

I repeated #4 with the root version constant, i.e. COMPOSER_ROOT_VERSION=9.0.x-dev composer update drupal/core* etc. and verified that also doesn't create any diffs.

Note for future reference that the slash in symfony/* is important to not accidentally change symfony-cmf packages; running this...

COMPOSER_ROOT_VERSION=9.0.x-dev composer update symfony*

...updates that package:

-            "version": "2.1.1",
+            "version": "2.2.0",

We should maybe update that as well while we're still in beta, but not prior to beta2 which should only be related to this SF update.
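
As an added illustration that is not part of the original thread: a lockfile review check that flags packages changed outside `symfony/*`, which is how the `symfony*` over-match described in the comment above shows up in a diff. The lockfile contents, the 4.4.5 starting version and the `symfony-cmf/routing` package name are constructed sample data, and `fnmatchcase` only approximates Composer's wildcard matching.

```python
import json
from fnmatch import fnmatchcase

def _lock(packages):
    # Build minimal composer.lock text; all data below is constructed sample input.
    return json.dumps({"packages": [{"name": n, "version": v} for n, v in packages.items()]})

BEFORE = _lock({"symfony/http-foundation": "v4.4.5", "symfony-cmf/routing": "2.1.1"})
# Result of a scoped update (symfony/*): only the symfony vendor moved.
AFTER_SCOPED = _lock({"symfony/http-foundation": "v4.4.7", "symfony-cmf/routing": "2.1.1"})
# Result of an over-broad update (symfony*): the symfony-cmf package moved too.
AFTER_BROAD = _lock({"symfony/http-foundation": "v4.4.7", "symfony-cmf/routing": "2.2.0"})

def locked_versions(lock_text):
    """Map package name -> locked version, covering packages and packages-dev."""
    lock = json.loads(lock_text)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"]: p["version"] for p in entries}

def unexpected_changes(before, after, allowed="symfony/*"):
    """Packages added, removed or re-versioned that fall outside the allowed glob."""
    old, new = locked_versions(before), locked_versions(after)
    return {name: (old.get(name), new.get(name))
            for name in sorted(old.keys() | new.keys())
            if old.get(name) != new.get(name) and not fnmatchcase(name, allowed)}

def meets_minimum(lock_text, package, minimum):
    """True if the locked version of `package` is >= `minimum` (plain x.y.z only)."""
    version = locked_versions(lock_text).get(package)
    if version is None:
        return False
    parse = lambda v: tuple(int(part) for part in v.lstrip("v").split("."))
    return parse(version) >= parse(minimum)

if __name__ == "__main__":
    for label, after in (("symfony/*", AFTER_SCOPED), ("symfony*", AFTER_BROAD)):
        print(label, "->", unexpected_changes(BEFORE, after) or "only symfony/* changed")
    print("http-foundation >= 4.4.7:",
          meets_minimum(AFTER_SCOPED, "symfony/http-foundation", "4.4.7"))
```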

xjm’s picture

Assigned: Unassigned » tedbow

I walked @tedbow through the steps I took to verify the 9.0.x patch. He will review the 9.1.x one.

xjm’s picture

The SQLite fail was a known JS race condition fail in WidgetUploadTest so I requeued it. At least SQLite is the fastest environment.

tedbow’s picture

Assigned: tedbow » Unassigned

Repeated the steps in #4, but in this order:

rm -rf vendor
composer install
# manually change core/composer.json to use "symfony/http-foundation": "^4.4.7",
COMPOSER_ROOT_VERSION=9.1.x-dev composer update symfony/*
COMPOSER_ROOT_VERSION=9.1.x-dev composer update drupal/core*

Also did this with COMPOSER_ROOT_VERSION=9.0.x-dev.

Both branches produced the same results as the patches for each branch.

+1 for RTBC when the tests pass

xjm’s picture

Status: Needs review » Reviewed & tested by the community

Saving issue credit and RTBCing based on #9 now that it's green.

  • xjm committed 3073e21 on 9.0.x
    Issue #3123558 by alexpott, xjm, tedbow: Update Symfony to 4.4.7
    
  • xjm committed 4cf69e4 on 9.1.x
    Issue #3123558 by alexpott, xjm, tedbow: Update Symfony to 4.4.7
    
xjm’s picture

Status: Reviewed & tested by the community » Fixed
Issue tags: +9.0.0 release notes

Committed to 9.1.x and 9.0.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.