Problem/Motivation

phpunit 9.6.7 is required by drupal/core-dev 10.2.4. This package requires sebastian/resource-operations. The problem is that sebastian/resource-operations was abandoned and "composer audit" flags this as a security problem.

Proposed resolution

Work out what to do.
Do eet.

Remaining tasks

Work out what to do.
Do eet.

User interface changes

n/a

API changes

n/a

Data model changes

n/a

Release notes snippet

TBD

Comments

DamienMcKenna created an issue. See original summary.

damienmckenna’s picture

FYI this can be handled on a per-project basis by modifying the composer.json file:

https://getcomposer.org/doc/06-config.md#abandoned

    "config": {
        "audit": {
            "abandoned": "report"
        }
    }

or

    "config": {
        "audit": {
            "abandoned": "ignore"
        }
    }

damienmckenna’s picture

Title: phpunit 9.6.17 dependency sebastian/resource-operations was abandoned » phpunit 9.6.* dependency sebastian/resource-operations was abandoned

This can probably be closed as-is, if nothing else it'll be documentation for the next person who searches for this.

dave reid’s picture

https://github.com/sebastianbergmann/phpunit/issues/4828 was updated with a new release adding abandoned: false to prevent this error on composer audit going forward. I think this can be closed as fixed now.

dave reid’s picture

Also if you are not pushing your site's dev dependencies to your hosting/production code, you can also use composer audit --no-dev.
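
As an added example (not code from this thread or from Composer): a CI gate that reads `composer audit --format=json` output and fails on any advisory and on any abandoned package that is not on a reviewed allowlist, which is a narrower exception than setting `abandoned` to `ignore`. It assumes the report has top-level `advisories` and `abandoned` keys; the sample JSON is constructed, and `ACCEPTED_ABANDONED` and `evaluate` are hypothetical names.

```python
import json

# Constructed sample shaped like `composer audit --format=json` output for the
# situation in this issue: no advisories, one abandoned package.
SAMPLE_AUDIT = """
{
  "advisories": [],
  "abandoned": {
    "sebastian/resource-operations": null
  }
}
"""

# Hypothetical per-project allowlist: abandoned packages already reviewed and accepted.
ACCEPTED_ABANDONED = {"sebastian/resource-operations"}


def evaluate(audit_json, accepted=ACCEPTED_ABANDONED):
    """Return (exit_code, findings) for a CI gate over composer audit JSON."""
    report = json.loads(audit_json)
    # PHP encodes an empty map as [], so normalise both keys to dicts.
    advisories = report.get("advisories") or {}
    abandoned = report.get("abandoned") or {}
    findings = []
    for package, items in advisories.items():
        # Defensive: accept either a list or a map of advisory entries.
        entries = items.values() if isinstance(items, dict) else items
        for adv in entries:
            ident = adv.get("cve") or adv.get("advisoryId") or "unknown id"
            findings.append(f"ADVISORY {package}: {ident} {adv.get('title', '')}".rstrip())
    for package, replacement in abandoned.items():
        if package in accepted:
            continue  # reviewed exception; it stays visible in the allowlist
        hint = f" (suggested replacement: {replacement})" if replacement else ""
        findings.append(f"ABANDONED {package}{hint}")
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, findings = evaluate(SAMPLE_AUDIT)
    print("\n".join(findings) or "no unreviewed findings")
    raise SystemExit(code)
```

With this gate, a newly abandoned package still fails the build until someone reviews it and adds it to the allowlist.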

cilefen’s picture

But according to the maintainer, it is actually abandoned in all respects, except for that attribute, correct?

dave reid’s picture

The library is not getting any more updates, no, and PHPUnit 9 is also not getting any more bug fixes either. Ideally updating to PHPUnit 10 or 11 removes the dependency on the abandoned package.

cilefen’s picture

The library is essentially literally an array.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.