Problem/Motivation
#3039611: Update core PHP dependencies for 8.8.x updated Diactoros from 1.4 to 1.8. I don't think this is the correct choice as security coverage for 1.8 ended a couple weeks ago on Sept. 27, but 1.7 is an LTS version that will be supported into 2022. See: https://framework.zend.com/long-term-support
Proposed resolution
Pin Diactoros to 1.7 so we stay on the LTS until D8's EOL.
Remaining tasks
Patch please.
Release notes snippet
Diactoros has been updated from 1.4.1 to 1.8.7 (an LTS version which receives security coverage until March 2022).
Comment | File | Size | Author |
---|---|---|---|
#29 | 3087531-8.8.x-28.patch | 3.93 KB | alexpott |
#29 | 3087531-9.0.x-28.patch | 3.93 KB | alexpott |
#29 | 3087531-8.9.x-28.patch | 3.93 KB | alexpott |
#15 | interdiff-26c3f3.txt | 2.99 KB | jibran |
#13 | 3087531-13.patch | 835 bytes | jibran |
Comments
Comment #2
xjm
Comment #3
jibran
Working on a patch now.
Comment #4
jibran
Comment #5
xjm
👍 Looks good, thanks.
Comment #6
xjm
Weird artifact?
Comment #7
jibran
#6: the package should be in sorted order. I can revert this if we don't want the change, but it is bound to happen at some time.
Comment #8
xjm
Sure, that seems fair. I guess the patch that added it added it at the end of the list manually.
Comment #9
alexpott
Committed and pushed f123666e10 to 9.0.x and c7cae3d7ba to 8.9.x and 4a7a0fa0af to 8.8.x. Thanks!
Comment #13
jibran
This is weird. For some reason the lock file is outdated.
Comment #14
gnikolovski
I just tried installing Drupal 8.8dev with the new drupal/recommended-project template and I'm getting this:
Your requirements could not be resolved to an installable set of packages.
Problem 1
- drupal/core 8.8.x-dev requires zendframework/zend-diactoros >=1.7 <1.8 -> satisfiable by zendframework/zend-diactoros[1.7.0, 1.7.1, 1.7.2].
- Can only install one of: zendframework/zend-diactoros[1.8.7, 1.7.0].
- Can only install one of: zendframework/zend-diactoros[1.8.7, 1.7.1].
- Can only install one of: zendframework/zend-diactoros[1.8.7, 1.7.2].
- drupal/core-recommended 8.8.x-dev requires drupal/core 8.8.x-dev -> satisfiable by drupal/core[8.8.x-dev].
- drupal/core-recommended 8.8.x-dev requires zendframework/zend-diactoros 1.8.7 -> satisfiable by zendframework/zend-diactoros[1.8.7].
- Installation request for drupal/core-recommended ^8.8 -> satisfiable by drupal/core-recommended[8.8.x-dev].
Comment #15
jibran
Patch #13 should fix that, but we wouldn't know until it is committed. Also #3086644: LegacyProject composer templates wrongly reference 8.x + fix test coverage will add explicit tests to make sure templates provided by core are installable at all times.
@alexpott I was thinking about adding a test to make sure that drupal/core is always up to date in the lock file. PFA the interdiff and let me know if it is worth adding to the patch.
Comment #16
alexpott
The out-of-date lock file got fixed in #3086796: Explicitly require pear/archive_tar ^1.4.5 - the 8.8.x lock file seems way harder to manage than before.
Comment #17
greg.1.anderson (credit attribution: greg.1.anderson at Pantheon)
In order to do #15 we need #3087626: Convert drupal/core-recommended & c. into a subtree split
Comment #18
Mixologic
I have updated the metapackages in the meantime, so #14 will work until we change the next lockfile.
Comment #19
jibran
Symfony Security Check is complaining now.
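As an added illustration (not code from this issue or from Drupal core), a small Python checker that reproduces the two symptoms seen in #14 and #19: a composer.lock whose pinned version no longer satisfies a constraint declared by one of the requirers, and a locked version that falls inside an advisory's affected range. The lock, the requirement map and the advisory record are constructed, and the constraint syntax is only the subset of composer's used on this page (`X.Y.Z`, `>=`, `<`, `^`).

```python
import operator, re

OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
       "<": operator.lt, "<=": operator.le}

def parse_version(text):
    # "1.7" -> (1, 7, 0); pre-release suffixes are out of scope for this example
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def parse_constraint(text):
    # Space-separated clauses are ANDed, as in composer's ">=1.7 <1.8".
    # "^1.7" expands to ">=1.7.0 <2.0.0" (caret on a 0.x version is not handled).
    clauses = []
    for tok in text.split():
        m = re.fullmatch(r"(\^|>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})", tok)
        if not m:
            raise ValueError(f"unsupported constraint: {tok}")
        op, ver = m.group(1) or "=", parse_version(m.group(2))
        if op == "^":
            clauses += [(">=", ver), ("<", (ver[0] + 1, 0, 0))]
        else:
            clauses.append((op, ver))
    return clauses

def satisfies(version, constraint):
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in parse_constraint(constraint))

def check_lock(lock, requirements):
    """(requirer, package, constraint, locked) for each constraint the lock violates."""
    locked = {p["name"]: p["version"] for p in lock["packages"]}
    return [(req, pkg, c, locked.get(pkg))
            for req, reqs in requirements.items() for pkg, c in reqs.items()
            if locked.get(pkg) is None or not satisfies(locked[pkg], c)]

def audit_lock(lock, advisories):
    """Advisory ids whose affected range matches a locked version (the #19 symptom)."""
    locked = {p["name"]: p["version"] for p in lock["packages"]}
    return [a["id"] for a in advisories
            if a["package"] in locked and satisfies(locked[a["package"]], a["affected"])]

# Constructed inputs mirroring the thread: core-recommended pins 1.8.7 while the
# patched core requires >=1.7 <1.8. The advisory record and its range are made up.
LOCK = {"packages": [{"name": "zendframework/zend-diactoros", "version": "1.8.7"}]}
REQUIREMENTS = {"drupal/core": {"zendframework/zend-diactoros": ">=1.7 <1.8"},
                "drupal/core-recommended": {"zendframework/zend-diactoros": "1.8.7"}}
ADVISORIES = [{"id": "CONSTRUCTED-0001", "package": "zendframework/zend-diactoros",
               "affected": ">=1.7 <1.8"}]
```

`check_lock(LOCK, REQUIREMENTS)` returns the single drupal/core violation that composer reported in #14; pinning the lock to 1.7.2 instead makes `audit_lock` flag the constructed advisory, which is the trade-off the rest of the thread is about.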
Comment #20
xjm
Uhhh, now that is interesting; what's the point of LTS coverage if you don't backport security patches to it?
We already determined Drupal doesn't exercise that particular vulnerability when we released 2018-005, but I'm more concerned about the next one. Let's file an issue in their queue?
Comment #21
xjm
Like, the entire reason we didn't try to replace Diactoros as a dependency was that they document support for LTS releases.
Comment #22
xjm
So apparently their LTS policy was finalized just a few weeks before 2018-005 was published, so it may not have been totally in place yet. Their GitHub issue queue prompts you to ask questions in their Slack instead: https://zendframework-slack.herokuapp.com/
Too late tonight for me; can someone find out in their Slack whether or not the LTS date documented on their policy is real and whether 1.7 will get any subsequent security backports in light of 2018-005 not having been backported?
Comment #23
alexpott
I've opened an issue against zend-diactoros - see https://github.com/zendframework/zend-diactoros/issues/373 - can't create a PR because there's no 1.7 branch to create a PR against, but here's a fork with the fix: https://github.com/alexpott/zend-diactoros/tree/1.7.x-CVE-NONE-0001 - also in zend slack it looks like they might bump the LTS version to 1.8
Comment #24
xjm
For now I'll put this as a known issue in the release notes. If they do actually update their page documenting that 1.8 will be supported until 2022 instead of last month, we should probably bump the version back to 1.8 before the alpha. Otherwise before beta. Otherwise... I dunno, but downgrading minors is technically a BC break.
Comment #25
Mixologic
Their documentation on https://framework.zend.com/long-term-support is fairly obtuse.
It seems like they don't actually have LTS for individual packages, only the '12 months after a major' policy, except they *DO* provide it for any packages that happen to be required by their application skeleton templates.
In this case it looks like they just updated their page incorrectly, applying the '12 month' policy to 1.8, but leaving the 'de facto LTS at 1.7 because the Expressive skeleton needs it'.
However, the expressive skeleton has a requirement of zendframework/zend-diactoros: ^1.7, which means that security fixes in 1.8 *do* support their framework.
Comment #26
jibran
I tried to bump the issue https://github.com/zendframework/zend-diactoros/issues/373#issuecomment-....
Meanwhile, should we create a new issue to update the Diactoros version to ^2.1 for the 9.0.x branch?
Comment #27
slasher13
Revert this ticket because 1.8 is the LTS version:
https://github.com/zendframework/zend-diactoros/issues/373#issuecomment-...
Comment #28
catch
This isn't a clean revert, so we could do with a new patch here to update from 1.7 to 1.8.
Comment #29
alexpott
Here's some patches...
Comment #31
jibran
Looks good to me, thanks @alexpott. Also updated the release notes.
Comment #33
catch
Committed/pushed to 9.0.x/8.9.x/8.8.x, thanks!
Comment #36
xjm
Thanks for fixing this. Can someone update https://www.drupal.org/core/dependencies explaining the vagaries of their LTS policy?
Comment #37
catch
I've done this for now, https://www.drupal.org/node/3051219/revisions/view/11615200/11618941 - we should update again once their table is correct though.