Currently the version of SimpleSAMLphp is locked on 1.17 with the version string `~1.17.2` in the composer.json. To allow upgrading to a version without security problems this version string needs to be updated. I will add a patch to fix this problem.
Comment | File | Size | Author
---|---|---|---
#5 | simplesamlphp_auth-dependency_version_update-3097283-5.patch | 1.1 KB | pdenooijer
#2 | simplesamlphp_auth-dependency_version_update-3097283-2.patch | 367 bytes | pdenooijer
Comments

Comment #2
pdenooijer (credit: pdenooijer at Ordina Digital Services for RTL Nieuws) commented:
Provided patch will allow updating minor and patch versions of the `simplesamlphp/simplesamlphp` dependency with composer.

Comment #3
Berdir commented:
The reason I used ~ and not ^ was that 1.17 caused quite a few problems due to deprecations, so I tried to be more careful. I guess it's fine to expand it.
Comment #4
idebr (credit: idebr at iO) commented:
There is a line in `simplesamlphp_auth_requirements()` mentioning the minimum version requirement for simplesamlphp. It currently says:

Let's update this line so it matches the version requirement in the composer.json file. Alternatively, we could remove the version number mentioned here since the calling code does not actually parse the version number.
Comment #5
pdenooijer (credit: pdenooijer at Ordina Digital Services for RTL Nieuws) commented:
Updated the patch with the `simplesamlphp_auth_requirements()` change included.

Comment #6
pdenooijer (credit: pdenooijer at Ordina Digital Services for RTL Nieuws) commented:
For now we mitigated the problem by adding the following line in the composer.json `require` field:

```
"simplesamlphp/simplesamlphp": "1.18.2 as 1.17.8",
```

Had to upgrade some other dependencies (like simplesamlphp/saml2) to get it to work.
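To make the constraint semantics from #3 and the alias workaround from #6 concrete, here is an added example (not code from simplesamlphp_auth or from Composer) that models how Composer reads `~1.17.2`, `^1.17.2` and `1.18.2 as 1.17.8`, so you can see which patched releases a narrow constraint silently blocks; all function names are hypothetical.

```python
# Added example, not simplesamlphp_auth or Composer code: a minimal model of
# Composer's '~' and '^' operators and its inline 'X as Y' alias. The versions
# 1.17.2, 1.17.8 and 1.18.2 are the ones mentioned in this thread.

def parse_version(text):
    """'1.17' -> (1, 17, 0): pad to three numeric components for comparison."""
    nums = [int(p) for p in text.strip().split(".")]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])

def allowed_range(constraint):
    """Return (lower_inclusive, upper_exclusive) for a '~' or '^' constraint."""
    op, ver = constraint[0], constraint[1:]
    parts = [int(p) for p in ver.split(".")]
    lower = parse_version(ver)
    if op == "~":
        # Tilde bumps the second-to-last given component: ~1.17.2 -> <1.18.0, ~1.17 -> <2.0.0
        bump = parts[:-1] if len(parts) > 1 else parts[:]
        bump[-1] += 1
        upper = parse_version(".".join(map(str, bump)))
    elif op == "^":
        # Caret stops at the next breaking release: ^1.17.2 -> <2.0.0, ^0.3.1 -> <0.4.0
        if parts[0] != 0 or len(parts) == 1:
            upper = (parts[0] + 1, 0, 0)
        elif parts[1] != 0 or len(parts) == 2:
            upper = (0, parts[1] + 1, 0)
        else:
            upper = (0, parts[1], parts[2] + 1)
    else:
        raise ValueError("only ~ and ^ constraints are modelled here")
    return lower, upper

def satisfies(version, constraint):
    lower, upper = allowed_range(constraint)
    return lower <= parse_version(version) < upper

def compare_constraints(candidates=("1.17.8", "1.18.2", "2.0.0")):
    """Which candidate releases the module's old (~) and widened (^) constraints admit."""
    return {c: [v for v in candidates if satisfies(v, c)]
            for c in ("~1.17.2", "^1.17.2")}

def alias_satisfies(require_value, constraint):
    """Model 'X as Y': X is installed, Y is what other constraints see. Returns (installed, ok)."""
    installed, _, alias = require_value.partition(" as ")
    alias = alias or installed
    return parse_version(installed), satisfies(alias, constraint)
```

Running `compare_constraints()` shows that `~1.17.2` admits only 1.17.8 while `^1.17.2` also admits 1.18.2, and `alias_satisfies("1.18.2 as 1.17.8", "~1.17.2")` shows why the workaround lets 1.18.2 install under the module's unchanged constraint.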
Comment #7
Berdir commented:
Patch looks good, I think it's useful to keep the version number.

Our test coverage is obviously very limited; if you can confirm that there are no issues with 1.18 using that workaround then I can commit it to -dev, which should make it easier to test.

Comment #8
pdenooijer (credit: pdenooijer at Ordina Digital Services for RTL Nieuws) commented:
Our CI is currently running with quite a lot of Behat tests; after it is tested by hand as well I will report back.

Comment #9
pdenooijer (credit: pdenooijer at Ordina Digital Services for RTL Nieuws) commented:
Works fine for us @Berdir!

Comment #10
Berdir commented:
Great, committed.
Comment #12
apaderno