如何解决将 symfony 4 更新为 5 时出现 roave/security-advisories 问题
我正在尝试将我的 Symfony 4.4.19 更新到 Symfony 5.x,但我有两个冲突阻止了这个过程: symfony/monolog-bundle 和 roave/security-advisories
我正在运行方法 composer update "symfony/*" --with-all-dependencies
在关于 upgrading 的 Symfony 文档中,明确指出“一些以 symfony/ 开头的库遵循自己的版本方案。您不需要更新这些版本:您可以随时独立升级它们" 示例是...symfony/monolog-bundle
Updating dependencies
Problem 1
- Root composer.json requires symfony/monolog-bundle ^3.6 -> satisfiable by symfony/monolog-bundle[v3.6.0].
- symfony/monolog-bundle v3.6.0 requires symfony/http-kernel ~3.4 || ~4.0 || ^5.0 -> satisfiable by symfony/http-kernel[v5.0.0,...,v5.0.11].
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.11.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.10.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.9.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.8.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.7.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.6.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.5.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.4.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.3.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.2.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.1.
- roave/security-advisories dev-latest conflicts with symfony/http-kernel v5.0.0.
- roave/security-advisories is locked to version dev-latest and an update of this package was not requested.
这是我的 composer.json,我已将所有 4.4 替换为 5.0:
{
"type": "project","version": "1.2.0","license": "proprietary","require": {
"php": "^7.4.0","ext-ctype": "*","ext-iconv": "*","ext-intl": "*","ext-json": "*","abraham/twitteroauth": "^1.1","excelwebzone/recaptcha-bundle": "^1.5","facebook/graph-sdk": "^5.7","friendsofsymfony/rest-bundle": "^3.0","gesdinet/jwt-refresh-token-bundle": "^0.9.1","hamhamfonfon/astrobin-ws": "^2.0","jms/serializer-bundle": "^3.3","lexik/jwt-authentication-bundle": "^2.6","ruflin/elastica": "^6.0","sensio/framework-extra-bundle": "^5.2","symfony/asset": "^5.0","symfony/console": "^5.0","symfony/dotenv": "^5.0","symfony/expression-language": "^5.0","symfony/flex": "^1.11","symfony/form": "^5.0","symfony/framework-bundle": "^5.0","symfony/google-mailer": "5.0","symfony/http-client": "5.0","symfony/intl": "^5.0","symfony/mailer": "5.0.*","symfony/monolog-bundle": "^3.6","symfony/orm-pack": "^1.2","symfony/process": "5.0.*","symfony/requirements-checker": "^1.1","symfony/security-bundle": "^5.0","symfony/serializer": "^5.0","symfony/stopwatch": "^5.0","symfony/templating": "^5.0","symfony/translation": "^5.0","symfony/twig-bundle": "^5.0","symfony/validator": "^5.0","symfony/webpack-encore-bundle": "^1.0","symfony/yaml": "^5.0","twig/extensions": "^1.5"
},//...
"extra": {
"symfony": {
"allow-contrib": false,"require": "5.0.*"
}
},"require-dev": {
"roave/security-advisories": "dev-latest","symfony/maker-bundle": "^1.12","symfony/profiler-pack": "^1.0","symfony/var-dumper": "^5.0"
}
}
我在将 4.4 替换为 5.0 之前进行了“作曲家更新”,以确保使用 4.4.x 版本的最新版本。
解决方法
问题并不是真的在 monolog-bundle 中,而是如下:
- monolog-bundle 需要 symfony/http-kernel ~3.4 || ~4.0 || ^5.0
- 您将所有 Symfony 组件限制为 5.0(通过将“extra”->“symfony”->“require”设置为 5.0.*)。因此,monolog-bundle 唯一可满足的要求是 http-kernel 5.0。*
- roave/security-advisories 通过故意与具有已知安全问题的 lib 版本冲突来工作。在这种情况下,每个 5.0.* 版本都有漏洞 CVE-2020-15094(请参阅 https://symfony.com/blog/cve-2020-15094-prevent-rce-when-calling-untrusted-remote-with-cachinghttpclient),因此被阻止。所以没有有效版本,Composer 中止。
我的建议:Symfony 5.0 生命周期结束,所以使用当前版本的 Symfony 5.2.x(作曲家约束“^5.2”)。由于 Symfony 使用严格的语义版本控制,因此使用 5.2 而不是 5.0 没有任何缺点(即所有在 5.0 上运行的代码也将在 5.2 上运行)。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
