| 10 Apr 2022 |
Pol | etu: Another easy one: https://github.com/NixOS/nixpkgs/pull/167837 | 20:14:12 |
| 12 Apr 2022 |
Pol | \o/ nixpkgs-unstable is unblocked ! | 19:10:09 |
| 13 Apr 2022 |
Pol | PHP 7.4.29, 8.1.5 is already in a PR, awaiting PHP 8.0.18 to remove the DRAFT status from the PR. | 19:28:18 |
Pol | Link: https://github.com/NixOS/nixpkgs/pull/168514 | 19:28:22 |
Pol | In reply to @drupol:matrix.org etu: Another easy one: https://github.com/NixOS/nixpkgs/pull/167837 Thanks ! | 19:28:29 |
| 14 Apr 2022 |
Pol | PR is ready for review: https://github.com/NixOS/nixpkgs/pull/168514 | 13:45:38 |
Pol | etu: Ready to merge ^^ | 16:35:36 |
| 15 Apr 2022 |
Pol | I just created a PR to fix the security vulnerability with Composer: https://github.com/NixOS/nixpkgs/pull/168783 | 12:46:33 |
Pol | I added the tag severity: security, I hope this is ok. | 12:46:54 |
Pol | Could be nice to have someone to review/merge this quickly. | 12:47:28 |
hexa | would be nice to have a link to the release notes and/or advisory in the commit message | 12:51:14 |
hexa | as well as a Fixes: <CVE-Identifier> | 12:51:25 |
hexa |
nix-repl> php.packages.composer.version "2.1.9"
| 12:52:12 |
hexa | also, what about release-21.11? | 12:52:18 |
Pol | I will amend the commit. | 12:52:43 |
hexa | according to https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6 the 2.1.9 release is affected | 12:53:02 |
Pol | For the release notes, which file do I have to edit? | 12:53:07 |
Pol | yes, everything under 2.3.5. | 12:53:15 |
hexa | well, actually <1.10.26 || >=2.0,<2.2.12 || >=2.3,<2.3.5 | 12:53:24 |
Pol | yes, that's it | 12:53:34 |
Pol | A lot :) | 12:53:45 |
hexa | clarity 🙂 | 12:53:50 |
Pol | yes, almost everything under 2.3.5 | 12:54:10 |
Pol | The devil lies in the details! | 12:54:18 |
Pol | So, what do you propose? Should I add something in a release note somewhere? | 12:54:36 |
hexa | I love references in commit messages. Personally I'd go for:
php.packages.composer: 2.3.3 -> 2.3.5
https://github.com/composer/composer/releases/tag/2.3.4
https://github.com/composer/composer/releases/tag/2.3.5
https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
Fixes: CVE-2022-24828
| 12:56:22 |
hexa | and release-21.11 needs to be handled separately since that version is so far off | 12:56:42 |
Pol | Ok. | 12:57:05 |
hexa | I see two options for release-21.11:
- backport https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709
- move to the 2.2 LTS release, which received 2.2.12
| 13:00:30 |
hexa |
Composer 2.3 will increase the required PHP version to >=7.2.5 and thus stop supporting PHP 5.3.2 - 7.2.4.
| 13:03:42 |