| 15 Apr 2022 |
Pol | I added the tag severity: security, I hope this is ok. | 12:46:54 |
Pol | Could be nice to have someone to review/merge this quickly. | 12:47:28 |
hexa | would be nice to have a link to the release notes and/or advisory in the commit message | 12:51:14 |
hexa | as well as a Fixes: <CVE-Identifier> | 12:51:25 |
hexa |
nix-repl> php.packages.composer.version "2.1.9"
| 12:52:12 |
hexa | also, what about release-21.11? | 12:52:18 |
Pol | I will amend the commit. | 12:52:43 |
hexa | according to https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6 the 2.1.9 release is affected | 12:53:02 |
Pol | For the release notes, which file should I have to edit? | 12:53:07 |
Pol | yes, everything under 2.3.5. | 12:53:15 |
hexa | well, actually <1.10.26 || >=2.0,<2.2.12 || >=2.3,<2.3.5 | 12:53:24 |
Pol | yes, that's it | 12:53:34 |
Pol | A lot :) | 12:53:45 |
hexa | clarity 🙂 | 12:53:50 |
Pol | yes, almost everything under 2.3.5 | 12:54:10 |
Pol | the devil lies in the details! | 12:54:18 |
Pol | So, what do you propose? Should I add something in a release note somewhere? | 12:54:36 |
hexa | I love references in commit messages. Personally I'd go for:
php.packages.composer: 2.3.3 -> 2.3.5
https://github.com/composer/composer/releases/tag/2.3.4
https://github.com/composer/composer/releases/tag/2.3.5
https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
Fixes: CVE-2022-24828
| 12:56:22 |
hexa | and release-21.11 needs to be handled separately since that version is so far off | 12:56:42 |
Pol | Ok. | 12:57:05 |
hexa | I see two options for release-21.11:
- backport https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709
- move to the 2.2 LTS release, which received 2.2.12
| 13:00:30 |
hexa |
Composer 2.3 will increase the required PHP version to >=7.2.5 and thus stop supporting PHP 5.3.2 - 7.2.4.
| 13:03:42 |
hexa | but I'd be wary of backporting too many feature bumps 🙂 | 13:03:56 |
Pol | hexa: for backporting, the branch is release-21.11? | 13:09:03 |
hexa | yep | 13:09:13 |
hexa | if you've never backported anything, check out the section in the contribution documentation | 13:09:51 |
Pol | ok | 13:10:01 |
Pol | Backport: https://github.com/NixOS/nixpkgs/pull/168785 | 13:13:08 |
hexa | so you're kinda saying these commits never happened there:
3aa6277c43b php74Packages.composer: 2.2.9 -> 2.3.3
8bf228ce2a4 php74Packages.composer: 2.2.7 -> 2.2.9
d118f55e231 php74Packages.composer: 2.2.6 -> 2.2.7
2b225076c7d php74Packages.composer: 2.2.3 -> 2.2.6
cb9f7cafde3 php74Packages.composer: 2.2.1 -> 2.2.3
5c6e813ba3e php74Packages.composer: 2.1.14 -> 2.2.1
0782984c059 php74Packages.composer: 2.1.9 -> 2.1.14 | 13:15:43 |
hexa | also what about breaking changes in these versions? | 13:16:18 |