One of the packages we use and help improve is BehatPageObjectExtension, an extension for Behat that encapsulates the PageObject pattern (we have written a blog post about PageObjectExtension, in Italian, here).
We found the related issue on the Guzzle GitHub repository and noticed that a fix had been released with version 6.3 of this library. Hurray, we can bump the Guzzle version to 6.3 and overcome the problem! But looking at BehatPageObjectExtension’s composer.json we soon realized that Guzzle isn’t a direct dependency managed by us. “It’s not a big deal”, I thought, as Guzzle was required by Goutte and we require Goutte through its Mink driver, so I expected to find some tagged version of Goutte and the Mink driver with this requirement bump. Sadly I found that wasn’t the case, as Guzzle is required by Goutte with ^6.0 (so, basically, every version between 6 and 7), and this includes the versions with the warning described above. Therefore, in our case, the warning was displayed as a “side effect” of deps=low, which indirectly requires Guzzle 6.0 because it is the lowest dependency accepted.
Without discussing whether it’s right or wrong to keep a version of third-party code that could break everything (take a look at this PR), we were suddenly at a crossroads: drop deps=low and give up on this kind of test, or dig into the Composer manual and look for something that could possibly help us. You guessed right: conflict is what we needed (thanks to jakzal!).
In order to avoid accepting third-party code with well-known security issues you can take advantage of SecurityAdvisories by Roave, a library which uses conflict as shown in this article to block unsafe packages. Give it a look!
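As an added example (not taken from the original post or from any of the projects it mentions), here is what a composer.json using the two ideas above could look like: a `conflict` entry that forbids the transitive Guzzle versions below 6.3 that triggered the warning, so that a deps=low / `--prefer-lowest` resolution is forced up to 6.3 instead of settling on 6.0, plus Roave SecurityAdvisories in `require-dev`, which applies the same `conflict` mechanism to a maintained list of packages with known security issues. The package names for the Goutte Mink driver and the PageObject extension, the version constraints, and the `dev-master` branch alias for roave/security-advisories are assumptions for the sake of the example; the `guzzlehttp/guzzle` constraint is the only value derived from the post (fix released in 6.3).

```json
{
    "name": "example/behat-page-object-project",
    "description": "Constructed example: block the transitive Guzzle <6.3 range and pull in Roave SecurityAdvisories",
    "require-dev": {
        "behat/mink-goutte-driver": "^1.2",
        "sensiolabs/behat-page-object-extension": "^2.0",
        "roave/security-advisories": "dev-master"
    },
    "conflict": {
        "guzzlehttp/guzzle": "<6.3.0"
    },
    "extra": {
        "_note": "Assumed names/constraints for illustration. 'conflict' does not install anything: it only refuses any resolution that would pull guzzlehttp/guzzle 6.0-6.2, even when Goutte's own requirement (^6.0) would allow them under --prefer-lowest."
    }
}
```

A `conflict` entry is the right tool here precisely because the project does not require Guzzle directly: adding Guzzle to `require` would turn a transitive dependency into a direct one the project then has to maintain, whereas `conflict` only narrows what the resolver may pick. The same holds for roave/security-advisories, which contains no code of its own and only fails `composer update` when a known-vulnerable version would otherwise be selected, so the check runs in the lowest-dependencies build as well as the regular one.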