Skip to content

Updating composer packages blocked #2048

Description

@johanib

I noticed a lot of Dependabot PR's. Upon trying to run composer update -W, I ran into some issues:

root@engine:/var/www/html# composer update -W
Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "7.4.*"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires simplesamlphp/assert ^1.9.1 -> satisfiable by simplesamlphp/assert[v1.9.1].
    - simplesamlphp/assert v1.9.1 requires guzzlehttp/psr7 ~2.8.0 -> found guzzlehttp/psr7[2.8.0, 2.8.1] but these were not loaded, because they are affected by security advisories ("PKSA-7qs6-zvnz-h66r", "PKSA-gm5x-j3mz-71n9", "PKSA-jj5t-2zs1-dcfm"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add their IDs to the "policy.advisories.ignore-id" config or add the package to "policy.advisories.ignore". To turn the feature off entirely, you can set "policy.advisories.block" to false.
  Problem 2
    - Root composer.json requires simplesamlphp/saml2 ^4.19 -> satisfiable by simplesamlphp/saml2[v4.20.3].
    - simplesamlphp/saml2 v4.20.3 requires simplesamlphp/xml-common ^2.7 -> satisfiable by simplesamlphp/xml-common[v2.7.0, ..., v2.8.1].
    - simplesamlphp/xml-common[v2.7.0, ..., v2.8.1] require ext-bcmath * -> it is missing from your system. Install or enable PHP's bcmath extension.

      Alternatively you can require one of these packages that provide the extension (or parts of it):
      Keep in mind that the suggestions are automated and may not be valid or safe to use
      - phpseclib/bcmath_compat PHP 5.x-8.x polyfill for bcmath extension
      - nanasess/bcmath-polyfill PHP 8.4 bcmath functions polyfill with fallback compatibility for environments without bcmath extens
      - phuture/continuum A forward-compatibility layer bringing tomorrow’s PHP features to today’s runtimes.
      - lumisys/bcmath_compat PHP 5.x/7.x polyfill for bcmath extension


To enable extensions, verify that they are enabled in your .ini files:
    - /usr/local/etc/php/php-cli.ini
    - /usr/local/etc/php/conf.d/docker-php-ext-gd.ini
    - /usr/local/etc/php/conf.d/docker-php-ext-gmp.ini
    - /usr/local/etc/php/conf.d/docker-php-ext-intl.ini
    - /usr/local/etc/php/conf.d/docker-php-ext-pdo_mysql.ini
    - /usr/local/etc/php/conf.d/docker-php-ext-sodium.ini
    - /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini
You can also run `php --ini` in a terminal to see which files are used by PHP in CLI mode.
Alternatively, you can run Composer with `--ignore-platform-req=ext-bcmath` to temporarily ignore these required extensions.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

Trying to upgrade to simplesamlphp/assert:^2.0 gave other issues:

Root cause found: two chained composer.json dependency conflicts, not a config bug.                                                                    
                                                                                                                                                       
 - Problem 1:  simplesamlphp/assert ^1.9.x  hard-pins  guzzlehttp/psr7 ~2.8.0 , and both published 2.8.0/2.8.1 releases carry real security advisories 
(host-confusion/header-injection). Composer correctly refuses to install them.                                                                         
 - Problem 2: Bumping to  simplesamlphp/assert v3.0.0  (drops the psr7 dep entirely — the real fix) needs  webmozart/assert ~2.1 , but: -  openconext/ 
monitor-bundle  (latest release 4.3.1) has never published a version supporting  webmozart/assert ^2  — verified in its GitHub composer.json.          
 -  simplesamlphp/saml2 ^4.20  (which does support webmozart ^2) needs  simplesamlphp/xml-common ^2.7 , which requires  ext-bcmath , missing from the  
PHP runtime.                                                                                                                                           
                                                                                                                                                       
No single-repo fix exists today. Documented two paths in plan.md:                                                                                      
                                                                                                                                                       
 - Path A (mitigate): add advisory IDs to  composer.json   config.audit.ignore , stay on current versions — unblocks installs but leaves the psr7 vuln 
in place.                                                                                                                                              
 - Path B (full fix): PR to  OpenConext/Monitor-bundle  for webmozart ^2 support, then bump  simplesamlphp/assert  → ^3.0,  simplesamlphp/saml2  →     
^4.20, enable  ext-bcmath  in the runtime image, run full PHPUnit suite for breaking changes.                                                          

Tasks:

  • We should consider upgrading to the latest simplesamlphp/saml2, as that is the biggest blocker with the most impact.
  • Check with SURF: https://github.com/simplesamlphp/xml-common version 2 seems to require ext-bcmath. The EB container does not have that extension installed. Should we add it?
  • SAML package migration #2031 might also improve the situation, but maybe not resolve it completely.

Acceptance criteria:

  • webmozart/assert:2.4.1 is able to be installed into EB so it does not hold other packages back.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions