On 02/02/2019 01:08, Alice Wonder wrote:
That version has a vulnerability; the developer fixed it in a newer release, but composer keeps pulling in the older version because that is what composer provides.
Have you seen https://packagist.phpcomposer.com/packages/roave/security-advisories ?
It's a very simple composer package which lists packages with known vulnerabilities as incompatible, so that composer will skip them even if it means downgrading to meet the constraints of other packages you've requested.
I'm not sure what other solution any package manager could provide, other than allowing you to install any version you liked, even if the authors stated that they were incompatible.
Regards,
--
Rowan Collins
[IMSoP]
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
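The mechanism Rowan describes, as an added illustration that is not part of the thread or of the roave/security-advisories project itself: the advisories package ships a composer.json whose only payload is a `conflict` section naming vulnerable version ranges, and Composer's solver treats a `conflict` entry as "never install these versions". A root project can use the same key locally for a package not yet listed upstream. Below is a hypothetical consumer composer.json; `acme/app`, `acme/example-lib` and the `<1.2.3` range are made up for the example, and `dev-master` is the branch name the package used at the time of this thread (later versions of the package are required as `dev-latest`).

```json
{
  "name": "acme/app",
  "description": "Hypothetical project showing how conflict constraints keep vulnerable releases out of the lock file",
  "require": {
    "acme/example-lib": "^1.0"
  },
  "require-dev": {
    "roave/security-advisories": "dev-master"
  },
  "conflict": {
    "acme/example-lib": "<1.2.3"
  }
}
```

With this file, `composer update` must satisfy both `^1.0` (from `require`) and `not <1.2.3` (from `conflict`), so it selects 1.2.3 or later; if no release satisfies both, or another dependency pins `acme/example-lib` to an older version, Composer aborts with a dependency conflict instead of silently installing the vulnerable release. Pinning the advisories package to a branch rather than a tagged version matters: the conflict list only helps if `composer update` pulls the current list each time, which a fixed tag would not.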