@schlessera
Member

@schlessera schlessera commented May 6, 2025

This uses a hotfixed version of symfony/process (tagged as 5.9.99) to combine the fix for GHSA-qq5c-677p-737q with PHP 5.6 compatibility.

Fixes #719

@schlessera schlessera requested a review from a team as a code owner May 6, 2025 11:20
@schlessera schlessera requested a review from swissspidy May 6, 2025 11:20
@schlessera
Member Author

@swissspidy would love your thoughts on this.

@swissspidy
Member

Hmm doesn't this cause issues for anyone who requires wp-cli/wp-cli-bundle via Composer? Because they would need the same repositories config — unless we'd push this hotfix on Packagist with a new name (wp-cli/process) and a replace. Also, symfony/process is included via composer/composer from wp-cli/package-command, so maybe that dependency change should happen there?

Or is the idea simply to get composer update working again in this repo & to have an updated Phar, but not touch the rest?

@schlessera
Member Author

Good point with the Composer flow. Normally, you shouldn't use wp-cli/wp-cli-bundle when using a Composer flow, but some people might still do that.

On the other hand, if they are already using the wrong package, we might as well make sure they are not hitting a security issue.

Let me think some more about this...

@swissspidy
Member

> Normally, you shouldn't use wp-cli/wp-cli-bundle when using a Composer flow, but some people might still do that.

Seems relatively common: https://github.com/search?q=path%3Acomposer.json+%22wp-cli%2Fwp-cli-bundle%22&type=code

@schlessera
Member Author

Ignoring coverage failure and merging.

@schlessera schlessera merged commit e6a3eb3 into main May 6, 2025
42 of 43 checks passed
@schlessera schlessera deleted the update-dependencies-2025-05-06 branch May 6, 2025 19:11
@schlessera schlessera added this to the 2.12.0 milestone May 6, 2025
Successfully merging this pull request may close these issues.

Package build fails with symfony/process conflict

3 participants