Newsgroups: php.internals
From: rowan.collins@gmail.com (Rowan Collins)
To: internals@lists.php.net
Date: Sat, 2 Feb 2019 17:59:57 +0000
Subject: Re: [PHP-DEV] Disable PEAR by default
Message-ID: <1cabe7e6-8e7d-fdc9-a2b6-2aa4ddf911da@gmail.com>
References: <7a909cd3-5d0f-8f2e-fba8-009778311bf0@php.net>

On 02/02/2019 01:08, Alice Wonder wrote:
> That version has vulnerability, developer fixed it in newer release,
> but composer keeps pulling in the older version because that is what
> composer provides.

Have you seen
https://packagist.phpcomposer.com/packages/roave/security-advisories ?

It's a very simple composer package which lists packages with known
vulnerabilities as incompatible, so that composer will skip them even if
it means downgrading to meet the constraints of other packages you've
requested.

I'm not sure what other solution any package manager could provide,
other than allowing you to install any version you liked, even if the
authors stated that they were incompatible.

Regards,

-- 
Rowan Collins
[IMSoP]
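
A simplified model of the conflict mechanism described in the message above, as an added example that is not part of the original e-mail and is not Composer's actual solver. The version list, the vulnerable range and the function names are constructed for illustration.

```python
# Simplified model of conflict-based blocking; NOT Composer's real solver.
# Versions, ranges and names below are constructed for illustration.

def parse(version):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def in_range(version, low, high):
    """True if low <= version < high (half-open, like '>=1.1.0,<1.2.3')."""
    return parse(low) <= parse(version) < parse(high)

def resolve(available, required, conflicts):
    """Pick the highest version inside every `required` range and outside
    every `conflicts` range. Return None when nothing installable is left."""
    candidates = [
        v for v in available
        if all(in_range(v, lo, hi) for lo, hi in required)
        and not any(in_range(v, lo, hi) for lo, hi in conflicts)
    ]
    return max(candidates, key=parse) if candidates else None

# Constructed release history of a hypothetical library.
AVAILABLE = ["1.0.0", "1.1.0", "1.2.0", "1.2.3", "2.0.0"]

# Constructed advisory: 1.1.0 up to (not including) 1.2.3 is vulnerable.
# An advisories metapackage would declare this range as a conflict.
ADVISORY_CONFLICTS = [("1.1.0", "1.2.3")]

if __name__ == "__main__":
    # Another dependency caps the library below the fixed release.
    capped = [("1.0.0", "1.2.3")]
    print("no advisories:  ", resolve(AVAILABLE, capped, []))
    print("with advisories:", resolve(AVAILABLE, capped, ADVISORY_CONFLICTS))

    # A dependency that only accepts vulnerable versions cannot be satisfied,
    # so the install fails instead of pulling in a known-bad release.
    only_bad = [("1.1.0", "1.2.3")]
    print("unsatisfiable:  ", resolve(AVAILABLE, only_bad, ADVISORY_CONFLICTS))
```

The unsatisfiable case is the useful signal: the failure points at the dependency whose constraint still pins the vulnerable range.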