composer/composer requirement should be higher version
garrettboone opened this issue · 3 comments
FYI: https://packagist.org/packages/composer/composer/advisories?version=5517140 v2.1.8 and lower have a vuln.
I was able to locally modify composer.json with:

```json
"require": {
    "composer/composer": "^2.1.9",
    "composer/xdebug-handler": "^2.0",
    "php": ">=7.2.9 || ^8.0"...etc
```

After `composer update -W` there were no composer conflicts.
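As an added example that is not part of the issue or of the Bolt project: a small check that reads a composer.lock and flags any locked package whose version is below the first fixed release named in the advisory (composer/composer 2.1.8 and lower affected, 2.1.9 fixed). The lock fragment is constructed for illustration, and `parse_version` handles only plain dotted versions with an optional `v` prefix.

```python
import json
import re

# Constructed composer.lock fragment (not from the issue); the versions are chosen
# so that one entry falls inside the advisory range and the others do not.
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "composer/composer", "version": "2.1.8"},
    {"name": "composer/xdebug-handler", "version": "2.0.2"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "9.5.10"}
  ]
}
"""

# Advisory range taken from the issue: composer/composer v2.1.8 and lower are
# affected, so 2.1.9 is the first release that is considered fixed.
MIN_FIXED = {"composer/composer": "2.1.9"}


def parse_version(version):
    """Turn 'v2.1.8' or '2.1.8' into a tuple of ints; suffixes like '-beta1' are dropped."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def find_vulnerable(lock_json, min_fixed=MIN_FIXED):
    """Return (section, name, version) for each locked package below its fixed version."""
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            fixed = min_fixed.get(pkg["name"])
            if fixed and parse_version(pkg["version"]) < parse_version(fixed):
                hits.append((section, pkg["name"], pkg["version"]))
    return hits


if __name__ == "__main__":
    for section, name, version in find_vulnerable(SAMPLE_LOCK):
        print(f"{section}: {name} {version} is below fixed release {MIN_FIXED[name]}")
```

Running it against a real composer.lock (read the file instead of `SAMPLE_LOCK`) is a quick way to confirm that the constraint bump above actually changed what is installed.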
Yes, it makes sense to lock this down on a higher version in composer.json. Would you like to make a small PR for both bolt/project and bolt/core to do so?
Yes I would, I can do it later today and will double check for conflicts again.
@bobdenotter You know, maybe it's not a big deal after all. I just reinstalled the project from scratch and no vulnerabilities are showing. I also checked again on composer/composer and see versions 2.1.9, 10 and 11 are all just in the past couple of months - which is after I previously installed bolt. Version 2.1.11 is showing after a fresh install so I think we're good. Sorry for the false alarm, I will close this.