- Issue created by @naveenvalecha
- First commit to issue fork.
- @catch opened merge request.
- @catch opened merge request.
- @catch opened merge request.
- Status changed to Needs review
7 months ago 6:44am 10 September 2024 - π¬π§United Kingdom catch
MRs up for 11.x, 10.4.x, 10.3.x. It looks like the 11.x and 11.0.x change is identical so I didn't bother creating a dedicated 11.0.x MR, but would be great if someone could validate.
We might need to do an out-of-band 10.2.x patch release too.
- Status changed to Needs work
7 months ago 8:14am 10 September 2024 - π³πΏNew Zealand quietone
I get different changes on 11.0.x and 11.x. Looking at the composer.json for each, the twig version for 11.0.x is "twig/twig": "^3.9.3" and in 11.x it is "twig/twig": "^3.11.0".
- First commit to issue fork.
- π¬π§United Kingdom longwave UK
We should do a 10.2 release as well, a 10.2 site I work on that uses core-recommended is complaining and won't upgrade.
I tried to fix the deprecations but one of them looks a bit tricky, I think we should ignore these here and work on them in a followup.
- π¬π§United Kingdom longwave UK
I think also we should bump the minimum version of Twig in composer.json to the secure version.
- @longwave opened merge request.
- π©πͺGermany jurgenhaas Gottmadingen
Have review the 3 MRs and the code is looking good. No errors found.
Then I wanted to also give it a try and updated a project's composer.json to provide the repository of the issue fork (https://git.drupalcode.org/issue/drupal-3473195.git) and to require the branch/version
dev-3473195-10-3, but composer is not pulling that as it seems to always grab drupal/core from GitHub.Any advise on how I could require the issue fork instead? I think that's required to test the twig/twig dependency.
- π¬π§United Kingdom longwave UK
@jurgenhass you don't need the issue fork, you can override the version with Composer, for example if you are on a 10.2 project and currently using Twig 3.8 you can say
$ composer require twig/twig:'3.14 as 3.8'to install 3.14 but satisfy the dependency for 3.8.
- π©πͺGermany jurgenhaas Gottmadingen
@longwave confirmed, just had to remove
roave/security-advisoriesas well, since it still checked again 3.8Went through some heavy tests on a 10.3 site and can confirm that all is working as before, can't find any issue with the updated twig.
Leaving status at NW, could otherwise go to RTBC.
- π©πͺGermany jurgenhaas Gottmadingen
What's interesting:
drupal/core-recommendedrequires Twig~3.8whiledrupal/corerequires Twig^3.9. So, for projects that require drupal core directly without drupal/core-recommended, then we already get the latest twig version. Maybe off-topic, but shouldn't those dependency be in sync? - @longwave opened merge request.
- Status changed to Needs review
7 months ago 10:07am 10 September 2024 - π¬π§United Kingdom longwave UK
Fixed one of the deprecations because it only appears in a specific place in one test, otherwise they can wait for a followup. Synced all five active branches so they all depend on ^3.14.0, backported the deprecation skips and some other fixes that were not yet in 10.2/10.3.
- π¬π§United Kingdom longwave UK
@jurgenhass re #15 previously core-recommended was even more strict and we relaxed it to patch-level updates in #3198340: Strict constraints in drupal/core-recommended make it harder for Composer-managed sites to apply their own security updates when a core update is not available β , I think at the time we considered that we might want to relax it to minor-level updates for some dependencies that have good BC policies and Twig is one of those; definitely worth discussing in a followup.
- πΊπ¦Ukraine khiminrm
Hi!
I've faced with similar issue today when tried to update composer lock file.Your requirements could not be resolved to an installable set of packages. Problem 1 - Root composer.json requires drupal/core-recommended == 10.2.6.0 -> satisfiable by drupal/core-recommended[10.2.6]. - roave/security-advisories dev-latest conflicts with twig/twig <1.44.8|>=2,<2.16.1|>=3,<3.14. - drupal/core-recommended 10.2.6 requires twig/twig ~v3.8.0 -> satisfiable by twig/twig[3.8 (alias of v3.14.0)]. - Root composer.json requires roave/security-advisories == dev-latest -> satisfiable by roave/security-advisories[dev-latest].How I can fix it with this version of the Drupal core without removing roave/security-advisories?
I've tried to apply patch from the https://git.drupalcode.org/project/drupal/-/merge_requests/9461.diff, but composer couldn't apply the patch.
We should wait when the fixes will be merged and update the core on next release?
Maybe we can use some temp solution until update?Thanks!
- π©πͺGermany FeyP
@khiminrm As a temporary solution for 10.2, you can use a cross-alias as shown by @longwave in #13. Note that you should remove the cross-alias again when updating to the official release, which will hopefully come soon.
- πΊπΈUnited States _andrew Pennsylvania
For 10.3, take the 3.8 from comment #13 and change it to 3.10.3.
- πΊπΈUnited States cmlara
Itβs been slightly mentioned in Slack and implied in this issue but not explicitly stated here:
The other option is to not use
drupal/core-recommended. It is not required for a Drupal site to function.This is not a solution for every site, as it does have a slightly increased risk of breakage with third party dependencies, however it does not have the issues that have prevented security updates several times in the past. Additionally in the past some contrib modules have been incompatible with
drupal/core-recommended(needing Guzzle7 in D9 is one issue that I encountered).Really up to you as a site owner which you prefer. Short term the βrequire asβ fix is not bad, and it involves less immediate risk of a site breakage that you may not be prepared for. Long term, especially with the existing policy fore release timelines, maybe migrating your sites away from
drupal/core-recommendedwill help you more than it might hurt you. - πΊπΈUnited States loopy1492
If anyone knows the maintainers, I've made pull requests for core-recommended.
- π¬π§United Kingdom longwave UK
drupal/core-recommendedproject is maintained here, the merge requests in this issue will update Twig and then we will issue new releases of Drupal - pull requests over on GitHub are not used.It would be helpful if someone can review the MRs here and mark them RTBC if they agree with the changes.
- πΊπΈUnited States loopy1492
@longwave I'd love to help out but it's been a minute since I've referenced a gitlab branch in composer and google is failing me. If you can point me to a reference here on d.o where I can tell my site to use the gitlab branch, I can help out.
I will close the github PRs.
- Status changed to RTBC
7 months ago 9:22pm 10 September 2024 - π¦πΊAustralia larowlan π¦πΊπ.au GMT+10
Reviewed all 5 MRs and they all look consistent and have the expected changes.
Thanks everyone - π¬π§United Kingdom longwave UK
Opened π Fix Twig 3 deprecations Needs review for the deprecations added here.
- Status changed to Fixed
7 months ago 10:41am 11 September 2024 - π¬π§United Kingdom catch
Committed/pushed the individual MRs from 11.x back to 10.2.x, thanks!
- πΊπΈUnited States DamienMcKenna NH, USA
Thanks everyone for getting a quick turnaround on this!
- πΊπΈUnited States caesius
Since the security vulnerability is now public, will Drupal core get a security release on-cycle next week on the 18th or might it be released sooner?
- π©πͺGermany FeyP
@caesius This fix has already been released today in 10.2.8, 10.3.4 and 11.0.3.
- π¬π§United Kingdom catch
@caesius Drupal isn't affected by the vulnerability itself, however we released off-schedule patch releases so that there's something to update to today. e.g. https://www.drupal.org/project/drupal/releases/10.2.8 β (and 10.3, 10.4, 11.0 equivalents).
- πΊπΈUnited States caesius
Ah, I didn't realize there was a new release with this since there wasn't a security advisory. Thanks!
- π³π±Netherlands bbrala Netherlands
Just so you know.
This complely broke upgrade status and the update bot. Since we now ship deprecations with core. The d11 readiness dashboard showed like +200k errors suddenly and we eventually tracked it back here.
- π¬π§United Kingdom longwave UK
@bbrala is there anything we could do to help or should have done differently?
- π¬π§United Kingdom catch
I think we probably could have updated to https://github.com/twigphp/Twig/releases/tag/v3.11.1 in 10.2 (and maybe 10.3 and 11.0) but I for one didn't know that release existed until after the commits/release here.
Automatically closed - issue fixed for 2 weeks with no activity.
- πΉπ·Turkey levendclk istanbul
I still have this issue when I upgrade the Twig module from version 3.14.0 to 3.14.1, so I reverted back to version 3.14.0.
- π¬π§United Kingdom JamesOakley Kent, UK
@levendclk, there is a fresh and different advisory for Twig < 3.14.1. https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
The issue being discussed here was composer configuration for Drupal core that wouldn't let you manually update Twig to 3.14.0 when that was the secured version. That is now fixed, you can update to 3.14.0, and as I've just verified in response to the latest vulnerability you can also update to 3.14.1.
- πΉπ·Turkey levendclk istanbul
Thank you, James. As you mentioned, itβs locked to 3.14.0 and works fine. I also want to thank you especially for the quick response.
3.41.1 exhibits bugs in Drupal. See π¬ Updating phpstan and twig via Composer generates a blank page when editing a node Active .
