Breaking change cakephp/database #17624
Comments
There's no
Which CVE? I'm not aware of any recent CVEs being reported.
Was not recent but from last year:
I don't have the full trace anymore since I patched the orm package later. The initial error was NOTICE: PHP message: PHP Fatal error: Uncaught Error: Undefined constant Cake\Database\Connection::ROLE_WRITE in /app/vendor/cakephp/database/Connection.php:189
Since your app has the orm package as a dependency, the database package is an indirect dependency, which you updated by itself instead of updating the orm. I am unaware of any way we could specify the package deps to avoid this problem. You can only make composer auto update the dependencies of a package, not update its ancestor packages.
So the issue is users are updating individual packages and composer.json in cakephp/orm allows all 4.x versions of those packages?
@othercorey Yes
The only solution might be replacing the versions in composer.json from the release script when tagging.
Well there is not a dependency from database to orm. So technically they are standalone packages?
So it just is a breaking change if it is not defined. The library is able to be installed standalone. If not then why is it a separate package at all?
The That said we are looking into limiting the dependencies of standalone packages to the same minor version for Cake dependencies to reduce the chances of version mismatch issues.
Description
Hey,
I noticed a breaking change in the upgrade of cakephp/database. Composer audit notified me of a CVE in the lib. I updated the package which gave me the 4.5.4 one in my composer.lock.
This results in my app giving exceptions on missing WRITE_ALL constants. This indicates to me that there is a breaking change since this bump is a minor.
After updating cakephp/orm to 4.5.4 as well, the issue is resolved. This indicates to me that the constraints are not really ok here since it is an independent package.
I understand that you can't revert stuff and can't do anything about it. But I think it is good to raise this to let you know.
Best
Pim
CakePHP Version
4.4.x
PHP Version
8.1
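The mismatch discussed in this thread (cakephp/database updated to 4.5.4 on its own while cakephp/orm stayed on an older minor) can be caught from composer.lock before deploying a single-package security update. The following is an added example, not code from CakePHP or from anyone in the thread; the function names, the `LOCKSTEP` set and the sample lock data are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Packages expected to share a minor version. Only the two packages named in
# this thread are listed; extending the set is an assumption left to the reader.
LOCKSTEP = {"cakephp/database", "cakephp/orm"}


def minor_of(version):
    """Return (major, minor) from a lock-file version such as '4.5.4' or 'v4.5.4'."""
    m = re.match(r"v?(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_minor_mismatch(lock_text, lockstep=LOCKSTEP):
    """Group lockstep packages by (major, minor); return {} when they all agree."""
    lock = json.loads(lock_text)
    groups = defaultdict(list)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") not in lockstep:
                continue
            key = minor_of(pkg.get("version", ""))
            if key is None:  # dev branch or other unparseable version string
                key = ("unparsed", pkg.get("version"))
            groups[key].append(pkg["name"])
    return dict(groups) if len(groups) > 1 else {}


# Constructed sample: database bumped alone, orm left on an older minor.
# The orm and psr/log version numbers are made up for the sample.
SAMPLE_MISMATCH = json.dumps({"packages": [
    {"name": "cakephp/database", "version": "4.5.4"},
    {"name": "cakephp/orm", "version": "4.4.0"},
    {"name": "psr/log", "version": "3.0.0"},
]})
# Constructed sample: both packages updated together.
SAMPLE_ALIGNED = json.dumps({"packages": [
    {"name": "cakephp/database", "version": "4.5.4"},
    {"name": "cakephp/orm", "version": "v4.5.4"},
]})

if __name__ == "__main__":
    for label, text in (("mismatch", SAMPLE_MISMATCH), ("aligned", SAMPLE_ALIGNED)):
        print(label, find_minor_mismatch(text) or "all lockstep packages share one minor")
```

Run against the real composer.lock in CI after applying a `composer audit` fix; a non-empty result means one of the listed packages was updated without the others.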