public-mirrors
/
composer
mirror of https://github.com/composer/composer
1
0
Fork 0
Code

Fix root aliases causing problems when auditing locked dependencies, fixes #11771

pull/11688/head
Jordi Boggiano 2024-02-07 11:37:50 +01:00
parent fa040131b0
commit 0c99bfc8fd
No known key found for this signature in database
GPG Key ID: 7BBD42C429EC80BC
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/Composer/Repository/RepositorySet.php
View File

@ -30,6 +30,7 @@ use Composer\Semver\Constraint\Constraint;
use Composer\Semver\Constraint\ConstraintInterface; use Composer\Semver\Constraint\ConstraintInterface;
use Composer\Package\Version\StabilityFilter; use Composer\Package\Version\StabilityFilter;
use Composer\Semver\Constraint\MatchAllConstraint; use Composer\Semver\Constraint\MatchAllConstraint;
use Composer\Semver\Constraint\MultiConstraint;
/** /**
* @author Nils Adermann <naderman@naderman.de> * @author Nils Adermann <naderman@naderman.de>
@ -245,7 +246,15 @@ class RepositorySet
{ {
$map = []; $map = [];
foreach ($packages as $package) { foreach ($packages as $package) {
$map[$package->getName()] = new Constraint('=', $package->getVersion()); // ignore root alias versions as they are not actual package versions and should not matter when it comes to vulnerabilities
if ($package instanceof AliasPackage && $package->isRootPackageAlias()) {
continue;
}
if (isset($map[$package->getName()])) {
$map[$package->getName()] = new MultiConstraint([new Constraint('=', $package->getVersion()), $map[$package->getName()]], false);
} else {
$map[$package->getName()] = new Constraint('=', $package->getVersion());
}
} }
return $this->getSecurityAdvisoriesForConstraints($map, $allowPartialAdvisories); return $this->getSecurityAdvisoriesForConstraints($map, $allowPartialAdvisories);