View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007762 | OXID eShop (all versions) | 8. --- Twig engine --- | public | 2025-01-15 23:39 | 2025-01-20 14:46 |
Field | Value
---|---
Reporter | mboesing-tqgg
Assigned To | 
Priority | normal
Severity | feature
Reproducibility | always
Status | closed
Resolution | open
Product Version | 7.2.0
Summary | 0007762: twig-component is blocking twig/twig updates
Description | Hey there, from what I understood, the `oxid-esales/oxideshop-metapackage-*` packages are meant to lock specific Composer dependencies to the versions tested with recent releases. However, somehow, between `2.4.0` and `2.5.0` of the `oxid-esales/twig-component` releases, the twig component started to enforce `twig/twig` in version `3.8.0` (which has at least 3 vulnerabilities exposed by `composer audit`). So, the version `2.4.0` of `oxid-esales/twig-component` was requiring `twig/twig` with a proper constraint `^3.0`. From what I can see, the `2.5.0` release should have changed that constraint to `^3.8.0` if that version depends on a feature which was introduced in that version, rather than enforcing it. Are you guys considering changing this? I am aware of the hacky solution of actually replacing older dependencies with aliases in Composer. It looks to me as if OXID is encouraging developers to actually use that "feature" even though it is considered bad practice. Not only that, if that is being used, future updates are probably being prevented due to the aliasing - it's also not a good idea to hassle with Composer's SAT solver. That's why I reach out to you guys - I hope we can find a proper solution instead. Thanks in advance.
Steps To Reproduce | require `oxid-esales/twig-component`; check the `twig/twig` version (`3.8.0`)
Tags | Composer, Twig
Theme | Not defined
Browser | Not defined
PHP Version | All
Database Version | Not defined
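The report's point is that an exact pin (`3.8.0`) rejects every patched release, while a caret constraint (`^3.8.0`) admits them. The following added example (not code from the issue, from OXID, or from Composer) is a simplified Composer constraint checker that reports which patched releases a given `composer.json` constraint would block; the `composer.json` fragments and the "patched" version numbers are constructed for illustration.

```python
import json

# Constructed composer.json fragments modelled on the report: the exact pin the
# reporter describes twig-component 2.5.0 as enforcing, and the caret range the
# reporter asks for. Neither is copied from a real package manifest.
PINNED = '{"require": {"twig/twig": "3.8.0"}}'
CARET = '{"require": {"twig/twig": "^3.8.0"}}'


def _ver(text):
    """Parse 'X.Y.Z' (or 'X.Y') into a comparable tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(constraint, version):
    """Simplified Composer semantics: exact pin, caret (^) and tilde (~).

    Assumes major versions >= 1 (the ^0.x special case is not modelled)
    and ignores Composer's '||', '>=' and stability-flag syntax.
    """
    c = constraint.strip()
    v = _ver(version)
    if c.startswith("^"):
        low = _ver(c[1:])
        return low <= v < (low[0] + 1, 0, 0)      # ^X.Y.Z: < (X+1).0.0
    if c.startswith("~"):
        low = _ver(c[1:])
        if len(c[1:].split(".")) <= 2:
            return low <= v < (low[0] + 1, 0, 0)  # ~X.Y:   < (X+1).0.0
        return low <= v < (low[0], low[1] + 1, 0)  # ~X.Y.Z: < X.(Y+1).0
    return v == _ver(c)                           # bare version: exact pin


def blocked_upgrades(composer_json, package, patched_versions):
    """Return the patched releases that the package's constraint rejects."""
    constraint = json.loads(composer_json)["require"][package]
    return [p for p in patched_versions if not satisfies(constraint, p)]


if __name__ == "__main__":
    # Hypothetical later releases that would carry a security fix.
    fixes = ["3.8.1", "3.11.0"]
    print("exact pin blocks:", blocked_upgrades(PINNED, "twig/twig", fixes))
    print("caret blocks:    ", blocked_upgrades(CARET, "twig/twig", fixes))
```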
Hi @mboesing-tqgg, the twig package version 3.8 is currently locked, since newer versions aren't compatible with the shop. Our development team is aware of it and checks every new twig version to see whether we can increase the version with a newer shop release. The mentioned three vulnerabilities have in common that twig's sandbox mode must be partially active - besides other challenges. The sandbox mode itself is not supported currently and must not be used. We do plan to support it, and by that we will have technical documentation and, of course, an updated twig package without these issues.

Kind regards, Michael