Security advisories¶
Ibexa security advisories¶
Ibexa security advisories are released via your Service portal, and via Security advisories. The latter is available to non-subscribers.
Package security advisories¶
Overall, it's recommended to keep your Composer packages up to date.
You can run the following command to check for available updates without installing them:
1 | |
When a security issue is discovered in a Composer package, a security advisory is issued, and the affected versions of the package become blocked from installation unless you take action.
When installing or updating, Composer avoids installing packages that are affected by security advisories. However, this can create constraint issues that make installation or updates impossible. For example, security fixes might not be available for unsupported PHP versions.
Example of a Composer output about a package with security issues when trying to install:
1 | |
Composer's output isn't always this verbose about security advisories blocking installation or updates.
For example, imagine this error appeared recently when trying to install Ibexa DXP 4.6 on PHP 7.4:
1 2 | |
It worked before. You can check packagist.org, or an already running instance of Ibexa DXP, to see which version of this package was previously accepted.
In this example, twig/twig v3.11.3 matches the constraints ^3.0 and PHP 7.4 >=7.2.5.
1 2 3 4 5 | |
It's highly recommended that you not install the affected package, and instead meet the requirements of the fixed version.
You can use the https://packagist.org/security-advisories/ resource to learn more about a security advisory, such as the affected packages and versions, a detailed description of the issue, and other possible reference IDs for the advisory: PKSA (Packagist Security Advisory), GHSA (GitHub Security Advisories), and CVE (Common Vulnerabilities and Exposures).
If you need to, upgrade PHP and migrate your custom code to be compatible with the newer PHP version, for example by using Rector.
If updating the affected package isn't possible, carefully review the security issue and assess the risk.
If you choose to implement countermeasures instead of upgrading, you can ignore the security advisory.
We recommend using Composer's config.policy.advisories.ignore-id setting, providing for each entry the reason why you consider it safe to ignore.
This way, you'll still be warned if the package is affected by a new security advisory.
1 2 3 4 5 6 7 8 9 10 11 12 | |