Breaking change cakephp/database #17624

Open
pimjansen opened this issue Mar 12, 2024 · 10 comments

@pimjansen

Description

Hey,

I noticed a breaking change in the upgrade of cakephp/database. Composer audit notified me of a CVE in the lib. I updated the package, which gave me 4.5.4 in my composer.lock.

This results in my app throwing exceptions on missing WRITE_ALL constants. This indicates to me that there is a breaking change, since this bump is a minor one.

After updating cakephp/orm to 4.5.4 as well, the issue is resolved. This indicates to me that the constraints are not really OK here, since it is an independent package.

I understand that you can't revert stuff and can't do anything about it, but I think it is good to raise this to let you know.

Best
Pim

CakePHP Version

4.4.x

PHP Version

8.1

@ADmad
Member

ADmad commented Mar 12, 2024

There's no WRITE_ALL constant in either cakephp/database or cakephp/orm packages in 4.x. Please provide the file and line number where the error was generated and preferably the full stack trace.

@ADmad ADmad added this to the 4.5.5 milestone Mar 12, 2024
@markstory
Member

> Composer audit notified me of a CVE in the lib.

Which CVE? I'm not aware of any recent CVEs being reported.

@pimjansen
Author

pimjansen commented Mar 12, 2024

> Composer audit notified me of a CVE in the lib.
>
> Which CVE? I'm not aware of any recent CVEs being reported.

It was not recent, but from last year:

+-------------------+----------------------------------------------------------------------------------+
| Package           | cakephp/database                                                                 |
| Severity          | critical                                                                         |
| CVE               | CVE-2023-22727                                                                   |
| Title             | CakePHP Database\\Query::offset() and limit() methods are vulnerable to SQL      |
|                   | injection                                                                        |
| URL               | https://github.com/advisories/GHSA-6g8q-qfpv-57wp                                |
| Affected versions | >=4.4.0,<4.4.10|>=4.3.0,<4.3.11|>=4.2.0,<4.2.12                                  |
| Reported at       | 2023-01-20T17:30:20+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

@pimjansen
Author

> There's no WRITE_ALL constant in either cakephp/database or cakephp/orm packages in 4.x. Please provide the file and line number where the error was generated and preferably the full stack trace.

I don't have the full trace anymore since I patched the orm package later. The initial error was:

    NOTICE: PHP message: PHP Fatal error: Uncaught Error: Undefined constant Cake\Database\Connection::ROLE_WRITE in /app/vendor/cakephp/database/Connection.php:189

@ADmad
Member

ADmad commented Mar 12, 2024

Since your app has the orm package as a dependency, the database package is an indirect dependency, which you updated by itself instead of updating the orm.

I am unaware of any way we could specify the package deps to avoid this problem. You can only make composer auto-update the dependencies of a package, not update its ancestor packages.

@othercorey
Member

So the issue is that users are updating individual packages, and composer.json in cakephp/orm allows all 4.x versions of those packages?

@ADmad
Member

ADmad commented Mar 13, 2024

@othercorey Yes

@othercorey
Member

The only solution might be replacing the versions in composer.json from the release script when tagging.

@pimjansen
Author

Well, there is no dependency from database to orm. So technically they are standalone packages?

    "require": {
        "php": ">=7.2.0",
        "cakephp/core": "^4.0",
        "cakephp/datasource": "^4.0"
    },

So it just is a breaking change if it is not defined. The library can be installed standalone. If not, then why is it a separate package at all?

@ADmad
Member

ADmad commented Mar 13, 2024

cakephp/database can be used standalone too, but you are using cakephp/orm, not just cakephp/database, and the latter is a dependency of cakephp/orm. You tried updating the indirect dependency instead of updating your app's direct dependency, which is cakephp/orm, causing the problem.

That said, we are looking into limiting the dependencies of standalone packages to the same minor version for Cake dependencies, to reduce the chances of version-mismatch issues.
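The failure mode discussed in this thread, as an added example that is not CakePHP's code: a check over a constructed composer.lock excerpt that flags cakephp/* packages whose major.minor has drifted from their siblings, plus a minimal model of why `^4.0` permits the drift while a same-minor pin such as `~4.4.0` would not. The lock contents and the `~4.4.0` constraint are assumptions for illustration.

```python
"""Added example (not CakePHP code): flag a split-minor upgrade in composer.lock.
LOCK_JSON is constructed to mirror the issue: `composer update cakephp/database`
pulled 4.5.4 while cakephp/orm stayed on 4.4.x, which orm's "^4.0" permits."""
import json

# Constructed composer.lock excerpt; only the fields this check reads are kept.
LOCK_JSON = """{"packages": [
  {"name": "cakephp/core",       "version": "4.4.18"},
  {"name": "cakephp/datasource", "version": "4.4.18"},
  {"name": "cakephp/database",   "version": "4.5.4",
   "require": {"cakephp/core": "^4.0", "cakephp/datasource": "^4.0"}},
  {"name": "cakephp/orm",        "version": "4.4.18",
   "require": {"cakephp/database": "^4.0", "cakephp/datasource": "^4.0"}}
]}"""

def parse_version(version):
    """'4.5.4' or 'v4.5' -> (major, minor, patch); missing parts become 0."""
    parts = [int(p) for p in version.lstrip("v").split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, constraint):
    """Composer semantics for the shapes in this thread: ^X.Y.Z allows any later
    minor of the major (>=X.Y.Z <(X+1).0.0; a 0.x major stays within its minor);
    ~X.Y.Z allows patch releases of one minor only (<X.(Y+1).0); ~X.Y acts like ^."""
    op, base = constraint[0], constraint[1:]
    low = parse_version(base)
    next_major, next_minor = (low[0] + 1, 0, 0), (low[0], low[1] + 1, 0)
    if op == "^":
        high = next_minor if low[0] == 0 else next_major
    elif op == "~":
        high = next_minor if base.count(".") >= 2 else next_major
    else:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    return low <= parse_version(version) < high

def split_minor_packages(lock_json, vendor="cakephp/"):
    """Vendor packages whose major.minor differs from the vendor's majority
    major.minor in the lock -> {name: version}; an empty dict means consistent."""
    pkgs = {p["name"]: p["version"] for p in json.loads(lock_json)["packages"]
            if p["name"].startswith(vendor)}
    minors = [parse_version(v)[:2] for v in pkgs.values()]
    baseline = max(set(minors), key=minors.count)
    return {n: v for n, v in pkgs.items() if parse_version(v)[:2] != baseline}

if __name__ == "__main__":
    print(split_minor_packages(LOCK_JSON))   # {'cakephp/database': '4.5.4'}
    print(satisfies("4.5.4", "^4.0"))        # True: orm's constraint lets the minor drift
    print(satisfies("4.5.4", "~4.4.0"))      # False: a same-minor pin would refuse it
```

Running the lock check in CI after `composer audit`-driven updates catches the split before the `Undefined constant` error does.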

@markstory markstory modified the milestones: 4.5.5, 4.5.6 May 3, 2024