Implications of removing roave/security-advisories?

I’m building a plugin that requires google/apiclient:2.8.1 but in order to install it I’ve had to remove roave/security-advisories because of the following conflict:

  Problem 1
    - Root composer.json requires google/apiclient 2.8.1 -> satisfiable by google/apiclient[v2.8.1].
    - google/apiclient v2.8.1 requires firebase/php-jwt ~2.0||~3.0||~4.0||~5.0 -> satisfiable by firebase/php-jwt[2.0.0, v2.1.0, v2.2.0, v3.0.0, v4.0.0, v5.0.0, ..., v5.5.1].
    - roave/security-advisories dev-master conflicts with firebase/php-jwt v5.5.1.
    - roave/security-advisories dev-master conflicts with firebase/php-jwt v2.2.0.
    - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

I also had to remove another package, but that’s a side issue and not as relevant because we no longer require that functionality. However, I’m just wondering:

  1. If anyone can suggest a workaround to keep roave/security-advisories or
  2. If not, what are the implications I should be aware of?

Much appreciated.

This conflict is roave doing its job: those versions of firebase/php-jwt seem to have security advisories against them.

You could probably get it to work by explicitly requiring a version of firebase/php-jwt which does not have a security advisory, since the API client’s requirements are pretty broad. If that’s somehow not an option, or you just want to live dangerously and install packages with known security issues (not recommended), you may be able to explicitly require a version of firebase/php-jwt with an alias to a “safe” version. Using a package you know has a security problem is not a great idea, though.
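The first suggestion above, as an added composer.json fragment that is not part of the original post: keep roave/security-advisories in the root requirements and add an explicit constraint on firebase/php-jwt so the solver is forced onto a release with no advisory. The thread does not name which release that is, so the constraint below is a placeholder to be replaced with a version roave does not conflict with; google/apiclient 2.8.1 and roave dev-master are the values from the question.

```json
{
    "require": {
        "google/apiclient": "2.8.1",
        "firebase/php-jwt": "SAFE_VERSION_PLACEHOLDER",
        "roave/security-advisories": "dev-master"
    }
}
```

Before settling on a version, `composer prohibits firebase/php-jwt <version>` (alias `why-not`) reports which root requirement, roave included, blocks that release, so you can confirm the candidate is clean instead of dropping roave.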
