Task Security Enlightn will now only tell what composer packages ha…
#30
Conversation
…ve security issues, but will not block the passing of the testing suite.
|
|
||
| ## 2.19.2 | ||
| ### Fixed | ||
| - Task `Security Enlightn` will now only tell what composer packages have security issues, but will not block |
There was a problem hiding this comment.
Can you share why we don't want this to block anymore?
There was a problem hiding this comment.
I now get the error that magento has a security issue if a new patch is released or if we have clients with older magento versions.
Like this for example:
magento/product-community-edition (2.4.4)
- CVE-2024-34102: Arbitrary Code Execution through Improper Restriction of XML External Entity Reference (XXE) vulnerability
https://helpx.adobe.com/security/products/magento/apsb24-40.html
|
|
||
| ## 2.19.2 | ||
| ### Fixed | ||
| - Task `Security Enlightn` will now only tell what composer packages have security issues, but will not block |
There was a problem hiding this comment.
This was not broken AFAIK, so to me this feels like a (breaking) change, of which I'm not sure if we want to apply this. To my understanding people can also opt out of this in their local/project configuration
If we want this to happen I think this should be in 3.0 as until now we trust our systems to stop working once a a security issue is found.
I Don't think we should lower our barriers for those that want to run insecure code
There was a problem hiding this comment.
Alright than i will close this pr and let people resolve it within their projects.
|
@rutgerrademaker I will be working on v3 through the DO1 project, let's discuss whether we want to include this commit or not. |
…ve security issues, but will not block
the passing of the testing suite.