This release also includes two security fixes. These patches have been backported to Silverstripe CMS Recipe if you’re not quite ready to upgrade to 4.9.0.
Unfortunately, trying to require these in the root composer.json doesn’t work because of the inflexible requirements from the pre-4.9 recipe-cms. So, at present, one would have to eject from the recipe to get the security updates. Hence my question about a point update to the 4.8 series of the recipe.
Example:
silverstripe/recipe-cms 4.8.0 requires silverstripe/admin 1.8.0@stable -> found silverstripe/admin[1.8.0] but it conflicts with your root composer.json require (^1.8.1)
Ah… came here because I have exactly the same problem.
And additionally, was trying to find out what the ‘@stable’ would mean in this context ("silverstripe/recipe-cms": "~4.9.0@stable"). What would mark a release as stable?
@stable disallows anything that’s marked alpha, beta, dev, RC, or the like. It overrides any laxity your composer.json may have in minimum-stability or prefer-stable.
Thnx. I assumed the @stable was preventing the 1.8.0 > 1.8.1 update. And thus curious how this 1.8.1 tag in silverstripe-admin would be marked as stable (as I couldn’t find anything about it in the repo). But now I came to understand that the restrictions in the requirements of silverstripe/recipe-cms are the problem.
I tried to fork it and make a 4.8.1 tag on my own branch, but that didn’t resolve to a set of installable packages either, unfortunately. But might have missed something in the process… Commits · hamaka/recipe-cms · GitHub
Glad to see it’s been remedied. Now I have only 2 projects in which to unwind ejecting from the recipe, which had been my approach to get the security updates without launching 4.9 just yet.
Edit: Oh, I see that’s not the official repository. I hope the Silverstripe team will follow suit soon!
We didn’t release a new recipe-cms 1.8 version because the two vulnerabilities didn’t have a high enough impact to warrant a full release.
If you don’t want to inline recipe-cms, but still want to install a newer patch release, you can use aliases.
"require": {
    "silverstripe/recipe-cms": "4.8.0",
    "silverstripe/admin": "1.8.1 as 1.8.0"
}
Going forward, this won’t be an issue anymore because recipe-cms and recipe-core 4.9.0 now ship with a ~ constraint, which allows you to install a later patch release.
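A check to run after applying the alias, added here as an example and not part of the thread or of Silverstripe's code: it reads the `packages` and `aliases` sections of `composer.lock` and confirms that the version actually installed is the patched one, even though the solver was told it is 1.8.0. The lock excerpt is constructed sample data, the helper names are hypothetical, and the minimum of 1.8.1 is taken from the `^1.8.1` requirement in the error message above.

```python
import json

# Constructed excerpt of a composer.lock after applying the alias (sample data).
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "silverstripe/admin", "version": "1.8.1"},
    {"name": "silverstripe/recipe-cms", "version": "4.8.0"}
  ],
  "aliases": [
    {"package": "silverstripe/admin", "version": "1.8.1.0",
     "alias": "1.8.0", "alias_normalized": "1.8.0.0"}
  ]
}
""")


def parse_version(text):
    """Turn '1.8.1', 'v1.8.1' or '1.8.1.0' into a comparable (1, 8, 1) tuple.
    Assumes plain numeric stable versions; dev/RC suffixes raise ValueError."""
    parts = text.lstrip("v").split(".")[:3]
    return tuple(int(p) for p in parts)


def check_patched(lock, package, minimum):
    """Report the version really installed for `package`, whether it meets
    `minimum`, and which alias (if any) it is presented as to the solver."""
    installed = next(
        (p["version"] for p in lock.get("packages", []) if p["name"] == package),
        None,
    )
    if installed is None:
        return {"installed": None, "patched": False, "aliased_as": None}
    aliased_as = next(
        (a["alias"] for a in lock.get("aliases", [])
         if a["package"] == package
         and parse_version(a["version"]) == parse_version(installed)),
        None,
    )
    return {
        "installed": installed,
        "patched": parse_version(installed) >= parse_version(minimum),
        "aliased_as": aliased_as,
    }


if __name__ == "__main__":
    print(check_patched(SAMPLE_LOCK, "silverstripe/admin", "1.8.1"))
```

To use it on a real project, replace `SAMPLE_LOCK` with `json.load(open("composer.lock"))`.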
Thanks for letting me know it’s been resolved. With this, I am left with only 2 projects that need to be unwound before ejecting from the recipe, which is the approach I used to obtain the security updates without launching 4.9.
That doesn’t seem to be the official repository I see. It will be great to see the Silverstripe team following suit shortly!