
Composer audit fails due to an unexpected package version. #170

@izucken

Supposedly I am running a recent version of composer:

Running 2.8.9 (2025-05-13 14:01:37) with PHP 8.0.6 on Linux / 6.6.87.2-microsoft-standard-WSL2

(but not the most recent PHP version which may or may not play a role...)

It fails while parsing the version of a package:

In VersionParser.php line 526:
Could not parse version constraint <=3.20-test2: Invalid version string "3.20-test2"
Exception trace:
  at phar:///usr/local/bin/composer/vendor/composer/semver/src/VersionParser.php:526
 Composer\Semver\VersionParser->parseConstraint() at phar:///usr/local/bin/composer/vendor/composer/semver/src/VersionParser.php:281
 Composer\Semver\VersionParser->parseConstraints() at phar:///usr/local/bin/composer/src/Composer/Package/Version/VersionParser.php:34
 Composer\Package\Version\VersionParser->parseConstraints() at phar:///usr/local/bin/composer/src/Composer/Advisory/PartialSecurityAdvisory.php:45
 Composer\Advisory\PartialSecurityAdvisory::create() at phar:///usr/local/bin/composer/src/Composer/Repository/ComposerRepository.php:655
 Composer\Repository\ComposerRepository->Composer\Repository\{closure}() at phar:///usr/local/bin/composer/src/Composer/Repository/ComposerRepository.php:724
 Composer\Repository\ComposerRepository::Composer\Repository\{closure}() at n/a:n/a
 array_map() at phar:///usr/local/bin/composer/src/Composer/Repository/ComposerRepository.php:723
 Composer\Repository\ComposerRepository->getSecurityAdvisories() at phar:///usr/local/bin/composer/src/Composer/Repository/RepositorySet.php:276
 Composer\Repository\RepositorySet->getSecurityAdvisoriesForConstraints() at phar:///usr/local/bin/composer/src/Composer/Repository/RepositorySet.php:261
 Composer\Repository\RepositorySet->getMatchingSecurityAdvisories() at phar:///usr/local/bin/composer/src/Composer/Advisory/Auditor.php:74
 Composer\Advisory\Auditor->audit() at phar:///usr/local/bin/composer/src/Composer/Command/AuditCommand.php:80
 Composer\Command\AuditCommand->execute() at phar:///usr/local/bin/composer/vendor/symfony/console/Command/Command.php:298
 Symfony\Component\Console\Command\Command->run() at phar:///usr/local/bin/composer/vendor/symfony/console/Application.php:1040
 Symfony\Component\Console\Application->doRunCommand() at phar:///usr/local/bin/composer/vendor/symfony/console/Application.php:301
 Symfony\Component\Console\Application->doRun() at phar:///usr/local/bin/composer/src/Composer/Console/Application.php:397
 Composer\Console\Application->doRun() at phar:///usr/local/bin/composer/vendor/symfony/console/Application.php:171
 Symfony\Component\Console\Application->run() at phar:///usr/local/bin/composer/src/Composer/Console/Application.php:137
 Composer\Console\Application->run() at phar:///usr/local/bin/composer/bin/composer:98
 require() at /usr/local/bin/composer:29

By going through the dependencies one by one, I could find the package with the unexpected version: sunhater/kcfinder.

The package is fairly old and abandoned, but legacy projects may still use it. It is important to run audits for old projects as well. It may not always be possible to remove the package immediately. I don't know if it is possible to add new entries unsupported by composer to the Packagist security advisory lists.

Suggestions:

  • The version parse error could include the related package name for faster issue resolution.
  • Composer should support all kinds of tags that Packagist allows.
  • Composer audit should never fail on unexpected/broken version strings, but it could report such packages.
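As an added illustration of the behaviour the suggestions above ask for (this is example code written for this page, not Composer's or composer/semver's implementation), the following Python model accepts a simplified approximation of the version syntax Composer's VersionParser recognises, rejects the `3.20-test2` string from the trace, and runs an audit in which an advisory with an unparseable constraint is reported together with its package name while the remaining packages are still checked. The installed-package list, the advisory records and the advisory ids `EXAMPLE-0001`/`EXAMPLE-0002` are constructed sample data, not real advisories.

```python
"""Fault-tolerant advisory matching (illustrative model, not Composer's code)."""
import re
from dataclasses import dataclass, field

# Simplified approximation of the version syntax Composer accepts: optional "v",
# one to four numeric parts, optional stability suffix (alpha/beta/RC/patch),
# optional "-dev". An unknown suffix such as "-test2" is rejected, which is the
# failure the issue's trace shows for "3.20-test2".
_VERSION_RE = re.compile(
    r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?"
    r"(?:[._-]?(stable|beta|b|rc|alpha|a|patch|pl|p)((?:[.-]?\d+)*))?"
    r"([.-]?dev)?$",
    re.IGNORECASE,
)
# Ordering of stabilities, lowest first; "" is a plain stable release.
_STABILITY_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2,
                   "rc": 3, "": 4, "stable": 4, "patch": 5, "pl": 5, "p": 5}
# Comparison operators only; ^ and ~ are out of scope for this model.
_CONSTRAINT_RE = re.compile(r"^(<=|>=|<>|!=|==|<|>|=)?\s*(.+)$")
_OPS = {
    "=": lambda a, b: a == b, "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b, "<>": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def parse_version(text: str) -> tuple:
    """Return a sortable key (4 numbers, stability rank, stability number)
    for a version string, or raise ValueError like the trace in the issue."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f'Invalid version string "{text}"')
    nums = tuple(int(p) if p is not None else 0 for p in m.group(1, 2, 3, 4))
    stability = (m.group(5) or "").lower()
    stab_num = int(re.sub(r"\D", "", m.group(6) or "") or 0)
    if m.group(7):  # trailing "-dev" sorts below every other stability
        stability = "dev"
    return nums + (_STABILITY_RANK[stability], stab_num)


def constraint_matches(constraint: str, installed: tuple) -> bool:
    """Evaluate a comma-separated (ANDed) list of comparison constraints,
    e.g. ">=3.0,<3.21", against an installed version key."""
    for part in constraint.split(","):
        m = _CONSTRAINT_RE.match(part.strip())
        if not m:
            raise ValueError(f'Could not parse version constraint "{part}"')
        op, version = (m.group(1) or "="), m.group(2)
        if not _OPS[op](installed, parse_version(version)):
            return False
    return True


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)     # (package, advisory id)
    unparseable: list = field(default_factory=list)  # (package, advisory id, constraint, reason)


def audit(installed: dict, advisories: list) -> AuditResult:
    """Match installed packages against advisories. A broken constraint is
    recorded with its package name (first suggestion) and the audit moves on
    to the next advisory instead of aborting the whole run (third suggestion).
    "|" separates alternative ranges, "," ANDs constraints within a range."""
    result = AuditResult()
    for adv in advisories:
        pkg, adv_id, ranges = adv["packageName"], adv["advisoryId"], adv["affectedVersions"]
        if pkg not in installed:
            continue
        try:
            installed_key = parse_version(installed[pkg])
        except ValueError as exc:
            result.unparseable.append((pkg, adv_id, installed[pkg], str(exc)))
            continue
        matched = False
        for alt in ranges.split("|"):
            try:
                matched = constraint_matches(alt, installed_key) or matched
            except ValueError as exc:
                # Every broken alternative is reported, even when another one matched.
                result.unparseable.append((pkg, adv_id, alt.strip(), str(exc)))
        if matched:
            result.findings.append((pkg, adv_id))
    return result


# Constructed sample data (not real advisories; ids are placeholders).
INSTALLED = {"sunhater/kcfinder": "3.20", "acme/widgets": "2.4.1"}
ADVISORIES = [
    {"packageName": "sunhater/kcfinder", "advisoryId": "EXAMPLE-0001",
     "affectedVersions": "<=3.20-test2"},
    {"packageName": "acme/widgets", "advisoryId": "EXAMPLE-0002",
     "affectedVersions": ">=2.0,<2.5|>=3.0,<3.0.2"},
]

if __name__ == "__main__":
    res = audit(INSTALLED, ADVISORIES)
    for pkg, adv_id in res.findings:
        print(f"VULNERABLE  {pkg}: {adv_id}")
    for pkg, adv_id, raw, reason in res.unparseable:
        print(f"UNCHECKED   {pkg}: {adv_id} has constraint {raw!r} ({reason})")
```

The point of the `UNCHECKED` lines is that tolerating a broken advisory is only safe when it is visible: skipping the advisory silently would turn a parser defect into a missed finding, so the skipped package is listed next to the real findings and the caller can decide whether an unchecked advisory should fail the build.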
