[6.x] Bump framework version to include SQL server security fix #5602

Status: Merged (1 commit), Apr 29, 2021

Conversation

netpok (Contributor) commented Apr 29, 2021

Security advisory: GHSA-4mg9-vhxq-vm7j

to include SQL server security fix for GHSA-4mg9-vhxq-vm7j
@GuidoHendriks commented

What does that solve? You already get a higher version if you create a new app or update.

netpok (Contributor, Author) commented Apr 29, 2021

This locks the minimum version, so there shouldn't be a chance to install a lower version unless you manually modify it. Generally you're right, and it should install a newer version.

But locking the minimum version to non-vulnerable versions is still a good practice and was usually done in Laravel too (see #5354). Also, this only affects newly created projects, so there are no backward compatibility issues.

For example, if you install my/package via Composer, which needs illuminate/support: 6.20.15, then Composer will install that version of the framework even though there are newer versions available. This way it won't install that package unless you manually allow it by lowering the version constraint.
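The version-constraint behaviour described in the exchange above, as an added worked example that is not code from the laravel/laravel repository or from either commenter: a small Python model of how Composer chooses among available versions, enough to show why a higher floor in composer.json turns a transitive pin on an older build into a conflict instead of a silent downgrade. Everything in it is an assumption for illustration: the available-version list is a constructed subset, the floors ^6.20.12 and ^6.20.26 stand in for the old and the bumped constraint (the page does not show the actual numbers, and 6.20.26 is treated as the first fixed version only within this model), and a requirement on illuminate/support is treated as a requirement on laravel/framework because the framework package replaces the illuminate/* split packages.

```python
"""Toy model of Composer's version selection for laravel/framework.

Added example, not Composer's solver and not laravel/laravel code. Labelled
assumptions: AVAILABLE is a constructed list, the "^6.20.12" / "^6.20.26"
floors are placeholders for the old and bumped constraint, PATCHED is a
placeholder for the first fixed version, and an illuminate/support pin is
modelled as a laravel/framework pin (the framework replaces illuminate/*).
"""


def parse_version(v: str) -> tuple:
    """'6.20.15' -> (6, 20, 15); short versions such as '6.20' are zero-padded."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def caret_upper_bound(low: tuple) -> tuple:
    """Exclusive upper bound of a caret constraint: bump the first non-zero
    component and reset the rest, e.g. ^6.20.12 -> <7.0.0, ^0.3 -> <0.4.0."""
    for i, part in enumerate(low):
        if part != 0:
            return low[:i] + (part + 1,) + (0,) * (len(low) - i - 1)
    return low  # ^0.0.0 is degenerate; matches nothing


def satisfies(version: str, constraint: str) -> bool:
    """Does one version meet one constraint? Supports ^x.y.z, >=x.y.z and exact pins."""
    ver = parse_version(version)
    c = constraint.strip()
    if c.startswith("^"):
        low = parse_version(c[1:])
        return low <= ver < caret_upper_bound(low)
    if c.startswith(">="):
        return ver >= parse_version(c[2:])
    return ver == parse_version(c)  # exact pin such as "6.20.15"


def resolve(available, constraints):
    """Highest available version satisfying every constraint, or None on conflict.
    Composer likewise prefers the newest matching version and aborts on conflict."""
    candidates = [v for v in available if all(satisfies(v, c) for c in constraints)]
    return max(candidates, key=parse_version) if candidates else None


# Constructed subset of 6.x tags for the model; not a query of Packagist.
AVAILABLE = ["6.20.12", "6.20.15", "6.20.20", "6.20.26", "6.20.27"]
# Placeholder: treated as the first fixed version inside this model only.
PATCHED = "6.20.26"


def install_outcome(root_floor, extra_constraints=()):
    """Return (resolved_version, below_patched) for a root composer.json floor
    plus whatever requirements the rest of the dependency tree contributes."""
    chosen = resolve(AVAILABLE, [root_floor, *extra_constraints])
    if chosen is None:
        return None, False  # conflict: nothing is installed
    return chosen, parse_version(chosen) < parse_version(PATCHED)


if __name__ == "__main__":
    # Fresh project, old floor, no pinning dependency: newest 6.x is picked.
    print(install_outcome("^6.20.12"))                # ('6.20.27', False)
    # my/package pins illuminate/support 6.20.15 (modelled as a framework pin):
    # the old floor lets that older build in without complaint.
    print(install_outcome("^6.20.12", ["6.20.15"]))   # ('6.20.15', True)
    # Bumped floor: the pin now conflicts, so Composer refuses rather than downgrading.
    print(install_outcome("^6.20.26", ["6.20.15"]))   # (None, False)
```

The three calls at the bottom walk through the thread's scenarios in order: with no pinning dependency the old floor already yields the newest release, which is the point made in the question; with a dependency pinning 6.20.15 the old floor resolves to that build below the model's fixed version, while the bumped floor makes the same pin unresolvable, so the only way to end up on the older build is to lower the constraint by hand.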

@taylorotwell merged commit 5c137aa into laravel:6.x Apr 29, 2021
@netpok deleted the bump-version-6.x branch April 30, 2021 11:25