From 40536cb90bf2b36e9725f78d5a0b34e03cfdce1f Mon Sep 17 00:00:00 2001 From: Thomas Hohn Date: Thu, 8 Feb 2024 12:06:45 +0100 Subject: [PATCH] [TASK] Replace former extension packages using self.version The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: https://github.com/Roave/SecurityAdvisories/issues/127#issuecomment-1933647035 [1] https://getcomposer.org/doc/04-schema.md#replace [2] https://github.com/advisories/GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863 Tested-by: Oliver Klee Tested-by: Oliver Hader Tested-by: core-ci Tested-by: Benjamin Franzke Reviewed-by: Oliver Klee Reviewed-by: Oliver Hader Reviewed-by: Benjamin Franzke
---
 composer.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/composer.json b/composer.json
index 1564f38018..c585e5869a 100644
--- a/composer.json
+++ b/composer.json
@@ -90,9 +90,9 @@
 "typo3/cms": "*"
 },
 "replace": {
- "typo3/cms-lang": "*",
- "typo3/cms-saltedpasswords": "*",
- "typo3/cms-sv": "*"
+ "typo3/cms-lang": "self.version",
+ "typo3/cms-saltedpasswords": "self.version",
+ "typo3/cms-sv": "self.version"
 },
 "provide": {
 "psr/http-factory-implementation": "1.0",
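Review bot: The three `replace` entries are fixed only in the root `composer.json` (the diffstat shows one file). Any separately published package manifest that still declares `"typo3/cms-lang": "*"`, `"typo3/cms-saltedpasswords": "*"` or `"typo3/cms-sv": "*"` would keep matching advisory ranges for the replaced packages. Whether such manifests exist cannot be seen from this patch, so it is worth confirming that none of them still carries the wildcard and switching any that do to `"self.version"` in the same change. Because strict JSON cannot hold a comment explaining the constraint, a CI lint that rejects `"*"` inside any `replace` block would keep the wildcard from being reintroduced. The `replace` object itself is complete in the hunk, but the enclosing document continues outside it.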