[TASK] Replace former extension packages using self.version

The so called "death star" range for replacements has to be used with caution [1] as it replaces all versions of the replaced packages, including old or insecure versions. That effectively means the replacing package marks itself as matching in queries for insecure versions, once a security advisory[2] is submitted for the replaced packages. The extension replacements are now adapted to use the more precise self.version qualifier to avoid matching named security advisories as suggested by: Roave/SecurityAdvisories#127 (comment) [1] https://getcomposer.org/doc/04-schema.md#replace [2] GHSA-cgr9-h9qq-x9fx Resolves: #103082 Releases: main, 13.0, 12.4, 11.5 Change-Id: I6353df15d6cbf039bab60644a103669495b26605 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82841 Tested-by: core-ci <[email protected]> Tested-by: Benjamin Franzke <[email protected]> Reviewed-by: Benjamin Franzke <[email protected]>
TYPO3-CMS · Feb 9, 2024 · 50c6a83 · 50c6a83
1 parent 514dac0
commit 50c6a83
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/composer.json b/composer.json
@@ -90,9 +90,9 @@
 		"typo3/cms": "*"
 	},
 	"replace": {
-		"typo3/cms-lang": "*",
-		"typo3/cms-saltedpasswords": "*",
-		"typo3/cms-sv": "*"
+		"typo3/cms-lang": "self.version",
+		"typo3/cms-saltedpasswords": "self.version",
+		"typo3/cms-sv": "self.version"
 	},
 	"provide": {
 		"psr/http-factory-implementation": "1.0",