Unrelated `conflict` changes (`typo3/cms-*` vs. `mediawiki/semantic-media-wiki`)

[ohader]

Description

The package typo3/cms-saltedpasswords <0.2.13 suddenly is marked as insecure and blocks the installation the typo3/cms-core package (due to having a replaces declaration for typo3/cms-saltedpasswords: * in typo3/cms-core).

Observation

A bunch of changes were committed recently to roave/security-advisories - where the conflict declaration does not match with the actual original commit in sensiolabs/security-advisories, for instance:

• 5801157
  changes conflict for typo3/cms-saltedpasswords, original commit is about mediawiki/semantic-media-wiki (FriendsOfPHP/security-advisories@baf9dd7)
• b5487e1
  changes conflict for typo3/cms-frontend, typo3/cms-backend and typo3/cms-install, original commit is about mediawiki/semantic-media-wiki (FriendsOfPHP/security-advisories@baf9dd7)
• 1692fcb
  changes conflict for typo3/cms-frontend, original commit is about mediawiki/semantic-media-wiki (FriendsOfPHP/security-advisories@baf9dd7)

CLI commands used to reproduce the behavior

composer req --dev roave/security-advisories:dev-latest

./composer.json has been created
Running composer update roave/security-advisories
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
  - Locking roave/security-advisories (dev-latest b5487e1)
[...]

composer req typo3/cms-core:^12.4

./composer.json has been updated
Running composer update typo3/cms-core
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.7.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.6.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.5.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.3.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.2.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.1.
    - roave/security-advisories dev-latest conflicts with typo3/cms-core v12.4.0.
    - roave/security-advisories dev-latest conflicts with typo3/cms-saltedpasswords <0.2.13 (typo3/cms-core v12.4.10 replaces typo3/cms-saltedpasswords *).
    - roave/security-advisories dev-latest conflicts with typo3/cms-saltedpasswords <0.2.13 (typo3/cms-core v12.4.9 replaces typo3/cms-saltedpasswords *).
    - roave/security-advisories dev-latest conflicts with typo3/cms-saltedpasswords <0.2.13 (typo3/cms-core v12.4.8 replaces typo3/cms-saltedpasswords *).
    - roave/security-advisories is locked to version dev-latest and an update of this package was not requested.
    - Root composer.json requires typo3/cms-core ^12.4 -> satisfiable by typo3/cms-core[v12.4.0, ..., v12.4.10].

[Ocramius]

See:

• Issues/451 Add advisory information to a commit messages SecurityAdvisoriesBuilder#459
• Include advisory source in new security advisory commits SecurityAdvisoriesBuilder#451

This repo only tracks the advisories: check https://github.com/advisories for the latest updates.

[Ocramius]

typo3/cms-core should not replace with a deathstar range there: self.version or something more precise should be used to avoid affected version ranges.

[ohader]

For the records: A recent change at GitHub "hallucinated" a Composer package, which caused this behavior (side-note: the original advisory was from 2010, Composer was established in 2012 - two years later).
→ GitHub advisory change: github/advisory-database@b403b05