| Composer Upgrade |
Does anyone have advice?
I have just installed a new instance of codeigniter 4 using composer. Code: composer create-project codeigniter4/appstarter myprojectI understand this method will install the latest version of Codeigniter, however my the Debug Toolbar states version 4.05 is installed I then run Code: php builds releaseTo ensure I am pointing to the correct repository I then run Code: composer updateBut composer reports "composer update Loading composer repositories with package information Info from https://repo.packagist.org: #StandWithUkraine Updating dependencies Nothing to modify in lock file Installing dependencies from lock file (including require-dev) Nothing to install, update or remove" Is there something else I need to do? Many thanks.
It seems you are doing right thing.
Code: bash-3.2$ composer create-project codeigniter4/appstarter myprojectCode: bash-3.2$ cd myproject/
Many thanks.
I'm just suprised the composer install is installing 4.05 instead of 4.2x . It seems the installer is lagging a long way behind? Again Thanks
No, it is not the installer, but probably your PHP version is behind.
v4.0.5 is the last version of v4.0.x. v4.1 requires PHP 7.3 or later. https://codeigniter4.github.io/CodeIgnit...4.1.0.html v4.2 requires PHP 7.4 or later. https://codeigniter4.github.io/CodeIgnit...4.2.0.html
Many thanks for your help.
My server is using php 7.4, however, I am using a shared hosting solution. I have double checked my php server extensions (I put together the original shared hosting document for this forum with jreklund) and all seems intact. That said would there be any new PHP extensions that need to be enabled/disabled. From memory the shared hosting document was created a number of PHP versions ago! Unfortunately, I do not posess the knowlede to know what PHP extensuios should be enabled/disabled. However, I can share my current PHP configuration with someone that does know, and then provide the necessary feedback to update shared hosting document on this forum. Again you help is very much appreciated. Update... I have installed another instance of ci4 using composer then run Code: composer updateThe update command is reporting ecurity vulnerability advisories (see below) but when I investigate this on github, I see (for example) you patched a fix for CVE-2022-24711 I'm seriously confused :-) composer returns----- Package phpunit/php-token-stream is abandoned, you should avoid using it. No replacement was suggested. Generating autoload files 21 packages you are using are looking for funding. Use the `composer fund` command to find out more! Found 5 security vulnerability advisories affecting 1 package. Run composer audit for a full list of advisories. C:\Users\Martin_T\Documents\htdocs\jobtracker-stage>composer audit Found 5 security vulnerability advisories affecting 1 package: +-------------------+----------------------------------------------------------------------------------+ | Package | codeigniter4/framework | | CVE | CVE-2022-39284 | | Title | CVE-2022-39284: Config\Cookie Secure or HttpOnly flag not set in CodeIgniter4 | | URL | https://github.com/codeigniter4/CodeIgni...-745p-r637- | | | 7vvp | | Affected versions | <4.2.7 | | Reported at | 2022-10-06T09:39:42+00:00 | +-------------------+----------------------------------------------------------------------------------+ +-------------------+----------------------------------------------------------------------------------+ | Package | codeigniter4/framework | | CVE | CVE-2022-24711 | | Title | CVE-2022-24711: Remote CLI Command Execution Vulnerability in CodeIgniter4 | | URL | https://github.com/codeigniter4/CodeIgni...-xjp4-6w75- | | | qrj7 | | Affected versions | <4.1.9 | | Reported at | 2022-02-26T00:51:52+00:00 | +-------------------+----------------------------------------------------------------------------------+ +-------------------+----------------------------------------------------------------------------------+ | Package | codeigniter4/framework | | CVE | CVE-2022-24712 | | Title | CVE-2022-24712: Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerabilit | | | y in CodeIgniter4 | | URL | https://github.com/codeigniter4/CodeIgni...-4v37-24gm- | | | h554 | | Affected versions | <4.1.9 | | Reported at | 2022-02-26T00:51:52+00:00 | +-------------------+----------------------------------------------------------------------------------+ +-------------------+----------------------------------------------------------------------------------+ | Package | codeigniter4/framework | | CVE | CVE-2022-21715 | | Title | CVE-2022-21715: XSS Vulnerability in API\ResponseTrait in CodeIgniter4 | | URL | https://github.com/codeigniter4/CodeIgni...-7528-7jg5- | | | 6g62 | | Affected versions | <4.1.8 | | Reported at | 2022-01-24T17:41:56+00:00 | +-------------------+----------------------------------------------------------------------------------+ +-------------------+----------------------------------------------------------------------------------+ | Package | codeigniter4/framework | | CVE | CVE-2022-21647 | | Title | CVE-2022-21647: Deserialization of Untrusted Data in Codeigniter4 | | URL | https://github.com/codeigniter4/CodeIgni...-w6jr-wj64- | | | mc9x | | Affected versions | <4.1.6 | | Reported at | 2022-01-04T00:59:31+00:00 | +-------------------+----------------------------------------------------------------------------------+
I think you are using PHP 7.2 on CLI.
Please check the version: Code: $ php -v(12-14-2022, 10:18 AM)68thorby68 Wrote: The update command is reporting ecurity vulnerability advisories (see below) but when I investigate this on github, I see (for example) you patched a fix for CVE-2022-24711 It is no wonder. If you are using v4.0.5, these vulnerabilities are reported. Because v4.0.5 has all the vulnerabilities. You need to update to v4.2.7 or later.
(12-14-2022, 04:28 PM)kenjis Wrote:(12-14-2022, 10:18 AM)68thorby68 Wrote: The update command is reporting ecurity vulnerability advisories (see below) but when I investigate this on github, I see (for example) you patched a fix for CVE-2022-24711 (01-15-2023, 06:41 AM)68thorby68 Wrote:(12-14-2022, 04:28 PM)kenjis Wrote:(12-14-2022, 10:18 AM)68thorby68 Wrote: The update command is reporting ecurity vulnerability advisories (see below) but when I investigate this on github, I see (for example) you patched a fix for CVE-2022-24711 Thank you for your continued support, I am totally confused!! The suggestion above "You need to update to v4.2.7 or later." is exactly what i'm try to achieve :-) My php version: PHP Version 7.4.33 My Composer version: Composer version 2.4.4 2022-10-27 14:39:29 The CI4 manual says run composer update, when I do, the folloing happens (see below) but the version does NOT change. I am seriously considering a manual upgrade or completely new install (then replacing my Controllers, Models, Views, etc, and updating the relevant config files). Please, any advice is really appreciated. my_ci4_install_folder>composer update Loading composer repositories with package information Updating dependencies Lock file operations: 1 install, 0 updates, 31 removals - Removing codeigniter/coding-standard (v1.4.0) - Removing composer/pcre (3.1.0) - Removing composer/semver (3.3.2) - Removing composer/xdebug-handler (3.0.3) - Removing doctrine/annotations (1.14.2) - Removing doctrine/deprecations (v1.0.0) - Removing doctrine/lexer (2.1.0) - Removing friendsofphp/php-cs-fixer (v3.9.5) - Removing nexusphp/cs-config (v3.5.0) - Removing php-cs-fixer/diff (v2.0.2) - Removing psr/cache (1.0.1) - Removing psr/container (1.1.2) - Removing psr/event-dispatcher (1.0.0) - Removing symfony/console (v5.4.17) - Removing symfony/deprecation-contracts (v2.5.2) - Removing symfony/event-dispatcher (v5.4.17) - Removing symfony/event-dispatcher-contracts (v2.5.2) - Removing symfony/filesystem (v5.4.13) - Removing symfony/finder (v5.4.17) - Removing symfony/options-resolver (v5.4.11) - Removing symfony/polyfill-ctype (v1.27.0) - Removing symfony/polyfill-intl-grapheme (v1.27.0) - Removing symfony/polyfill-intl-normalizer (v1.27.0) - Removing symfony/polyfill-mbstring (v1.27.0) - Removing symfony/polyfill-php73 (v1.27.0) - Removing symfony/polyfill-php80 (v1.27.0) - Removing symfony/polyfill-php81 (v1.27.0) - Removing symfony/process (v5.4.11) - Removing symfony/service-contracts (v2.5.2) - Removing symfony/stopwatch (v5.4.13) - Removing symfony/string (v5.4.17) - Locking codeigniter4/codeigniter4-standard (v1.1.1) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 1 install, 0 updates, 31 removals - Removing symfony/string (v5.4.17) - Removing symfony/stopwatch (v5.4.13) - Removing symfony/service-contracts (v2.5.2) - Removing symfony/process (v5.4.11) - Removing symfony/polyfill-php81 (v1.27.0) - Removing symfony/polyfill-php80 (v1.27.0) - Removing symfony/polyfill-php73 (v1.27.0) - Removing symfony/polyfill-mbstring (v1.27.0) - Removing symfony/polyfill-intl-normalizer (v1.27.0) - Removing symfony/polyfill-intl-grapheme (v1.27.0) - Removing symfony/polyfill-ctype (v1.27.0) - Removing symfony/options-resolver (v5.4.11) - Removing symfony/finder (v5.4.17) - Removing symfony/filesystem (v5.4.13) - Removing symfony/event-dispatcher-contracts (v2.5.2) - Removing symfony/event-dispatcher (v5.4.17) - Removing symfony/deprecation-contracts (v2.5.2) - Removing symfony/console (v5.4.17) - Removing psr/event-dispatcher (1.0.0) - Removing psr/container (1.1.2) - Removing psr/cache (1.0.1) - Removing php-cs-fixer/diff (v2.0.2) - Removing nexusphp/cs-config (v3.5.0) - Removing friendsofphp/php-cs-fixer (v3.9.5) - Removing doctrine/lexer (2.1.0) - Removing doctrine/deprecations (v1.0.0) - Removing doctrine/annotations (1.14.2) - Removing composer/xdebug-handler (3.0.3) - Removing composer/semver (3.3.2) - Removing composer/pcre (3.1.0) - Removing codeigniter/coding-standard (v1.4.0) - Installing codeigniter4/codeigniter4-standard (v1.1.1): Extracting archive Package codeigniter4/codeigniter4-standard is abandoned, you should avoid using it. Use codeigniter/coding-standard instead. Package phpunit/php-token-stream is abandoned, you should avoid using it. No replacement was suggested. Generating autoload files 20 packages you are using are looking for funding. Use the `composer fund` command to find out more! Generating autoload files Generated autoload files > CodeIgniter\ComposerScripts::postUpdate > bash admin/setup.sh 'bash' is not recognized as an internal or external command, operable program or batch file. Script bash admin/setup.sh handling the post-update-cmd event returned with error code 1
@68thorby68 It seems better you learn how Composer works.
The composer.json in your project root folder is the config file for the project. That is your project config file. So it is better you know what you configure. It seems you have wrong composer.json for your project. I recommend you fix composer.json to install "codeigniter4/framework": "4.2.12". The last version in v4.2.x. v4.3 has many breaking changes. So it is better first to upgrade to v4.2. Here is the latest composer.json in appstarter: https://github.com/codeigniter4/appstart...poser.json Or it might be better you install brand-new v4.2.12 manually and move your app files to it. And don't forget to check for breaking changes related to your app code: https://codeigniter4.github.io/CodeIgnit...ading.html https://codeigniter4.github.io/CodeIgnit...index.html |
| Welcome Guest, Not a member yet? Register Sign In |
MENU
EXTRA MENU
ABOUT US
CodeIgniter is a powerful PHP framework with a very small footprint, built for developers who need a simple and elegant toolkit to create full-featured web applications.
