CodeIgniter Forums
Composer Upgrade - Printable Version



Composer Upgrade - 68thorby68 - 12-13-2022

Does anyone have advice?
I have just installed a new instance of codeigniter 4 using composer.
 
Code:
composer create-project codeigniter4/appstarter myproject

I understand this method will install the latest version of CodeIgniter; however, the Debug Toolbar states version 4.05 is installed.

I then run
Code:
php builds release

To ensure I am pointing to the correct repository

I then run
Code:
composer update

But composer reports

"composer update
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove"

Is there something else I need to do?

Many thanks.


RE: Composer Upgrade - kenjis - 12-13-2022

It seems you are doing the right thing.


Code:
bash-3.2$ composer create-project codeigniter4/appstarter myproject
Creating a "codeigniter4/appstarter" project at "./myproject"
Installing codeigniter4/appstarter (v4.2.10)
  - Installing codeigniter4/appstarter (v4.2.10): Extracting archive
Created project in /Users/kenji/tmp/myproject
Loading composer repositories with package information
Updating dependencies
Lock file operations: 36 installs, 0 updates, 0 removals
  - Locking codeigniter4/framework (v4.2.10)
  - Locking doctrine/instantiator (1.4.1)
  - Locking fakerphp/faker (v1.21.0)
  - Locking kint-php/kint (4.2.3)
  - Locking laminas/laminas-escaper (2.12.0)
  - Locking mikey179/vfsstream (v1.6.11)
  - Locking myclabs/deep-copy (1.11.0)
  - Locking nikic/php-parser (v4.15.2)
  - Locking phar-io/manifest (2.0.3)
  - Locking phar-io/version (3.2.1)
  - Locking phpunit/php-code-coverage (9.2.20)
  - Locking phpunit/php-file-iterator (3.0.6)
  - Locking phpunit/php-invoker (3.1.1)
  - Locking phpunit/php-text-template (2.0.4)
  - Locking phpunit/php-timer (5.0.3)
  - Locking phpunit/phpunit (9.5.27)
  - Locking psr/container (2.0.2)
  - Locking psr/log (1.1.4)
  - Locking sebastian/cli-parser (1.0.1)
  - Locking sebastian/code-unit (1.0.8)
  - Locking sebastian/code-unit-reverse-lookup (2.0.3)
  - Locking sebastian/comparator (4.0.8)
  - Locking sebastian/complexity (2.0.2)
  - Locking sebastian/diff (4.0.4)
  - Locking sebastian/environment (5.1.4)
  - Locking sebastian/exporter (4.0.5)
  - Locking sebastian/global-state (5.0.5)
  - Locking sebastian/lines-of-code (1.0.3)
  - Locking sebastian/object-enumerator (4.0.4)
  - Locking sebastian/object-reflector (2.0.4)
  - Locking sebastian/recursion-context (4.0.4)
  - Locking sebastian/resource-operations (3.0.3)
  - Locking sebastian/type (3.2.0)
  - Locking sebastian/version (3.0.2)
  - Locking symfony/deprecation-contracts (v2.5.2)
  - Locking theseer/tokenizer (1.2.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 36 installs, 0 updates, 0 removals
  - Installing psr/log (1.1.4): Extracting archive
  - Installing laminas/laminas-escaper (2.12.0): Extracting archive
  - Installing kint-php/kint (4.2.3): Extracting archive
  - Installing codeigniter4/framework (v4.2.10): Extracting archive
  - Installing symfony/deprecation-contracts (v2.5.2): Extracting archive
  - Installing psr/container (2.0.2): Extracting archive
  - Installing fakerphp/faker (v1.21.0): Extracting archive
  - Installing mikey179/vfsstream (v1.6.11): Extracting archive
  - Installing sebastian/version (3.0.2): Extracting archive
  - Installing sebastian/type (3.2.0): Extracting archive
  - Installing sebastian/resource-operations (3.0.3): Extracting archive
  - Installing sebastian/recursion-context (4.0.4): Extracting archive
  - Installing sebastian/object-reflector (2.0.4): Extracting archive
  - Installing sebastian/object-enumerator (4.0.4): Extracting archive
  - Installing sebastian/global-state (5.0.5): Extracting archive
  - Installing sebastian/exporter (4.0.5): Extracting archive
  - Installing sebastian/environment (5.1.4): Extracting archive
  - Installing sebastian/diff (4.0.4): Extracting archive
  - Installing sebastian/comparator (4.0.8): Extracting archive
  - Installing sebastian/code-unit (1.0.8): Extracting archive
  - Installing sebastian/cli-parser (1.0.1): Extracting archive
  - Installing phpunit/php-timer (5.0.3): Extracting archive
  - Installing phpunit/php-text-template (2.0.4): Extracting archive
  - Installing phpunit/php-invoker (3.1.1): Extracting archive
  - Installing phpunit/php-file-iterator (3.0.6): Extracting archive
  - Installing theseer/tokenizer (1.2.1): Extracting archive
  - Installing nikic/php-parser (v4.15.2): Extracting archive
  - Installing sebastian/lines-of-code (1.0.3): Extracting archive
  - Installing sebastian/complexity (2.0.2): Extracting archive
  - Installing sebastian/code-unit-reverse-lookup (2.0.3): Extracting archive
  - Installing phpunit/php-code-coverage (9.2.20): Extracting archive
  - Installing phar-io/version (3.2.1): Extracting archive
  - Installing phar-io/manifest (2.0.3): Extracting archive
  - Installing myclabs/deep-copy (1.11.0): Extracting archive
  - Installing doctrine/instantiator (1.4.1): Extracting archive
  - Installing phpunit/phpunit (9.5.27): Extracting archive
11 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
27 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
infection/extension-installer: No extensions found
No security vulnerability advisories found

Code:
bash-3.2$ cd myproject/
bash-3.2$ php spark env

CodeIgniter v4.2.10 Command Line Tool - Server Time: 2022-12-13 17:54:35 UTC-06:00

Your environment is currently set as production.

bash-3.2$



RE: Composer Upgrade - 68thorby68 - 12-14-2022

Many thanks.
I'm just surprised the composer install is installing 4.05 instead of 4.2x. It seems the installer is lagging a long way behind?
Again Thanks


RE: Composer Upgrade - kenjis - 12-14-2022

No, it is not the installer, but probably your PHP version is behind.
v4.0.5 is the last version of v4.0.x.

v4.1 requires PHP 7.3 or later.
https://codeigniter4.github.io/CodeIgniter4/changelogs/v4.1.0.html

v4.2 requires PHP 7.4 or later.
https://codeigniter4.github.io/CodeIgniter4/changelogs/v4.2.0.html


RE: Composer Upgrade - 68thorby68 - 12-14-2022

Many thanks for your help.
My server is using php 7.4, however, I am using a shared hosting solution. I have double checked my php server extensions (I put together the original shared hosting document for this forum with jreklund) and all seems intact.
That said, would there be any new PHP extensions that need to be enabled/disabled? From memory the shared hosting document was created a number of PHP versions ago!
Unfortunately, I do not possess the knowledge to know what PHP extensions should be enabled/disabled. However, I can share my current PHP configuration with someone that does know, and then provide the necessary feedback to update the shared hosting document on this forum.
Again, your help is very much appreciated.

Update...

I have installed another instance of ci4 using composer then run
Code:
composer update

The update command is reporting security vulnerability advisories (see below) but when I investigate this on GitHub, I see (for example) you patched a fix for CVE-2022-24711.
I'm seriously confused :-)


composer returns-----

Package phpunit/php-token-stream is abandoned, you should avoid using it. No replacement was suggested.
Generating autoload files
21 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Found 5 security vulnerability advisories affecting 1 package.
Run composer audit for a full list of advisories.

C:\Users\Martin_T\Documents\htdocs\jobtracker-stage>composer audit
Found 5 security vulnerability advisories affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package          | codeigniter4/framework                                                          |
| CVE              | CVE-2022-39284                                                                  |
| Title            | CVE-2022-39284: Config\Cookie Secure or HttpOnly flag not set in CodeIgniter4    |
| URL              | https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637- |
|                  | 7vvp                                                                            |
| Affected versions | <4.2.7                                                                          |
| Reported at      | 2022-10-06T09:39:42+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package          | codeigniter4/framework                                                          |
| CVE              | CVE-2022-24711                                                                  |
| Title            | CVE-2022-24711: Remote CLI Command Execution Vulnerability in CodeIgniter4      |
| URL              | https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75- |
|                  | qrj7                                                                            |
| Affected versions | <4.1.9                                                                          |
| Reported at      | 2022-02-26T00:51:52+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package          | codeigniter4/framework                                                          |
| CVE              | CVE-2022-24712                                                                  |
| Title            | CVE-2022-24712: Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerabilit |
|                  | y in CodeIgniter4                                                                |
| URL              | https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm- |
|                  | h554                                                                            |
| Affected versions | <4.1.9                                                                          |
| Reported at      | 2022-02-26T00:51:52+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package          | codeigniter4/framework                                                          |
| CVE              | CVE-2022-21715                                                                  |
| Title            | CVE-2022-21715: XSS Vulnerability in API\ResponseTrait in CodeIgniter4          |
| URL              | https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5- |
|                  | 6g62                                                                            |
| Affected versions | <4.1.8                                                                          |
| Reported at      | 2022-01-24T17:41:56+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package          | codeigniter4/framework                                                          |
| CVE              | CVE-2022-21647                                                                  |
| Title            | CVE-2022-21647: Deserialization of Untrusted Data in Codeigniter4                |
| URL              | https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64- |
|                  | mc9x                                                                            |
| Affected versions | <4.1.6                                                                          |
| Reported at      | 2022-01-04T00:59:31+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+


RE: Composer Upgrade - kenjis - 12-14-2022

I think you are using PHP 7.2 on CLI.
Please check the version:
Code:
$ php -v



RE: Composer Upgrade - kenjis - 12-14-2022

(12-14-2022, 10:18 AM)68thorby68 Wrote: The update command is reporting security vulnerability advisories (see below) but when I investigate this on GitHub, I see (for example) you patched a fix for CVE-2022-24711.
I'm seriously confused :-)

It is no wonder.
If you are using v4.0.5, these vulnerabilities are reported.
Because v4.0.5 has all the vulnerabilities.

You need to update to v4.2.7 or later.
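
The version check discussed in the replies above, as an added example that is not part of the original thread: it reads the pinned `codeigniter4/framework` version from a `composer.lock`, lists which advisories from the `composer audit` output still apply, and reports whether the CLI PHP version is below the floor of the series that fixes them. The sample lock file and the CLI version `7.2.34` are constructed; the function names are hypothetical.

```python
import json
import re

# "Affected versions" bounds copied from the composer audit output in this
# thread: each advisory affects releases strictly below the version shown.
ADVISORIES = {
    "CVE-2022-39284": "4.2.7",
    "CVE-2022-24711": "4.1.9",
    "CVE-2022-24712": "4.1.9",
    "CVE-2022-21715": "4.1.8",
    "CVE-2022-21647": "4.1.6",
}
# Minimum PHP per framework series, as stated in the thread.
PHP_FLOOR = {(4, 1): (7, 3), (4, 2): (7, 4)}

# Constructed sample: a trimmed composer.lock pinning the version from the thread.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "codeigniter4/framework", "version": "v4.0.5"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "8.5.2"}],
})

def parse_version(text):
    """'v4.2.10' -> (4, 2, 10); short versions are zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))

def locked_version(lock_text, package="codeigniter4/framework"):
    """Return the version composer.lock pins for `package`, or None."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            return entry.get("version")
    return None

def open_advisories(version):
    """CVE ids from ADVISORIES that still apply to `version`."""
    v = parse_version(version)
    return sorted(c for c, fixed in ADVISORIES.items() if v < parse_version(fixed))

def newest_series_for_php(php_version):
    """Highest framework series whose PHP floor this interpreter meets."""
    php = parse_version(php_version)[:2]
    return max((s for s, floor in PHP_FLOOR.items() if php >= floor), default=(4, 0))

def report(lock_text, cli_php):
    """Summarise exposure and whether the CLI PHP version blocks the fix."""
    version = locked_version(lock_text)
    if version is None:
        raise LookupError("codeigniter4/framework is not in the lock file")
    fixed_series = max(parse_version(f) for f in ADVISORIES.values())[:2]
    return {
        "locked": version,
        "open": open_advisories(version),
        "php_blocks_fix": newest_series_for_php(cli_php) < fixed_series,
    }

if __name__ == "__main__":
    print(report(SAMPLE_LOCK, "7.2.34"))  # 7.2.34 is a constructed CLI version
```

Pass the output of `php -v` from the same shell that runs Composer, since that interpreter, not the web server's, decides which framework series the resolver may pick.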


RE: Composer Upgrade - Mni.day - 12-15-2022

I faced the same problem yesterday. You need to specify the exact path to the PHP interpreter of the desired version in the shell,
something like this:
Code:
/opt/alt/php74/usr/bin/php /usr/local/bin/composer update



RE: Composer Upgrade - 68thorby68 - 01-15-2023

(12-14-2022, 04:28 PM)kenjis Wrote:
(12-14-2022, 10:18 AM)68thorby68 Wrote: The update command is reporting security vulnerability advisories (see below) but when I investigate this on GitHub, I see (for example) you patched a fix for CVE-2022-24711.
I'm seriously confused :-)

It is no wonder.
If you are using v4.0.5, these vulnerabilities are reported.
Because v4.0.5 has all the vulnerabilities.

You need to update to v4.2.7 or later.

Thank you for your continued support, I am totally confused!!

The suggestion above "You need to update to v4.2.7 or later." is exactly what I'm trying to achieve :-)

My php version: PHP Version 7.4.33
My Composer version: Composer version 2.4.4 2022-10-27 14:39:29

The CI4 manual says run composer update; when I do, the following happens (see below) but the version does NOT change.

I am seriously considering a manual upgrade or completely new install (then replacing my Controllers, Models, Views, etc, and updating the relevant config files).  Please, any advice is really appreciated.

my_ci4_install_folder>composer update
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 31 removals
  - Removing codeigniter/coding-standard (v1.4.0)
  - Removing composer/pcre (3.1.0)
  - Removing composer/semver (3.3.2)
  - Removing composer/xdebug-handler (3.0.3)
  - Removing doctrine/annotations (1.14.2)
  - Removing doctrine/deprecations (v1.0.0)
  - Removing doctrine/lexer (2.1.0)
  - Removing friendsofphp/php-cs-fixer (v3.9.5)
  - Removing nexusphp/cs-config (v3.5.0)
  - Removing php-cs-fixer/diff (v2.0.2)
  - Removing psr/cache (1.0.1)
  - Removing psr/container (1.1.2)
  - Removing psr/event-dispatcher (1.0.0)
  - Removing symfony/console (v5.4.17)
  - Removing symfony/deprecation-contracts (v2.5.2)
  - Removing symfony/event-dispatcher (v5.4.17)
  - Removing symfony/event-dispatcher-contracts (v2.5.2)
  - Removing symfony/filesystem (v5.4.13)
  - Removing symfony/finder (v5.4.17)
  - Removing symfony/options-resolver (v5.4.11)
  - Removing symfony/polyfill-ctype (v1.27.0)
  - Removing symfony/polyfill-intl-grapheme (v1.27.0)
  - Removing symfony/polyfill-intl-normalizer (v1.27.0)
  - Removing symfony/polyfill-mbstring (v1.27.0)
  - Removing symfony/polyfill-php73 (v1.27.0)
  - Removing symfony/polyfill-php80 (v1.27.0)
  - Removing symfony/polyfill-php81 (v1.27.0)
  - Removing symfony/process (v5.4.11)
  - Removing symfony/service-contracts (v2.5.2)
  - Removing symfony/stopwatch (v5.4.13)
  - Removing symfony/string (v5.4.17)
  - Locking codeigniter4/codeigniter4-standard (v1.1.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 31 removals
  - Removing symfony/string (v5.4.17)
  - Removing symfony/stopwatch (v5.4.13)
  - Removing symfony/service-contracts (v2.5.2)
  - Removing symfony/process (v5.4.11)
  - Removing symfony/polyfill-php81 (v1.27.0)
  - Removing symfony/polyfill-php80 (v1.27.0)
  - Removing symfony/polyfill-php73 (v1.27.0)
  - Removing symfony/polyfill-mbstring (v1.27.0)
  - Removing symfony/polyfill-intl-normalizer (v1.27.0)
  - Removing symfony/polyfill-intl-grapheme (v1.27.0)
  - Removing symfony/polyfill-ctype (v1.27.0)
  - Removing symfony/options-resolver (v5.4.11)
  - Removing symfony/finder (v5.4.17)
  - Removing symfony/filesystem (v5.4.13)
  - Removing symfony/event-dispatcher-contracts (v2.5.2)
  - Removing symfony/event-dispatcher (v5.4.17)
  - Removing symfony/deprecation-contracts (v2.5.2)
  - Removing symfony/console (v5.4.17)
  - Removing psr/event-dispatcher (1.0.0)
  - Removing psr/container (1.1.2)
  - Removing psr/cache (1.0.1)
  - Removing php-cs-fixer/diff (v2.0.2)
  - Removing nexusphp/cs-config (v3.5.0)
  - Removing friendsofphp/php-cs-fixer (v3.9.5)
  - Removing doctrine/lexer (2.1.0)
  - Removing doctrine/deprecations (v1.0.0)
  - Removing doctrine/annotations (1.14.2)
  - Removing composer/xdebug-handler (3.0.3)
  - Removing composer/semver (3.3.2)
  - Removing composer/pcre (3.1.0)
  - Removing codeigniter/coding-standard (v1.4.0)
  - Installing codeigniter4/codeigniter4-standard (v1.1.1): Extracting archive
Package codeigniter4/codeigniter4-standard is abandoned, you should avoid using it. Use codeigniter/coding-standard instead.
Package phpunit/php-token-stream is abandoned, you should avoid using it. No replacement was suggested.
Generating autoload files
20 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Generating autoload files
Generated autoload files
> CodeIgniter\ComposerScripts::postUpdate
> bash admin/setup.sh
'bash' is not recognized as an internal or external command,
operable program or batch file.
Script bash admin/setup.sh handling the post-update-cmd event returned with error code 1


RE: Composer Upgrade - kenjis - 01-15-2023

@68thorby68 It seems better you learn how Composer works.
The composer.json in your project root folder is the config file for the project.
That is your project config file. So it is better you know what you configure.

It seems you have wrong composer.json for your project.

I recommend you fix composer.json to install "codeigniter4/framework": "4.2.12".
The last version in v4.2.x. v4.3 has many breaking changes. So it is better first to upgrade to v4.2.

Here is the latest composer.json in appstarter:
https://github.com/codeigniter4/appstarter/blob/master/composer.json

Or it might be better you install brand-new v4.2.12 manually and move your app files to it.

And don't forget to check for breaking changes related to your app code:
https://codeigniter4.github.io/CodeIgniter4/installation/upgrading.html
https://codeigniter4.github.io/CodeIgniter4/changelogs/index.html