Page MenuHomePhabricator
Create Task
Maniphest T312059

Wrong version of guzzle shipped with 1.37.3 (breaks update.php)
Closed, ResolvedPublicBUG REPORT
Actions

Description

per T311384, guzzle was updated to 7.4.5. However 1.37.3 is shipping with 7.4.1.

This has two problems

  • We updated for a reason (There are mild security issues)
  • composer.json says 7.4.5, but vendor/composer.lock says 7.4.1 (And the actual guzzle files are 7.4.1). This causes update.php to yell at users to run composer update, which is a bad user experience.

Originally reported at https://www.mediawiki.org/wiki/Topic:Wyl1cfgeh38lzb8o

I verified this on the 1.37.3 tarball.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Prep 1.37.4mediawiki/coreREL1_37+13 -2
Update guzzlehttp/guzzle to 7.4.5mediawiki/vendorREL1_37+117 -61
Customize query in gerrit

Related Objects

Event Timeline

Bawolff created this task.Jul 5 2022, 3:12 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 5 2022, 3:12 AM
Zabe subscribed.Jul 5 2022, 7:38 AM
gerritbot added a comment.Jul 5 2022, 7:43 AM

Change 811204 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/vendor@REL1_37] Update guzzlehttp/guzzle to 7.4.5

https://gerrit.wikimedia.org/r/811204

gerritbot added a project: Patch-For-Review.Jul 5 2022, 7:43 AM
gerritbot added a comment.Jul 5 2022, 8:37 AM

Change 811204 merged by Zabe:

[mediawiki/vendor@REL1_37] Update guzzlehttp/guzzle to 7.4.5

https://gerrit.wikimedia.org/r/811204

Maintenance_bot removed a project: Patch-For-Review.Jul 5 2022, 9:30 AM
Aklapper added projects: MediaWiki-Releasing, MediaWiki-Vendor.Jul 5 2022, 8:18 PM
Legoktm subscribed.Jul 5 2022, 9:19 PM

Ugh, we should probably add a check for this in make-release. I'll work on that later...

@Reedy could we get a maintenance release for this? Having update.php tell people to run composer update when they're using the tarball or MW vendor is bad and just going to cause more issues down the line...

Reedy added a comment.Jul 5 2022, 9:21 PM
In T312059#8053776, @Legoktm wrote:

Ugh, we should probably add a check for this in make-release. I'll work on that later...

T113360: Ensure with test that composer.json matches between mediawiki/vendor and mediawiki/core for release branches (where we don't test with vendor) and T295175: Have at least one job running REL1_XX with its appropriate vendor repo

gerritbot added a comment.Jul 8 2022, 4:49 PM

Change 812351 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_37] Prep 1.37.4

https://gerrit.wikimedia.org/r/812351

gerritbot added a project: Patch-For-Review.Jul 8 2022, 4:49 PM
Reedy added a comment.Jul 8 2022, 4:59 PM
In T312059#8053776, @Legoktm wrote:

@Reedy could we get a maintenance release for this? Having update.php tell people to run composer update when they're using the tarball or MW vendor is bad and just going to cause more issues down the line...

In progress; T312661: Write and send release announcement for MediaWiki 1.37.4

gerritbot added a comment.Jul 8 2022, 5:13 PM

Change 812351 merged by jenkins-bot:

[mediawiki/core@REL1_37] Prep 1.37.4

https://gerrit.wikimedia.org/r/812351

Maintenance_bot removed a project: Patch-For-Review.Jul 8 2022, 5:30 PM
Reedy closed this task as Resolved.Jul 8 2022, 5:32 PM
Reedy claimed this task.
Reedy reassigned this task from Reedy to Zabe.
ReleaseTaggerBot added a project: MW-1.37-notes.Jul 12 2022, 6:02 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits