
Magento <2.4.6 (2.4.4 & 2.4.5) forces us to use an unsupported version of Symfony. #39338

Open
youwe-erik opened this issue Nov 7, 2024 · 8 comments
Labels
Issue: On Hold Reported on 2.4.5 Indicates original Magento version for the Issue report.

Comments

@youwe-erik

Summary:

Magento 2.4.4 and 2.4.5 require:
"symfony/console": "~4.4.0",
"symfony/event-dispatcher": "~4.4.0",
"symfony/process": "~4.4.0",

These versions of Symfony (v4) have not received, and will not receive, security updates for about a year now (source: https://symfony.com/releases - "End of support: Nov 2023").

A critical issue has been reported for the "symfony/process" package (CVE-2024-51736) and we currently cannot get around this except by using ugly workarounds.

Preconditions (*)

Magento 2.4.4-p* and Magento 2.4.5-p*

Steps to reproduce (*)

Install any Magento 2.4.4 or 2.4.5 project and try to update the Symfony packages to a supported version.

Expected result (*)

Magento does not require unsupported packages.

Actual result (*)

Magento is forcing us to install unsupported v4 versions of Symfony.

m2-assistant bot commented Nov 7, 2024

Hi @youwe-erik. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.


Join Magento Community Engineering Slack and ask your questions in #github channel.
⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

@github-project-automation github-project-automation bot moved this to Ready for Confirmation in Issue Confirmation and Triage Board Nov 7, 2024
@engcom-Bravo engcom-Bravo added the Reported on 2.4.5 Indicates original Magento version for the Issue report. label Nov 7, 2024
@youwe-erik (Author)

FYI: One of the ugly workarounds basically is: composer require symfony/process:"5.4.46 as 4.4.44"
Of course it's hard to say what effect this will have exactly.

hostep (Contributor) commented Nov 7, 2024

Note that it's not as critical as it sounds, since the vulnerability only exists on Windows-based systems. Magento is officially not supported to run on Windows...

But would still be nice indeed to be able to update to supported versions of symfony package(s).

On Magento 2.4.6-pX the issue also exists, because in 2.4.6-p2 the constraint "symfony/process": "<=v5.4.23" got added for some reason, which also prevents us from going to the latest version.

leonhelmus commented Nov 7, 2024

@hostep you mean in the composer root right? We resolved that by increasing the package from "symfony/process": "<=v5.4.23" to "symfony/process": "<=v5.4.46" or "symfony/process": "<v5.5"

hostep (Contributor) commented Nov 7, 2024

Yeah I know, but I don't want to do that before I know the reason why Adobe decided to add that constraint in the first place.

leonhelmus commented Nov 7, 2024

@hostep You are right, but this was to at least tell others who have the issue how to resolve it for now. It seems to be added specifically for magento/magento2-functional-testing-framework as well in 4.4.0 / .

I'm also wondering, since I got a dependency conflict, if I can safely upgrade magento to the latest version:
magento/magento2-functional-testing-framework

to resolve the issues.

hostep (Contributor) commented Nov 8, 2024

Here's a reply from Adobe (@chernenm) on Slack:

Hi Pieter, thank you for reaching out, I believe this constraint "symfony/process": "<=v5.4.23" was added by mistake, I will work with the team and we will deliver updated constraint to versions 2.4.4, 2.4.5 and 2.4.6 and make it open “~5.4.46” instead.
We will plan this to be released in scope of February patches, since current vulnerability is not critical, as you mentioned

So for people on 2.4.6, I think we can then remove that "symfony/process": "<=v5.4.23" constraint in our root composer file. And for the people on Magento 2.4.4 & 2.4.5, we'll have to wait until February 2025 when Magento upgrades the requirement for symfony/process from 4.4.x to 5.4.x. Let's hope this upgrade is more or less backwards compatible.


If you add the following to the config section in your composer.json file, you can mark the issue to be ignored (docs):

        "audit": {
            "ignore": {
                "CVE-2024-51736": "Only applies to Windows"
            },
            "abandoned": "report"
        }

This will still output the issue when running composer audit, but will result in exit code 0 instead of a higher number (the normal exit code is the amount of issues it finds, FYI)
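The two workarounds in this thread (the reporter's `composer require symfony/process:"5.4.46 as 4.4.44"` inline alias, and the `config.audit.ignore` entry above) both change what Composer reports without changing what the rest of the dependency graph believes is installed. The script below is an added example, not code from Magento, Composer or any commenter: it reads a composer.json and composer.lock and lists which watched Symfony packages are still on the end-of-life 4.x line, which constraints use an inline alias (so a reviewer knows the resolver is seeing a different version than the one actually running), and which advisories `composer audit` has been told to ignore. The file contents embedded at the bottom are constructed for the demo.

```python
"""Check a Composer project for the three things discussed in this thread:
EOL Symfony 4.x packages actually installed, the "5.4.46 as 4.4.44" inline
alias workaround, and a composer audit ignore entry for CVE-2024-51736.
Added example; not code from Magento, Composer, or any commenter.
"""
import json
import re

# Symfony 4.4 reached end of support in Nov 2023 (symfony.com/releases).
EOL_SYMFONY_MAJORS = {4}
WATCHED = ("symfony/console", "symfony/event-dispatcher", "symfony/process")
ADVISORY = "CVE-2024-51736"

# Composer inline alias syntax: "<real version> as <version the resolver sees>"
ALIAS_RE = re.compile(
    r"^\s*v?(?P<real>\d+(?:\.\d+)*)\s+as\s+v?(?P<alias>\d+(?:\.\d+)*)\s*$"
)


def parse_version(version):
    """'v5.4.46' or '5.4.46' -> (5, 4, 46) for numeric comparison."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def find_inline_aliases(composer_json):
    """Map package -> (real, alias) for every 'X as Y' constraint."""
    aliases = {}
    for section in ("require", "require-dev"):
        for name, constraint in composer_json.get(section, {}).items():
            match = ALIAS_RE.match(constraint)
            if match:
                aliases[name] = (match.group("real"), match.group("alias"))
    return aliases


def installed_versions(composer_lock):
    """Map package -> version as recorded in composer.lock."""
    versions = {}
    for section in ("packages", "packages-dev"):
        for package in composer_lock.get(section, []):
            versions[package["name"]] = package["version"]
    return versions


def eol_symfony_packages(composer_lock):
    """Watched Symfony packages whose installed major version is end-of-life."""
    return sorted(
        name
        for name, version in installed_versions(composer_lock).items()
        if name in WATCHED and parse_version(version)[0] in EOL_SYMFONY_MAJORS
    )


def ignored_advisories(composer_json):
    """Advisory ids under config.audit.ignore (Composer accepts a list or an id->reason map)."""
    ignore = composer_json.get("config", {}).get("audit", {}).get("ignore", [])
    return sorted(ignore)  # iterating a dict yields its keys, so both forms work


def report(composer_json, composer_lock):
    """One dict summarising what a reviewer should look at."""
    ignored = ignored_advisories(composer_json)
    return {
        "eol_packages": eol_symfony_packages(composer_lock),
        "inline_aliases": find_inline_aliases(composer_json),
        "ignored_advisories": ignored,
        "advisory_ignored": ADVISORY in ignored,
    }


# Constructed sample files modelled on the thread (not a real project's files).
SAMPLE_COMPOSER_JSON = json.loads("""{
  "require": {
    "symfony/console": "~4.4.0",
    "symfony/event-dispatcher": "~4.4.0",
    "symfony/process": "5.4.46 as 4.4.44"
  },
  "config": {
    "audit": {
      "ignore": {"CVE-2024-51736": "Only applies to Windows"},
      "abandoned": "report"
    }
  }
}""")

SAMPLE_COMPOSER_LOCK = json.loads("""{
  "packages": [
    {"name": "symfony/console", "version": "v4.4.49"},
    {"name": "symfony/event-dispatcher", "version": "v4.4.44"},
    {"name": "symfony/process", "version": "v5.4.46"}
  ],
  "packages-dev": []
}""")


if __name__ == "__main__":
    for key, value in report(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK).items():
        print(f"{key}: {value}")
```

Run it against a real project by replacing the two constructed samples with `json.load(open("composer.json"))` and `json.load(open("composer.lock"))`. The point of reporting aliases separately is that an alias does not make the 4.4 constraint go away: Magento's resolver still thinks 4.4.44 is present, so the aliased package stays on the list of things to re-check once the official constraint bump ships.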

engcom-Bravo (Contributor)

Hi @youwe-erik,

Thanks for your reporting and collaboration.

The Magento core engineering team is working on the issue and may do further implementation to cover a few more scenarios as needed. We will reach out to you if we need more information.

Hence moving this issue to ON HOLD

Thank you once again!
