phpPackages.composer: 2.6.6 -> 2.7.1

Diff: https://github.com/composer/composer/compare/2.6.6..2.7.1 Changelog: https://github.com/composer/composer/releases/tag/2.7.1 Fix CVE: CVE-2024-24821
2024-11-17 06:06:13 +03:00 · 2024-02-13 15:33:27 +01:00 · 2024-02-13 15:33:27 +01:00 · cf9e77ef8e
commit cf9e77ef8e
parent 39502e7aa7
3 changed files with 18 additions and 43 deletions
--- a/pkgs/build-support/php/hooks/composer-install-hook.sh
+++ b/pkgs/build-support/php/hooks/composer-install-hook.sh
@ -83,28 +83,7 @@ composerInstallBuildHook() {

    # Since this file cannot be generated in the composer-repository-hook.sh
    # because the file contains hardcoded nix store paths, we generate it here.
-    composer-local-repo-plugin --no-ansi build-local-repo -m "${composerRepository}" .
-
-    # Remove all the repositories of type "composer" and "vcs"
-    # from the composer.json file.
-    jq -r -c 'del(try .repositories[] | select(.type == "composer" or .type == "vcs"))' composer.json | sponge composer.json
-
-    # Configure composer to disable packagist and avoid using the network.
-    composer config repo.packagist false
-    # Configure composer to use the local repository.
-    composer config repo.composer composer file://"$PWD"/packages.json
-
-    # Since the composer.json file has been modified in the previous step, the
-    # composer.lock file needs to be updated.
-    composer \
-      --lock \
-      --no-ansi \
-      --no-install \
-      --no-interaction \
-      ${composerNoDev:+--no-dev} \
-      ${composerNoPlugins:+--no-plugins} \
-      ${composerNoScripts:+--no-scripts} \
-      update
+    composer-local-repo-plugin --no-ansi build-local-repo-lock -m "${composerRepository}" .

    echo "Finished composerInstallBuildHook"
 }
@ -151,9 +130,6 @@ composerInstallInstallHook() {
      ${composerNoScripts:+--no-scripts} \
      install

-    # Remove packages.json, we don't need it in the store.
-    rm packages.json
-
    # Copy the relevant files only in the store.
    mkdir -p "$out"/share/php/"${pname}"
    cp -r . "$out"/share/php/"${pname}"/
--- a/pkgs/build-support/php/hooks/composer-repository-hook.sh
+++ b/pkgs/build-support/php/hooks/composer-repository-hook.sh
@ -63,7 +63,7 @@ composerRepositoryBuildHook() {
    # Build the local composer repository
    # The command 'build-local-repo' is provided by the Composer plugin
    # nix-community/composer-local-repo-plugin.
-    composer-local-repo-plugin --no-ansi build-local-repo ${composerNoDev:+--no-dev} -r repository
+    composer-local-repo-plugin --no-ansi build-local-repo-lock ${composerNoDev:+--no-dev} -r repository

    echo "Finished composerRepositoryBuildHook"
 }
--- a/pkgs/development/php-packages/composer/default.nix
+++ b/pkgs/development/php-packages/composer/default.nix
@ -1,11 +1,22 @@
-{ lib, callPackage, fetchFromGitHub, fetchpatch, php, unzip, _7zz, xz, git, curl, cacert, makeBinaryWrapper }:
+{ lib
+, callPackage
+, fetchFromGitHub
+, php
+, unzip
+, _7zz
+, xz
+, git
+, curl
+, cacert
+, makeBinaryWrapper
+}:

 php.buildComposerProject (finalAttrs: {
  # Hash used by ../../../build-support/php/pkgs/composer-phar.nix to
  # use together with the version from this package to keep the
  # bootstrap phar file up-to-date together with the end user composer
  # package.
-  passthru.pharHash = "sha256-cmACAcc8fEshjxwFEbNthTeWPjaq+iRHV/UjCfiFsxQ=";
+  passthru.pharHash = "sha256-H/0L4/J+I3sa5H+ejyn5asf1CgvZ7vT4jNvpTdBL//A=";

  composer = callPackage ../../../build-support/php/pkgs/composer-phar.nix {
    inherit (finalAttrs) version;
@ -13,27 +24,15 @@ php.buildComposerProject (finalAttrs: {
  };

  pname = "composer";
-  version = "2.6.6";
+  version = "2.7.1";

  src = fetchFromGitHub {
    owner = "composer";
    repo = "composer";
    rev = finalAttrs.version;
-    hash = "sha256-KsTZi7dSlQcAxoen9rpofbptVdLYhK+bZeDSXQY7o5M=";
+    hash = "sha256-OThWqY3m/pIas4qvR/kiYgc/2QrAbnsYEOxpHxKhDfM=";
  };

-  patches = [
-    (fetchpatch {
-      name = "CVE-2024-24821.patch";
-      url = "https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7.patch";
-      hash = "sha256-Q7gkPLf59+p++DpfJZeOrAOiWePuGkdGYRaS/rK+Nv4=";
-      excludes = [
-        # Skipping test files, they are not included in the source tarball
-        "tests/*"
-      ];
-    })
-  ];
-
  nativeBuildInputs = [ makeBinaryWrapper ];

  postInstall = ''
@ -41,7 +40,7 @@ php.buildComposerProject (finalAttrs: {
      --prefix PATH : ${lib.makeBinPath [ _7zz cacert curl git unzip xz ]}
  '';

-  vendorHash = "sha256-50M1yeAKl9KRsjs34cdb5ZTBFgbukgg0cMtHTYGJ/EM=";
+  vendorHash = "sha256-NJa6nu60HQeBJr7dd79ATptjcekgY35Jq9V40SrN9Ds";

  meta = {
    changelog = "https://github.com/composer/composer/releases/tag/${finalAttrs.version}";