Laravel 8.x to 9.x upgrade requirements issue - laravel-9

How can I fix?
Your requirements could not be resolved to an installable set of packages.
illuminate/database[v6.0.0, ..., v6.19.1] require php ^7.2 -> your php version (8.1.2) does not satisfy that requirement.
illuminate/database[v7.0.0, ..., v7.28.4] require php ^7.2.5 -> your php version (8.1.2) does not satisfy that requirement.
illuminate/database[v8.0.0, ..., v8.11.2] require php ^7.3 -> your php version (8.1.2) does not satisfy that requirement.
Root composer.json requires spatie/laravel-permission ^4.2 -> satisfiable by spatie/laravel-permission[4.2.0, ..., v4.x-dev].
Conclusion: don't install laravel/framework v9.0.0-beta.2 (conflict analysis result)
Conclusion: don't install laravel/framework v9.0.0-beta.3 (conflict analysis result)
Conclusion: don't install laravel/framework v9.0.0-beta.4 (conflict analysis result)
Conclusion: don't install laravel/framework v9.0.0-beta.5 (conflict analysis result)
Conclusion: don't install laravel/framework v9.0.0 (conflict analysis result)
Conclusion: don't install laravel/framework v9.0.1 (conflict analysis result)
Conclusion: don't install laravel/framework v9.0.2 (conflict analysis result)
Conclusion: don't install laravel/framework v9.1.0 (conflict analysis result)
Conclusion: don't install laravel/framework v9.2.0 (conflict analysis result)
Conclusion: don't install laravel/framework v9.3.0 (conflict analysis result)
Conclusion: don't install laravel/framework v9.3.1 (conflict analysis result)
Conclusion: don't install laravel/framework v9.0.0-beta.1 (conflict analysis result)
spatie/laravel-permission[4.2.0, ..., v4.x-dev] require illuminate/database ^6.0|^7.0|^8.0 -> satisfiable by illuminate/database[v6.0.0, ..., 6.x-dev, v7.0.0, ..., 7.x-dev, v8.0.0, ..., 8.x-dev].
Only one of these can be installed: illuminate/database[v6.0.0, ..., 6.x-dev, v7.0.0, ..., 7.x-dev, v8.0.0, ..., 8.x-dev], laravel/framework[v9.0.0-beta.1, ..., 9.x-dev]. laravel/framework replaces illuminate/database and thus cannot coexist with it.
Root composer.json requires laravel/framework ^9.0 -> satisfiable by laravel/framework[v9.0.0-beta.1, ..., 9.x-dev].

Take a backup of your old composer.json, just to refer to for all the other packages that you are going to need.
Remove the vendor folder and copy the composer.json from below.
This is my fresh Laravel 9 composer.json file:
{
"name": "laravel/laravel",
"type": "project",
"description": "The Laravel Framework.",
"keywords": ["framework", "laravel"],
"license": "MIT",
"require": {
"php": "^8.0.2",
"guzzlehttp/guzzle": "^7.2",
"laravel/framework": "^9.2",
"laravel/sanctum": "^2.14.1",
"laravel/tinker": "^2.7",
"spatie/laravel-permission": "^5.5"
},
"require-dev": {
"fakerphp/faker": "^1.9.1",
"laravel/sail": "^1.0.1",
"mockery/mockery": "^1.4.4",
"nunomaduro/collision": "^6.1",
"phpunit/phpunit": "^9.5.10",
"spatie/laravel-ignition": "^1.0"
},
"autoload": {
"psr-4": {
"App\\": "app/",
"Database\\Factories\\": "database/factories/",
"Database\\Seeders\\": "database/seeders/"
}
},
"autoload-dev": {
"psr-4": {
"Tests\\": "tests/"
}
},
"scripts": {
"post-autoload-dump": [
"Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
"@php artisan package:discover --ansi"
],
"post-update-cmd": [
"@php artisan vendor:publish --tag=laravel-assets --ansi --force"
],
"post-root-package-install": [
"@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
],
"post-create-project-cmd": [
"@php artisan key:generate --ansi"
]
},
"extra": {
"laravel": {
"dont-discover": []
}
},
"config": {
"optimize-autoloader": true,
"preferred-install": "dist",
"sort-packages": true
},
"minimum-stability": "dev",
"prefer-stable": true
}
Then run composer update.
After that, if you want your old packages back, install them one by one like this:
composer require spatie/laravel-permission

Facing vulnerability security issue for dot-prop when updating to latest npm package

I am trying to update npm version to latest 6.14.7 in package.json.
After updating npm to the latest, I ran npm audit and got two vulnerabilities for the dot-prop package dependency which is showing under npm path.
So I tried updating to the latest dot-prop, ^5.1.1, but I am still getting the same error.
Please help me with this: how can I manually review and fix it?
Audit Report:
[root@redhatdev client]# npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Prototype Pollution
Package dot-prop
Patched in >=5.1.1
Dependency of npm [dev]
Path npm > libnpx > update-notifier > configstore > dot-prop
More info https://npmjs.com/advisories/1213
High Prototype Pollution
Package dot-prop
Patched in >=5.1.1
Dependency of npm [dev]
Path npm > update-notifier > configstore > dot-prop
More info https://npmjs.com/advisories/1213
found 2 high severity vulnerabilities in 1674 scanned packages
2 vulnerabilities require manual review. See the full report for details.
[root@redhatdev client]#
Full Audit report: npm audit --json
{
"actions": [
{
"action": "review",
"module": "dot-prop",
"resolves": [
{
"id": 1213,
"path": "npm>libnpx>update-notifier>configstore>dot-prop",
"dev": true,
"optional": false,
"bundled": true
},
{
"id": 1213,
"path": "npm>update-notifier>configstore>dot-prop",
"dev": true,
"optional": false,
"bundled": true
}
]
}
],
"advisories": {
"1213": {
"findings": [
{
"version": "4.2.0",
"paths": [
"npm>libnpx>update-notifier>configstore>dot-prop",
"npm>update-notifier>configstore>dot-prop"
]
}
],
"id": 1213,
"created": "2019-10-14T17:43:55.291Z",
"updated": "2020-07-29T20:58:02.206Z",
"deleted": null,
"title": "Prototype Pollution",
"found_by": {
"link": "",
"name": "Unknown",
"email": ""
},
"reported_by": {
"link": "",
"name": "Unknown",
"email": ""
},
"module_name": "dot-prop",
"cves": [
"CVE-2020-8116"
],
"vulnerable_versions": "<5.1.1",
"patched_versions": ">=5.1.1",
"overview": "Versions of `dot-prop` before 5.1.1 are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n",
"recommendation": "Upgrade to version 5.1.1 or later.",
"references": "- [GitHub advisory](https://github.com/advisories/GHSA-ff7x-qrg7-qggm)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-8116)",
"access": "public",
"severity": "high",
"cwe": "CWE-471",
"metadata": {
"module_type": "",
"exploitability": 4,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/1213"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 2,
"critical": 0
},
"dependencies": 61,
"devDependencies": 1612,
"optionalDependencies": 31,
"totalDependencies": 1674
},
"runId": "9b99170c-35c0-44b1-a0e6-8b714069a255"
}
Edit 2:
Now I found the Problem.
You updated npm locally. (it's in your package.json)
So please run:
npm uninstall npm --save (uninstall locally)
then:
npm i npm -g (that updates npm globally and not locally)
That fixes the problem.
Rest of this answer is obsolete and doesn't add to the solution.
EDIT:
It seems to be an npm problem to me.
Here is what I did:
I had npm version 6.14.6.
I installed dot-prop.
No Problem.
I updated my npm to 6.14.7.
2 vulnerabilities.
I ran npm audit fix which results in fixed 0 of 2 vulnerabilities.
I ran npm -v which results in 6.14.6.
So I think it's a problem with npm 6.14.7 (and/or a combination with this special package)
Original Message:
did you also try npm audit fix ?
Also it says https://go.npm.me/audit-guide for additional guidance
Did you try that as well?
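Why updating dot-prop directly changes nothing can be read from the audit JSON in the question: both findings sit under the locally installed npm package and are marked bundled. The following is an added example, not code from the original posts (triageReview and its output field names are hypothetical), that groups npm 6 "review" findings by the direct dependency that has to change:

```javascript
// Added example. SAMPLE_REPORT is a constructed, trimmed copy of the npm 6
// `npm audit --json` report shown in the question above.
const SAMPLE_REPORT = {
  actions: [{
    action: "review",
    module: "dot-prop",
    resolves: [
      { id: 1213, path: "npm>libnpx>update-notifier>configstore>dot-prop", dev: true, bundled: true },
      { id: 1213, path: "npm>update-notifier>configstore>dot-prop", dev: true, bundled: true },
    ],
  }],
  advisories: {
    1213: { module_name: "dot-prop", severity: "high", patched_versions: ">=5.1.1" },
  },
};

// Group "review" findings by the direct dependency (first path element)
// that pulls the vulnerable module in. triageReview is a hypothetical helper name.
function triageReview(report) {
  const roots = new Map();
  for (const action of report.actions || []) {
    if (action.action !== "review") continue; // other actions carry their own fix command
    for (const hit of action.resolves || []) {
      const chain = hit.path.split(">");
      const adv = (report.advisories || {})[hit.id] || {};
      const entry = roots.get(chain[0]) ||
        { root: chain[0], devOnly: true, allBundled: true, findings: [] };
      entry.devOnly = entry.devOnly && hit.dev === true;
      entry.allBundled = entry.allBundled && hit.bundled === true;
      entry.findings.push({
        module: action.module,
        severity: adv.severity || "unknown",
        patched: adv.patched_versions || "unknown",
        via: chain.slice(1, -1), // intermediate packages between root and module
      });
      roots.set(chain[0], entry);
    }
  }
  // A bundled copy ships inside its parent's tarball, so requiring a newer
  // version at the top level does not replace it; the root package must change.
  return [...roots.values()].map((e) => ({
    ...e,
    fixAt: e.allBundled ? e.root : e.findings[0].module,
  }));
}

console.log(JSON.stringify(triageReview(SAMPLE_REPORT), null, 2));
```

For the report in the question this yields a single entry with root "npm" and fixAt "npm", which matches the accepted fix of removing the local npm dependency.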

Updating from Laravel 5.8 to 6.0 fails due to dependencies

I'm trying to update from 5.8 to any version 6 Laravel. I've updated the PHP code, but the composer update is problematic for me. I've tried composer update, composer update --with-dependencies, composer install.
Composer isn't something I work with often. Any help is very appreciated! How do I decipher the composer error message into an actionable task? Is there a command that will install the dependencies for Laravel 6?
The error message after composer update:
- Conclusion: don't install laravel/framework v6.0.0
- arcanedev/support 4.5.0 requires illuminate/support ~5.8.0 -> satisfiable by laravel/framework[v5.8.38], illuminate/support[5.8.x-dev, v5.8.0, v5.8.11, v5.8.12, v5.8.14, v5.8.15, v5.8.17, v5.8.18, v5.8.19, v5.8.2, v5.8.20, v5.8.22, v5.8.24, v5.8.27, v5.8.28, v5.8.29, v5.8.3, v5.8.30, v5.8.31, v5.8.32, v5.8.33, v5.8.34, v5.8.35, v5.8.36, v5.8.4, v5.8.8, v5.8.9].
- arcanedev/support 4.5.0 requires illuminate/support ~5.8.0 -> satisfiable by laravel/framework[v5.8.38], illuminate/support[5.8.x-dev, v5.8.0, v5.8.11, v5.8.12, v5.8.14, v5.8.15, v5.8.17, v5.8.18, v5.8.19, v5.8.2, v5.8.20, v5.8.22, v5.8.24, v5.8.27, v5.8.28, v5.8.29, v5.8.3, v5.8.30, v5.8.31, v5.8.32, v5.8.33, v5.8.34, v5.8.35, v5.8.36, v5.8.4, v5.8.8, v5.8.9].
- Can only install one of: laravel/framework[6.x-dev, v5.8.38].
- don't install illuminate/support 5.8.x-dev|don't install laravel/framework 6.x-dev
- don't install illuminate/support v5.8.9|don't install laravel/framework 6.x-dev
- Installation request for laravel/framework ^6.0 -> satisfiable by laravel/framework[6.x-dev, v6.0.0, v6.0.1, v6.0.2, v6.0.3, v6.0.4, v6.1.0, v6.10.0, v6.10.1, v6.11.0, v6.12.0, v6.13.0, v6.13.1, v6.14.0, v6.15.0, v6.15.1, v6.16.0, v6.17.0, v6.17.1, v6.18.0, v6.18.1, v6.18.10, v6.18.11, v6.18.12, v6.18.13, v6.18.14, v6.18.15, v6.18.16, v6.18.17, v6.18.18, v6.18.19, v6.18.2, v6.18.20, v6.18.21, v6.18.22, v6.18.23, v6.18.24, v6.18.25, v6.18.26, v6.18.27, v6.18.28, v6.18.29, v6.18.3, v6.18.30, v6.18.31, v6.18.4, v6.18.5, v6.18.6, v6.18.7, v6.18.8, v6.18.9, v6.2.0, v6.3.0, v6.4.0, v6.4.1, v6.5.0, v6.5.1, v6.5.2, v6.6.0, v6.6.1, v6.6.2, v6.7.0, v6.8.0, v6.9.0].
- Installation request for arcanedev/support ~4.5 -> satisfiable by arcanedev/support[4.5.0].
The composer.json
{
"name": "laravel/laravel",
"type": "project",
"description": "The Laravel Framework.",
"keywords": [
"framework",
"laravel"
],
"license": "MIT",
"require": {
"php": "^7.2",
"laravel/framework": "^6.0",
"fideloper/proxy": "^4.0",
"guzzlehttp/guzzle": "^6.3",
"illuminate/support": "~5.8.0|^6.0",
"intervention/image": "^2.4",
"laravel/tinker": "^1.0",
"spatie/laravel-permission": "^3.0"
},
"require-dev": {
"barryvdh/laravel-ide-helper": "^2.6",
"beyondcode/laravel-dump-server": "^1.0",
"filp/whoops": "^2.0",
"fzaninotto/faker": "^1.4",
"mockery/mockery": "^1.0",
"nunomaduro/collision": "^2.0",
"phpunit/phpunit": "^7.0",
"barryvdh/laravel-debugbar": "^3.2",
"arcanedev/log-viewer": "^4.7",
"arcanedev/support": "~4.5"
},
"config": {
"optimize-autoloader": true,
"preferred-install": "dist",
"sort-packages": true
},
"extra": {
"laravel": {
"dont-discover": []
}
},
"autoload": {
"psr-4": {
"App\\": "app/"
},
"classmap": [
"database/seeds",
"database/factories"
]
},
"autoload-dev": {
"psr-4": {
"Tests\\": "tests/"
}
},
"minimum-stability": "dev",
"prefer-stable": true,
"scripts": {
"post-autoload-dump": [
"Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
"@php artisan package:discover --ansi"
],
"post-root-package-install": [
"@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
],
"post-create-project-cmd": [
"@php artisan key:generate --ansi"
]
}
}
Just have a look at the error message you've shared: your configuration requires arcanedev/support with the version constraint ~4.5. By peeking into the version list of that package, you can see that there is only one version that can be used, which is 4.5.0, and this package requires illuminate/support with the version constraint ~5.8.0. Obviously, this excludes any later versions of Laravel.
By also updating arcanedev/support to some later version (^5.0 should be fine), you are able to update Laravel. Packagist can help you to inspect the constraints for different versions of that package.

How to install Aurelia UX 0.4.0 with Aurelia CLI?

I’ve been using aurelia-ux 0.3.0 for some time now and love the concept. Since the move to aurelia-ux 0.4.0 and the shift to monorepo I’m a little lost on how to install and use the library.
Could anyone provide a little example of how to install aurelia-ux 0.4.0 (core + 1-2 components) with aurelia-cli?
Notice: the current npm documentation of the @aurelia-ux/core package points to the showcase application - however this showcase still runs 0.3.0.
After some tests and research I've been able to install aurelia-ux 0.4.0+
First you need to install the core and components
npm install @aurelia-ux/core
Then you can either install each component separately or together
npm install @aurelia-ux/button
npm install @aurelia-ux/input
npm install @aurelia-ux/...
# or
npm install @aurelia-ux/components
Then in the aurelia_project/aurelia.json you need to add the dependencies as such:
{
"name": "@aurelia-ux/core",
"path": "../node_modules/@aurelia-ux/core/dist/amd",
"main": "index",
"resources": [
"**/*.{css,html}"
]
},
{
"name": "@aurelia-ux/button",
"path": "../node_modules/@aurelia-ux/button/dist/amd",
"main": "index",
"resources": [
"**/*.{css,html}"
]
},
{
"name": "@aurelia-ux/input",
"path": "../node_modules/@aurelia-ux/input/dist/amd",
"main": "index",
"resources": [
"**/*.{css,html}"
]
},
or if you prefer the components variant (warning: I haven't tested this variant):
{
"name": "@aurelia-ux/core",
"path": "../node_modules/@aurelia-ux/core/dist/amd",
"main": "index",
"resources": [
"**/*.{css,html}"
]
},
{
"name": "@aurelia-ux/components",
"path": "../node_modules/@aurelia-ux/components/dist/amd",
"main": "index",
"resources": [
"**/*.{css,html}"
]
}
Finally you must register the plugins in your main.js
aurelia.use
.plugin('@aurelia-ux/core')
.plugin('@aurelia-ux/button')
.plugin('@aurelia-ux/input')
or with the components variant (not tested)
aurelia.use
.plugin('@aurelia-ux/core')
.plugin('@aurelia-ux/components')

package.json: Just download dependency but do not install it

I'm about to write a yeoman generator where the whole template is hosted on a git repository. So the package.json of my yeoman generator looks like
{
"name": "generator-foo",
"version": "0.1.0",
"description": "",
"files": [
"generators"
],
"keywords": [
"yeoman-generator"
],
"dependencies": {
"foo-template": "git://somewhere-in-the-world/foo-template.git#0.1.0",
"chalk": "^1.1.3",
"yeoman-generator": "^1.1.1",
"yosay": "^2.0.0"
}
}
Is there any way to prevent npm install from installing the foo-template package, i.e. running any postinstall script just for this package? Instead, it should be just downloaded to node_modules.
As described here, postinstall scripts can be disabled globally for npm using the --ignore-scripts flag.
As a complete solution, I would move your explicit dependency to foo-template to your local postinstall section with ignore scripts enabled:
{
"name": "generator-foo",
...
"scripts": {
"postinstall": "npm install --ignore-scripts git://somewhere-in-the-world/foo-template.git#0.1.0"
},
"peerDependencies": {
"foo-template": "git://somewhere-in-the-world/foo-template.git#0.1.0"
}
}
Note that to make sure the dependency is explicitly described, we should mark it as a peerDependency (e.g. prevents package removal on prune).

Browserify-shim not reading a transform from the package.json

I am trying to use browserify to build a new project that my team is working on, but it does not recognize the transform from the package.json. It will build on 2 machines, but on 2 others it will not build.
Here is the relevant piece of my package.json.
"dependencies": {},
"devDependencies": {
....
},
"browserify": {
"transform": [
"browserify-shim"
]
},
"browser": {
"angular": "./src/main/webapp/js/lib/angular.js",
"angular-route": "./src/main/webapp/js/lib/angular-route.js",
"underscore": "./src/main/webapp/js/lib/lodash.compat.js",
"restangular": "./src/main/webapp/js/lib/restangular.js"
},
"browserify-shim": {
"angular": {},
"angular-route": {
"depends": [
"angular"
]
},
"underscore": {
"exports": "_"
},
"restangular": {
"depends": [
"underscore",
"angular"
]
}
}
I am running browserify from the command line. I have 4 computers on my team and it is working on a Mac and a Windows machine, but I have 2 Windows machines that it does not work on. We have all pulled from the same repo, and all of our browserify and npm versions are the same. What should I do next?
The Windows machines were running the command from Git Bash. The command would not work on Git Bash. After we switched to the command prompt, all of the commands ran fine.