jasig/phpcas package should be abandoned in favor of apereo/phpcas
jboulen opened this issue · comments
When a project uses the jasig/phpcas package instead of the apereo/phpcas package, Dependabot on GitHub is unable to report the security alerts.
So maybe the jasig/phpcas package should have "abandoned" status to motivate developers to migrate to the apereo/phpcas package?
There is also a lack of information on packagist.org. Only the apereo/phpcas package announces security alerts:
https://packagist.org/packages/apereo/phpcas
https://packagist.org/packages/jasig/phpcas
Thanks for the info. Makes sense but currently the package is owned by someone else....
Do you mean that the jfritschi account referenced as maintainer on the jasig/phpcas package is not yours?
I can try to contact someone at packagist.org if you agree.
The account jfritschi is mine. But the apereo/phpcas package that you propose as future package is owned by someone else...
Oh, I thought that apereo/phpcas package was owned by someone from apereo...
I see the user with the same profile picture is on GitHub as @wuwx. We might need to do a more official outreach but looks like at least one of the maintainers here needs to have admin access of that packagist package to proceed.
Since c98aa74 there is some security risk for projects using phpCAS via composer:
- when using "jasig/phpcas": projects get no security warning from Dependabot.
- when using "apereo/phpcas": in case of the owner's account takeover (https://blog.packagist.com/packagist-org-maintainer-account-takeover/) or owner bad mood actions. This is limited since https://github.com/composer/packagist/pull/1374?ref=blog.packagist.com .
> What happened? On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and
composer/packagist PR #1374: "Refactor package permissions into a voter, restrict URL edits from 50k dls" by Seldaek
I have sent a message to packagist and hope they can simply transfer ownership of the package to me....
I have gained ownership and have now marked jasig/phpcas as abandoned and pointed to apereo/phpcas.
Great! Thank you @jfritschi!
I confirm that it works as expected:
```
$ composer update jasig/phpcas
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Package jasig/phpcas is abandoned, you should avoid using it. Use apereo/phpcas instead.
Generating autoload files
```
So I can close my issue. :)