Fix snipe/snipe-it major version constraints

[joelpittet]

Looks to be auto-generated in this commit 3bbc1ff

Fixes Original commit: "FriendsOfPHP/security-advisories@017f334"

Fixes snipe/snipe-it#10932

[Ocramius]

Hey @joelpittet! Changing it here will have no effect: it will be reverted once automation re-generates composer.json

Related: Roave/SecurityAdvisoriesBuilder#451
Related: Roave/SecurityAdvisoriesBuilder#459

I suggest finding out the source of this advisory - potentially wrong published data on the Github advisory DB?

See https://github.com/github/advisory-database

I'd say GHSA-636j-7x7r-gvw2 excludes everything below <= 6.0.0-RC5

[Ocramius]

Closing here: the issue is to be solved at the advisory source.

[joelpittet]

Thanks @Ocramius I'll dig up!

[joelpittet]

@Ocramius It's fixed, thanks for the pointer!

SecurityAdvisories/composer.json

Line 317 in 370b357

"snipe/snipe-it": "<5.4.2|>= 6.0.0-RC-1, <= 6.0.0-RC-5",

One question that you may know, it's a bit of a nitpik but the format of the generated constraint has a space between the operator and value, where most the other constraints don't have that space AND the formatting at GHSA-636j-7x7r-gvw2 didn't allow me to remove the space!

"snipe/snipe-it": "<5.4.2|>= 6.0.0-RC-1, <= 6.0.0-RC-5",
vs
"snipe/snipe-it": "<5.4.2|>=6.0.0-RC-1,<=6.0.0-RC-5",

My question is why is the format different, are they manually created in the other cases, or a different source?

[Ocramius]

That is a good question for which I don't have an answer: seems like a bug, potentially SecurityAdvisoriesBuilder not considering whitespace in its regexes, and therefore losing some context around this.

This may become more visible if/when there is a new security advisory on this package, and we observe wonky range merging there.

Until then, I suggest ignoring it.