How to know which module version to use?

I’m sure I’m missing something here…

AFAIK box.json has the versions required for a particular build. This is great when you are rebuilding a site but seemingly of no use when doing a new build.

I’m running the coldbox create app soapbox which uses Coldbox 6

Then I add the cbsecurity module - install cbsecurity - just to try to get the security visualizer working.

It auto loads 3.0.0 latest which I can’t get working with Coldbox 6.

How do I make sure that the cbsecurity version is correct for ColdBox 6? This also applies to all the other modules…


Tony Legge

I’ve made some progress…

cbsecurity latest does not work with coldbox 6 but cbsecurity ^2.0.0 does.

My question is - how to tell what works with what…

Which version of Coldbox 6 are you on? I’m using cbSecurity v3 on several apps running on Coldbox 6.

The configuration differences between v2 and v3 are pretty different, though.

box.json tells me coldbox ^6.0.0

The frustrating part is that many of the demos don’t work as well. It’s fine when you have done this for a while but as a newbie it’s very disheartening.

I’ve got Luis to update the hero to zero github lessons - he’s in the process of doing that now as the fastest way to turn off anybody new to Coldbox/CFML is to have a suite of things that don’t work.

If you look in /coldbox/box.json it will tell you the specific version installed. If you could provide more specifics in to what is “not working”, I would be happy to try to assist you.

Hi Jon

I’ve got cbsecurity working so I’ve moved forwards by using ^2.0.0.

My box.json -


Which I understand to be the latest coldbox 6 and the latest cbsecurity 2.


I fixed your title. It’s not hard to get to 15 characters when you describe the actual problem :slight_smile:

To install a specific version of a package, the syntax works the same as npm

install cbsecurity@^2

But from what Jon said, it seems cbsecurity 3.x is expected to work on ColdBox 6, so if it’s not can you share the errors you received. Perhaps it’s a bug we just need to fix.

Thanks for updating the title! :grinning:

It’s confusing - look at FORGEBOX: ColdBox Security - It clearly says -


  • Lucee 5+
  • ColdFusion 2018+
  • ColdBox 7+ for delegates and basic auth

So what to make of it?

The output after installation was Page Not Found. I’m not sure that I got the setup right - It is very different.

My main point is that it is really hard to know where the problem is when you are learning. For example often a small change will report a bug in the coldbox code, hundreds of lines into the system - where does one go to sort that? If you remember I asked about using git on the actual server so that it is possible to return to the original code. Many times I’ve had to scrap the whole demo and start again when I have a problem that I can’t solve.

The point that I made to Luis was that for all good tutorials, everything should work on latest so that anybody coming into the CFML world at least has a chance of following instructions that work. There also needs to be a clear out of many, many old tutorials that don’t apply any longer.

But I still have the issue of what module version to use - There are 45 versions of cbsecurity for example…

Yes, we get it. The demo didn’t work and it’s frustrating. But you’ve got to put as much effort into detailing the exact commands and steps you took as you’re taking telling us how it doesn’t work or we can’t help you very well :slight_smile:

I don’t work a lot with cbsecurity, so perhaps @lmajano can chime in to clarify the requirements. I will point out that ColdBox 7 isn’t even released yet! It’s in beta right now, which explains why our ColdBox app templates don’t use it yet. I’m a little surprised Luis would put ColdBox 7 in the requirements list when that isn’t even a stable version of ColdBox, but it appears you only need ColdBox 7 if you plan on using the delegates and basic auth features. I would assume the rest of cbsecurity works find on ColdBox 6 and I would suggest @lmajano update that readme to clarify until such a time that ColdBox 7 is actually released.

What command did you use to install it? What is the output of package list? What URL did you hit? Can you show a screenshot of the “page not found” as it’s not clear if you are talking about a 404 from your web server, or a ColdBox error page, or what.

I’ll chime in with a bit of support for this: “My main point is that it is really hard to know where the problem is when you are learning.” For all the effort Ortus has put into the demos and the docs, it is exceptionally easy to make a simple mistake that is impossible to find. I am very careful to do one little thing at a time. I find myself retreating to a working state all the time because I needed to be even more careful to do less.

I’m very happy with ColdBox and we’re actively integrating it into our shop. Once you figure things out, it is pretty straightforward.

I followed the course exactly - I know it is in the process of being updated. Why do I need to explain the steps as they are documented in the course. If you did the course you would have the same problems.

From a newbie perspective, these areas are black boxes - if a course is there it should work and if this was a requirement for releasing a new module then this confusion might not occur.

When an error comes back from ColdBox system saying line 554 has a bug in its code what should a newbie do? He’s followed the course exactly and it does not work. The only alternative is to scrap the demo and start again.

I’m trying to be constructive here - I have to learn Coldbox and want to learn Coldbox but the courses need to work with correct module versions at least pinned. The alternative is that any course works with the latest versions of all modules.

I agree with your sentiment but if the tests were done properly they should show up these issues. The question is - do you trust your tests enough to ship?

I also want to work with ColdBox but having used very modern tooling I do get a bit frustrated when silly problems break things…

I’m committed to helping you, but I’ll be real honest. If you want this level of support without putting any effort on your end to even giving us details of the error, etc I’d recommend purchasing some consulting hours or a training and one of us can sit down with you go over your questions in person. I’m not going to go find a course and go through the entire thing, guessing if you ran the commands correctly just to provide free support for you on the forum. If you can tell me you installed version xyz of a module and run code abc and got error “screenshot”, you’re a lot more likely to get useful help.

I believe @gpickin created the original Soapbox course (I could be wrong) so maybe he knows more about what’s in that course, but I suspect he’s going to ask the same sort of questions I asked above.

I’m not looking for support - I’m happy to learn as I go, but to do that I need to recreate the tutorials and get them working - not bothering you and other members of the community for bugs and omissions. Proper tests for the tutorials should pass when new modules are released. Then they can be updated.

My point is that for anybody new coming into ColdBox the requirement is that the tutorials work - all the old and out of date courses are utterly irrelevant for learning. In the future if they require old versions for their projects then they can look back at archived courses.

Have a look at CFCasts for example and imagine you are just coming into ColdBox…

My original question still has not been answered - How on earth do you know what module versions go with what?

You read the README’s of each module. They should list their requirements and dependencies in it.

1 Like

I went to cbsecurity - I’m assuming GitHub - GitHub - coldbox-modules/cbsecurity: Annotation, rule driven security and authentication for ColdBox Applications!

I looked at the for the version to use for ColdBox 6. I can’t find anything…

Could you point it out please.

Looks like @lmajano was overzealous in his README editing. Here is a version without ColdBox 7 listed. cbsecurity/ at b921ceab2409a20b658e09f49d00974b84c3eace · coldbox-modules/cbsecurity · GitHub

So all 45 versions of cbsecurity will work with this? I’ve looked at other modules and they don’t give any idea of the module level required either.

This seems really important, if you are not going to waste hours playing…

How do you go about constructing a new site - how do you chose the module rev levels?

You can also check out the official docs here:

As for what versions we pick, we pick them one at a time, module by module, usually using the latest. Most modules give an idea of what version is needed either in release notes or on the README.

Sounds like cbsecurity had an update at some point that was breaking for Soapbox. While not intentional, that can happen. When it does in our own apps, we go back to the last working version.

If using a module feels like too much guess work for you, that’s okay! You’re not the only person that writes their own code instead of using a module. Use what makes you feel productive. :+1:t2:

@Eggely Tony, I have explained this to you personally via email. I don’t think you are stopping and realizing that I am updating the course, and nothing will work until I am done. I told you this. So please be patient until I update the course so it can get up to standards to newer versions.

I also explained the issue with the course pre-update: the mismatch of versions of packages. Again, this is an oversight on our part that when we did the course 3 years ago, the latest build for cbsecurity was version 2.x. If you run the same commands, it will bring the latest version, and of course, the chance of it working is not good because things change.

I also explained that this goes to any package manager or docker container image you use. If you use the latest tag, it can be problematic down the road.

Once again, I ask you be patient, until I complete the training upgrade so you can run through and test it.