fix(FFESUPPORT-734): address open security vulnerabilities#59
Conversation
Clears the two open security advisories reported by `composer audit`, plus picks up other available minor/patch transitive bumps in the process. composer.json is unchanged — all bumps land via lockfile resolution within existing constraints. - HIGH GHSA-p2gh-cfq4-4wjc / CVE-2026-6409: google/protobuf v4.33.5 -> v5.35.0 (dev transitive) — DoS via negative varints / deep recursion. Patched in 4.33.6; we get the v5 line via google/cloud-storage's resolution since `^8.1` PHP allows it. - CVE-2026-45073: symfony/cache v7.3.5 -> v7.4.12 (prod) — SQL Injection in `PdoAdapter::doClear()` via unsanitized `$prefix`. Patched in >=7.4.12. Not yet propagated to the GitHub advisory database but flagged by Composer's audit / Symfony security team. Verified: - `composer audit` -> "No security vulnerability advisories found." - `composer validate --strict` -> clean. - `make test` -> 98 tests, 664 assertions, all pass (matches baseline). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The previous lockfile resolved against the developer's local PHP (8.5) and pulled in transitive deps that require PHP 8.4+ (symfony/var-exporter v8, doctrine/instantiator 2.1), which broke CI on its PHP 8.3 image. Add `config.platform.php: 8.1.0` so Composer's solver targets the project's declared minimum (`"php": "^8.1"`) regardless of who runs `composer update`. Re-resolves to: - google/protobuf v4.33.6 (still clears GHSA-p2gh-cfq4-4wjc) - symfony/cache v6.4.40 (still clears CVE-2026-45073 — 6.4.40 is the patched 6.4 line per the Symfony advisory) - symfony/var-exporter v6.4.37 (PHP 8.1-compatible) - doctrine/instantiator 2.0.0 (PHP 8.1-compatible) `composer audit` -> still 0 advisories. `make test` -> 98/98 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates Composer-resolved dependencies to eliminate reported security advisories while keeping the project’s dependency resolution consistent across developer environments by pinning the Composer platform PHP version to the repo’s declared minimum.
Changes:
- Re-resolves
composer.lockto clearcomposer auditsecurity advisories and pick up available transitive updates within existing constraints. - Pins Composer’s solver platform to PHP
8.1.0viacomposer.json(and corresponding lockfile metadata) to prevent lockfile drift based on local PHP versions.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| composer.json | Adds config.platform.php = 8.1.0 so dependency resolution targets the minimum supported PHP version consistently. |
| composer.lock | Updates the locked dependency graph (including symfony/cache and google/protobuf) and records the PHP platform override used for resolution. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "php-http/discovery": true | ||
| }, | ||
| "platform": { | ||
| "php": "8.1.0" | ||
| } |
There was a problem hiding this comment.
🤖 Response from AI: Good catch — PR description was stale relative to the follow-up commit. Updated to call out the composer.json change explicitly, including the reasoning (pinning the solver platform to the declared ^8.1 floor so lockfile resolution is deterministic across developer PHP versions; without it, my local 8.5 had pulled in symfony/var-exporter v8 / doctrine/instantiator 2.1 which need PHP 8.4+ and broke CI on its 8.3 image).
|
🤖 Context from Claude: A few non-obvious things worth flagging for reviewers: 1. The 2. One of the two CVEs isn't in GitHub Dependabot yet. 3. Why the 4. Scope is intentionally lockfile + one config line. I did not bump any direct-dependency constraint in |
| "php-http/discovery": true | ||
| }, | ||
| "platform": { | ||
| "php": "8.1.0" |
There was a problem hiding this comment.
Is this breaking - did we support php < 8.1.0 prior to this?
typotter
left a comment
typotter
left a comment
There was a problem hiding this comment.
lgtm - just curious about blast radius of forcing php version
Summary
Closes FFESUPPORT-734.
Clears the 2 open security advisories that
composer auditreports againstmain, plus picks up other available minor/patch transitive bumps in the process.Vulnerabilities resolved
google/protobufcomposer.lock(dev)symfony/cachecomposer.lock(prod)PdoAdapter::doClear()via unsanitized$prefixFiles changed
composer.lock— re-resolved viacomposer update --with-all-dependencies. Many transitive minor/patch bumps; key cleared advisories above.composer.json— addedconfig.platform.php = 8.1.0. Composer's solver was previously implicitly targeting whatever PHP the person runningcomposer updatehappened to have installed; pinning the platform to the project's declared minimum ("php": "^8.1") makes lockfile resolution deterministic across developer environments and prevents CI breakage when transitive deps that require PHP 8.4+ (e.g.symfony/var-exporter v8,doctrine/instantiator 2.1) sneak in from a newer local dev PHP.Verification
composer audit— "No security vulnerability advisories found."composer validate --strict— clean.make test— 98 tests, 664 assertions, all pass (matchesmainbaseline).Run Testsworkflow — passing.Note
This PR was generated with Claude Code.