
[6.0] Composer update paragonie/sodium_compat to v1.24.0 to fix composer audit warnings#46660

Merged
softforge merged 2 commits into joomla:6.0-dev from richard67:6.0-dev-composer-audit-fix-2026-01-08
Jan 13, 2026

Conversation

@richard67
Member

@richard67 richard67 commented Jan 10, 2026

Pull Request for Issue # .

Summary of Changes

This pull request (PR) updates the composer dependency "paragonie/sodium_compat" from version 1.21.2 to version 1.24.0 in order to fix two medium severity security vulnerabilities reported by composer audit.

@Bodge-IT @softforge It is the same as PR #46659 for 5.4-dev, but here for 6.0-dev so you don't have to handle any merge conflict or update the checksum in the lock file. Simply merge this PR here into your 6.0-dev branch, and when the 5.4-dev PR has been merged and you do an upmerge after that, just ignore all changes in composer.json and composer.lock and keep the files from 6.0-dev.

Testing Instructions

  1. Run composer install and then composer audit.
  2. Verify that no breaking changes were made with this update by checking the release information here:

Actual result BEFORE applying this Pull Request

Found 3 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | paragonie/sodium_compat                                                          |
| Severity          | medium                                                                           |
| CVE               | CVE-2025-69277                                                                   |
| Title             | libsodium has Incomplete List of Disallowed Inputs                               |
| URL               | https://github.com/advisories/GHSA-mrfv-m5wm-5w6w                                |
| Affected versions | <1.24.0|>=2,<2.5.0                                                               |
| Reported at       | 2025-12-31T06:30:18+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | paragonie/sodium_compat                                                          |
| Severity          |                                                                                  |
| CVE               | NO CVE                                                                           |
| Title             | Missing check that a point is on the prime subgroup for Edwards25519             |
| URL               | https://00f.net/2025/12/30/libsodium-vulnerability                               |
| Affected versions | >=2,<2.5.0|<1.24.0                                                               |
| Reported at       | 2025-12-30T00:00:00+00:00                                                        |
| Advisory ID       | PKSA-8x19-j2j3-bn67                                                              |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+

Expected result AFTER applying this Pull Request

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+

The update does not include any breaking changes.

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
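The check behind the testing instructions above, as an added worked example that is not part of the PR or of the Joomla project: it evaluates installed versions against the constraint syntax composer audit prints in its "Affected versions" column (`|` separates alternative ranges, `,` joins conditions that must all hold), which shows why 1.21.2 falls inside `<1.24.0|>=2,<2.5.0` and 1.24.0 does not. The advisory rows are transcribed from the audit tables in the PR; the composer.lock snippet and the web-auth/webauthn-lib version used in it (4.8.0) are constructed for illustration, since the PR does not state that package's locked version.

```python
"""Evaluate composer audit 'Affected versions' constraints against locked versions.

Added example; not code from the Joomla project or from this PR. Advisory rows
are transcribed from the PR's audit output; the lock-file snippet and the
webauthn-lib version in it are constructed for illustration.
"""
import json
import re
from typing import Dict, List, Tuple

# Comparison operators that appear in audit constraint strings.
_OPERATORS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}
_CONDITION = re.compile(r"^(<=|>=|==|!=|<|>|=)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.24.0' or 'v2' into a comparable tuple, padded to four parts."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def version_matches(version: str, constraint: str) -> bool:
    """True if `version` satisfies `constraint`, e.g. '<1.24.0|>=2,<2.5.0'.

    '|' (or '||') separates alternatives; ',' joins conditions that must all hold.
    """
    v = parse_version(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        conditions = [c for c in re.split(r"\s*,\s*", alternative) if c]
        if not conditions:
            continue
        results = []
        for cond in conditions:
            m = _CONDITION.match(cond)
            if not m:
                raise ValueError(f"unsupported constraint: {cond!r}")
            op = m.group(1) or "=="
            results.append(_OPERATORS[op](v, parse_version(m.group(2))))
        if all(results):
            return True
    return False


# Advisory rows transcribed from the composer audit output in the PR description.
ADVISORIES: List[Dict[str, str]] = [
    {"package": "paragonie/sodium_compat", "id": "CVE-2025-69277",
     "title": "libsodium has Incomplete List of Disallowed Inputs",
     "affected": "<1.24.0|>=2,<2.5.0"},
    {"package": "paragonie/sodium_compat", "id": "PKSA-8x19-j2j3-bn67",
     "title": "Missing check that a point is on the prime subgroup for Edwards25519",
     "affected": ">=2,<2.5.0|<1.24.0"},
    {"package": "web-auth/webauthn-lib", "id": "CVE-2024-39912",
     "title": "The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames",
     "affected": ">=4.5.0,<4.9.0"},
]


def installed_from_lock(lock_json: str) -> Dict[str, str]:
    """Map package name -> version from a composer.lock document (packages and packages-dev)."""
    lock = json.loads(lock_json)
    return {p["name"]: p["version"]
            for key in ("packages", "packages-dev") for p in lock.get(key, [])}


def audit(installed: Dict[str, str], advisories=ADVISORIES) -> List[str]:
    """Return the IDs of advisories whose affected range covers the installed version."""
    hits = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is not None and version_matches(version, adv["affected"]):
            hits.append(adv["id"])
    return hits


# Constructed lock-file fragments: sodium_compat 1.21.2 (before) and 1.24.0 (after)
# are the versions named in the PR; webauthn-lib 4.8.0 is made up so that its
# advisory still fires, matching the one remaining advisory the PR reports.
LOCK_BEFORE = json.dumps({"packages": [
    {"name": "paragonie/sodium_compat", "version": "v1.21.2"},
    {"name": "web-auth/webauthn-lib", "version": "4.8.0"}], "packages-dev": []})
LOCK_AFTER = json.dumps({"packages": [
    {"name": "paragonie/sodium_compat", "version": "v1.24.0"},
    {"name": "web-auth/webauthn-lib", "version": "4.8.0"}], "packages-dev": []})

if __name__ == "__main__":
    print("before:", audit(installed_from_lock(LOCK_BEFORE)))
    print("after: ", audit(installed_from_lock(LOCK_AFTER)))
```

Only the comparison operators that composer audit prints in its tables are supported; `^`/`~` ranges from composer.json are deliberately rejected with a ValueError rather than silently mis-evaluated, since a constraint parser that guesses is worse than one that fails loudly in a CI gate.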

@richard67 richard67 changed the title from "[6.0] [WiP] Composer update paragonie/sodium_compat to v1.24.0 to fix composer audit warnings" to "[6.0] Composer update paragonie/sodium_compat to v1.24.0 to fix composer audit warnings" Jan 10, 2026
@richard67 richard67 added the bug label Jan 10, 2026
@richard67 richard67 marked this pull request as ready for review January 10, 2026 16:42
@richard67 richard67 added this to the Joomla! 6.0.3 milestone Jan 10, 2026
@brianteeman
Contributor

I have tested this item ✅ successfully on 7cb75fc


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46660.

@Bodge-IT
Contributor

I have tested this item ✅ successfully on 7cb75fc


@joomla-cms-bot joomla-cms-bot removed this from the Joomla! 6.0.3 milestone Jan 13, 2026
@richard67
Member Author

RTC


@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Jan 13, 2026
@richard67 richard67 added this to the Joomla! 6.0.3 milestone Jan 13, 2026
@softforge softforge merged commit c043099 into joomla:6.0-dev Jan 13, 2026
51 checks passed
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Jan 13, 2026
@softforge
Contributor

Thank you @richard67 and all who tested them

@richard67 richard67 deleted the 6.0-dev-composer-audit-fix-2026-01-08 branch January 13, 2026 19:14
5 participants