Skip to content

[5.4] Composer update 3 development dependencies to fix audit warnings 2026-02-03#46821

Merged
muhme merged 2 commits intojoomla:5.4-devfrom
richard67:5.4-dev-composer-audit-fix-2026-02-01
Feb 4, 2026
Merged

[5.4] Composer update 3 development dependencies to fix audit warnings 2026-02-03#46821
muhme merged 2 commits intojoomla:5.4-devfrom
richard67:5.4-dev-composer-audit-fix-2026-02-01

Conversation

@richard67
Copy link
Copy Markdown
Member

@richard67 richard67 commented Feb 3, 2026

Pull Request for Issue # .

Summary of Changes

This pull request (PR) updates 1 direct and 2 indirect composer dependencies in order to fix one high and one medium severity vulnerability reported by composer audit.

They are all development dependencies and so not shipped with installation or update packages.

In detail following dependencies are updated:

  1. Direct development dependency "phpunit/phpunit" from 9.6.29 to 9.6.34
  1. Indirect development dependency "sebastian/comparator" from 4.0.9 to 4.0.10
    This is needed for the previously mentioned update.
  1. Indirect development dependency "symfony/process" from 6.4.25 to 6.4.33

Testing Instructions

  1. Run composer install and then composer audit.
  2. Verify that there are no breaking changes done with this update by checking the release information listed above in the summary of changes.
  3. Check that all CI actions are successful.

Actual result BEFORE applying this Pull Request

  1. Composer audit
------------------------------------------
Found 3 security vulnerability advisories affecting 3 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpunit/phpunit                                                                  |
| Severity          | high                                                                             |
| CVE               | CVE-2026-24765                                                                   |
| Title             | PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling      |
| URL               | https://github.com/advisories/GHSA-vvj3-c3rp-c85p                                |
| Affected versions | >=12.0.0,<12.5.8|>=11.0.0,<11.5.50|>=10.0.0,<10.5.62|>=9.0.0,<9.6.33|<8.5.52     |
| Reported at       | 2026-01-27T22:26:22+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/process                                                                  |
| Severity          | medium                                                                           |
| CVE               | CVE-2026-24739                                                                   |
| Title             | Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to           |
|                   | destructive file operations on Windows                                           |
| URL               | https://github.com/advisories/GHSA-r39x-jcww-82v6                                |
| Affected versions | >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51                    |
| Reported at       | 2026-01-28T21:28:10+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
  1. Not applicable.
  2. All CI actions are successful.

Expected result AFTER applying this Pull Request

  1. Composer audit
-----------------------------------------
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-3mms-4n3p-ym65                                                              |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
  1. No breaking changes.
  2. All CI actions are successful.

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

@richard67 richard67 added the bug label Feb 3, 2026
@richard67 richard67 mentioned this pull request Feb 3, 2026
Merged
4 tasks
@brianteeman
Copy link
Copy Markdown
Contributor

brianteeman commented Feb 3, 2026

I have tested this item ✅ successfully on 1f918fb

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46821.

muhme
muhme approved these changes Feb 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@muhme muhme left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Final code review and test before merge with local git clone

  • Checked file changes
  • Seen composer.json change is only dev dependency
  • Scrolled through 3rd party changes
  • Seen the 3 vulnerabilities before PR
  • Applied PR with gh pr checkout 46821 and running composer i
  • composer audit shows only the one web-auth/webauthn-lib vulnerability as expected

@muhme muhme merged commit 42021ed into joomla:5.4-dev Feb 4, 2026
69 of 70 checks passed
@muhme muhme added this to the Joomla! 5.4.3 milestone Feb 4, 2026
@richard67 richard67 deleted the 5.4-dev-composer-audit-fix-2026-02-01 branch February 4, 2026 09:48
@muhme
Copy link
Copy Markdown
Contributor

muhme commented Feb 4, 2026

Thank you @richard67 for your contribution. Thank you @brianteeman for testing.

sathwikre pushed a commit to sathwikre/joomla-cms that referenced this pull request Feb 9, 2026
@richard67 @sathwikre
[5.4] Fix composer audit warnings 2026-02-01 (joomla#46821)
0612b09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@muhme muhme muhme approved these changes

Assignees

@muhme muhme

Labels

bug Composer Dependency Changed PR-5.4-dev

Projects

None yet

Milestone

Joomla! 5.4.3

Development

Successfully merging this pull request may close these issues.

4 participants

@richard67 @brianteeman @muhme @joomla-cms-bot