
[6.0] Composer update 3 development dependencies to fix audit warnings 2026-02-03 #46822

Merged
Bodge-IT merged 2 commits into joomla:6.0-dev from richard67:6.0-dev-composer-audit-fix-2026-02-01 on Feb 5, 2026

Conversation

@richard67
Member

@richard67 richard67 commented Feb 3, 2026

Pull Request for Issue # .

Summary of Changes

This pull request (PR) updates 1 direct and 2 indirect composer dependencies in order to fix one high and one medium severity vulnerability reported by composer audit.

They are all development dependencies and so not shipped with installation or update packages.

@Bodge-IT @softforge It is the same as PR #46821 for 5.4-dev, but here for 6.0-dev, so you don't have to handle any merge conflict or update the checksum in the lock file. Simply merge this PR here into your 6.0-dev branch, and when the 5.4-dev PR has been merged and you do an upmerge after that, just ignore all changes in composer.lock and keep the file from 6.0-dev.

In detail, the following dependencies are updated:

  1. Direct development dependency "phpunit/phpunit" from 9.6.29 to 9.6.34
  2. Indirect development dependency "sebastian/comparator" from 4.0.9 to 4.0.10
     This is needed for the previously mentioned update.
  3. Indirect development dependency "symfony/process" from 6.4.25 to 6.4.33

Testing Instructions

  1. Run composer install and then composer audit.
  2. Verify that this update introduces no breaking changes by checking the release information listed above in the summary of changes.
  3. Check that all CI actions are successful.

Actual result BEFORE applying this Pull Request

  1. Composer audit
------------------------------------------
Found 3 security vulnerability advisories affecting 3 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpunit/phpunit                                                                  |
| Severity          | high                                                                             |
| CVE               | CVE-2026-24765                                                                   |
| Title             | PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling      |
| URL               | https://github.com/advisories/GHSA-vvj3-c3rp-c85p                                |
| Affected versions | >=12.0.0,<12.5.8|>=11.0.0,<11.5.50|>=10.0.0,<10.5.62|>=9.0.0,<9.6.33|<8.5.52     |
| Reported at       | 2026-01-27T22:26:22+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/process                                                                  |
| Severity          | medium                                                                           |
| CVE               | CVE-2026-24739                                                                   |
| Title             | Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to           |
|                   | destructive file operations on Windows                                           |
| URL               | https://github.com/advisories/GHSA-r39x-jcww-82v6                                |
| Affected versions | >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51                    |
| Reported at       | 2026-01-28T21:28:10+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
  2. Not applicable.
  3. All CI actions are successful.

Expected result AFTER applying this Pull Request

  1. Composer audit
-----------------------------------------
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-3mms-4n3p-ym65                                                              |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
  2. No breaking changes.
  3. All CI actions are successful.

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
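
The review question behind this PR is whether each `composer audit` finding is (a) really in the advisory's affected range for the installed version and (b) in `packages-dev` of composer.lock, so it is never shipped. The script below is an added example, not code from Joomla or Composer: it re-implements that check over constructed `composer.lock` fragments built from the versions quoted in the PR description and the "Affected versions" strings from the audit output above. The `web-auth/webauthn-lib` version (4.8.2) and its placement in the non-dev `packages` section are assumptions, not stated in the PR; the version-constraint syntax (`|` between alternatives, `,` between conditions inside one alternative) is read as `composer audit` prints it.

```python
"""Triage composer audit findings against composer.lock (added example).

Not Joomla's or Composer's code. It re-implements the check a reviewer of this
PR does by hand: is each reported package actually in the affected range, and
does it sit in "packages" (shipped) or "packages-dev" (not shipped)?
"""
import json
import re

# Constructed composer.lock fragments with only the fields this check needs.
# Versions of the three updated packages are the ones quoted in the PR; the
# web-auth/webauthn-lib version (4.8.2) and its placement in "packages" are
# assumptions, not taken from the PR.
LOCK_BEFORE = json.dumps({
    "packages": [{"name": "web-auth/webauthn-lib", "version": "4.8.2"}],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.29"},
        {"name": "sebastian/comparator", "version": "4.0.9"},
        {"name": "symfony/process", "version": "v6.4.25"},
    ],
})
LOCK_AFTER = json.dumps({
    "packages": [{"name": "web-auth/webauthn-lib", "version": "4.8.2"}],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.34"},
        {"name": "sebastian/comparator", "version": "4.0.10"},
        {"name": "symfony/process", "version": "v6.4.33"},
    ],
})

# Advisories as composer audit prints them ('|' = OR between alternatives,
# ',' = AND within one alternative); ranges copied from the PR's audit output.
ADVISORIES = [
    {"package": "phpunit/phpunit", "cve": "CVE-2026-24765",
     "affected": ">=12.0.0,<12.5.8|>=11.0.0,<11.5.50|>=10.0.0,<10.5.62|>=9.0.0,<9.6.33|<8.5.52"},
    {"package": "symfony/process", "cve": "CVE-2026-24739",
     "affected": ">=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51"},
    {"package": "web-auth/webauthn-lib", "cve": "CVE-2024-39912",
     "affected": ">=4.5.0,<4.9.0"},
]

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b, "=": lambda a, b: a == b}


def parse_version(text):
    """'v6.4.25' -> (6, 4, 25); a stability suffix such as '-beta1' is dropped."""
    core = re.split(r"[-+]", text.strip().lstrip("vV"), maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def _satisfies(version, condition):
    m = re.fullmatch(r"(>=|<=|==|>|<|=)?\s*(\S+)", condition.strip())
    op, bound = m.group(1) or "==", parse_version(m.group(2))
    width = max(len(version), len(bound))      # compare "6.4" as 6.4.0
    a = version + (0,) * (width - len(version))
    b = bound + (0,) * (width - len(bound))
    return _OPS[op](a, b)


def version_matches(version, affected):
    """True if `version` falls inside a composer audit 'Affected versions' string."""
    v = parse_version(version)
    for alternative in affected.split("|"):
        conditions = [c for c in alternative.split(",") if c.strip()]
        if conditions and all(_satisfies(v, c) for c in conditions):
            return True
    return False


def lock_index(lock_json):
    """Map package name -> (installed version, is_dev) from a composer.lock document."""
    lock = json.loads(lock_json)
    index = {}
    for section, is_dev in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section, []):
            index[pkg["name"]] = (pkg["version"], is_dev)
    return index


def triage(lock_json, advisories):
    """One record per advisory whose package is installed, with the range check applied."""
    index = lock_index(lock_json)
    records = []
    for adv in advisories:
        if adv["package"] not in index:
            continue                                    # not installed, nothing to check
        version, is_dev = index[adv["package"]]
        records.append({"package": adv["package"], "installed": version, "cve": adv["cve"],
                        "affected": version_matches(version, adv["affected"]), "dev": is_dev})
    return records


def shipped_exposure(lock_json, advisories):
    """Findings that reach a release: affected range hit AND package not in packages-dev."""
    return [r for r in triage(lock_json, advisories) if r["affected"] and not r["dev"]]


if __name__ == "__main__":
    for label, lock in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        for r in triage(lock, ADVISORIES):
            print(label, r["package"], r["installed"], r["cve"],
                  "AFFECTED" if r["affected"] else "fixed", "dev" if r["dev"] else "SHIPPED")
```

Run against the "before" lock the script flags all three advisories as in range but only `web-auth/webauthn-lib` as shipped exposure; against the "after" lock, phpunit 9.6.34 and symfony/process 6.4.33 fall outside their ranges, matching the audit output in the PR. For a real tree, `composer audit --format=json` gives the advisories in machine-readable form and `composer audit --no-dev` limits the audit to the non-dev packages, which is the shorter way to make the same "not shipped" argument in CI.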

@brianteeman
Contributor

I have tested this item ✅ successfully on a828e07


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46822.

@krishnagandhicode
Contributor

krishnagandhicode commented Feb 4, 2026

I have tested this item ✅ successfully on a828e07


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46822.

before:
Screenshot 2026-02-04 234338

after:
Screenshot 2026-02-04 234635

@richard67
Member Author

RTC


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46822.

@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Feb 4, 2026
@richard67 richard67 added this to the Joomla! 6.0.3 milestone Feb 4, 2026
@Bodge-IT Bodge-IT merged commit e983c71 into joomla:6.0-dev Feb 5, 2026
98 of 100 checks passed
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Feb 5, 2026
@Bodge-IT
Contributor

Bodge-IT commented Feb 5, 2026

Thanks @richard67 for the prep and thanks @brianteeman and @krishnagandhicode for your time in testing.

@richard67 richard67 deleted the 6.0-dev-composer-audit-fix-2026-02-01 branch February 5, 2026 18:28
6 participants