Labels: Composer Dependency Changed, bug, PR-5.4-dev. Status: Pending


richard67 - 10 Jan 2026

Pull Request for Issue # .

Summary of Changes

This pull request (PR) updates the composer dependency "paragonie/sodium_compat" from version 1.21.2 to version 1.24.0 in order to fix two medium severity security vulnerabilities reported by composer audit.

Testing Instructions

  1. Run composer install and then composer audit.
  2. Verify that this update introduces no breaking changes by checking the release information here:

Actual result BEFORE applying this Pull Request

Found 3 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | paragonie/sodium_compat                                                          |
| Severity          | medium                                                                           |
| CVE               | CVE-2025-69277                                                                   |
| Title             | libsodium has Incomplete List of Disallowed Inputs                               |
| URL               | https://github.com/advisories/GHSA-mrfv-m5wm-5w6w                                |
| Affected versions | <1.24.0|>=2,<2.5.0                                                               |
| Reported at       | 2025-12-31T06:30:18+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | paragonie/sodium_compat                                                          |
| Severity          |                                                                                  |
| CVE               | NO CVE                                                                           |
| Title             | Missing check that a point is on the prime subgroup for Edwards25519             |
| URL               | https://00f.net/2025/12/30/libsodium-vulnerability                               |
| Affected versions | >=2,<2.5.0|<1.24.0                                                               |
| Reported at       | 2025-12-30T00:00:00+00:00                                                        |
| Advisory ID       | PKSA-8x19-j2j3-bn67                                                              |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+

Expected result AFTER applying this Pull Request

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+

The update does not include any breaking changes.

Link to documentation

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
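The testing instructions above amount to a procedure: bump the package, reinstall, and compare the `composer audit` output against the advisories' affected-version ranges. The script below is an added example, not part of this PR or of Joomla's or Composer's own code. It reads the JSON form of the audit output (`composer audit --format=json`; the field names used here, `advisories`, `abandoned`, `affectedVersions`, `cve`, `advisoryId`, `severity`, are assumed to match Composer's JSON report) and predicts, before running `composer update`, which advisories a planned version bump clears, by evaluating each affected range against the target version. The embedded sample report is hand-constructed from the BEFORE output shown in this PR; `gate()` is a hypothetical CI check that fails unless every remaining advisory is explicitly accepted by CVE or advisory id.

```python
"""Predict which `composer audit` advisories a planned dependency bump clears.

Added example, not project code. Assumes Composer's JSON audit layout:
{"advisories": {pkg: [{affectedVersions, cve, advisoryId, title, link, severity,
reportedAt, ...}]}, "abandoned": {pkg: replacement}}.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the BEFORE audit output in the PR description
# (values copied from the page; advisoryId omitted where the page shows none).
SAMPLE_AUDIT_JSON = r"""
{
  "advisories": {
    "paragonie/sodium_compat": [
      {"packageName": "paragonie/sodium_compat", "severity": "medium",
       "cve": "CVE-2025-69277",
       "title": "libsodium has Incomplete List of Disallowed Inputs",
       "link": "https://github.com/advisories/GHSA-mrfv-m5wm-5w6w",
       "affectedVersions": "<1.24.0|>=2,<2.5.0",
       "reportedAt": "2025-12-31T06:30:18+00:00"},
      {"packageName": "paragonie/sodium_compat", "severity": null, "cve": null,
       "advisoryId": "PKSA-8x19-j2j3-bn67",
       "title": "Missing check that a point is on the prime subgroup for Edwards25519",
       "link": "https://00f.net/2025/12/30/libsodium-vulnerability",
       "affectedVersions": ">=2,<2.5.0|<1.24.0",
       "reportedAt": "2025-12-30T00:00:00+00:00"}
    ],
    "web-auth/webauthn-lib": [
      {"packageName": "web-auth/webauthn-lib", "severity": "medium",
       "cve": "CVE-2024-39912",
       "title": "The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames",
       "link": "https://github.com/advisories/GHSA-875x-g8p7-5w27",
       "affectedVersions": ">=4.5.0,<4.9.0",
       "reportedAt": "2024-07-15T16:37:49+00:00"}
    ]
  },
  "abandoned": {"web-auth/metadata-service": "web-auth/webauthn-lib"}
}
"""

# One comparison clause as printed by `composer audit`, e.g. ">=2" or "<1.24.0".
_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<|=)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric x.y.z padded with zeros so that '2' and '2.0.0' compare equal.
    Pre-release suffixes (-beta1) are dropped; non-numeric versions raise."""
    core = re.split(r"[-+]", version.strip().lstrip("v"))[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def _clause_matches(clause: str, v: Tuple[int, ...]) -> bool:
    m = _CLAUSE_RE.match(clause)
    if not m:
        raise ValueError(f"unsupported constraint clause: {clause!r}")
    op, bound = m.group(1) or "=", parse_version(m.group(2))
    return {">=": v >= bound, "<=": v <= bound, ">": v > bound, "<": v < bound,
            "=": v == bound, "==": v == bound, "!=": v != bound}[op]


def version_affected(version: str, affected: str) -> bool:
    """Composer range syntax: '|' (or '||') separates alternative ranges,
    ',' or whitespace separates conditions that must all hold within one range."""
    v = parse_version(version)
    for alternative in re.split(r"\s*\|\|?\s*", affected.strip()):
        clauses = [c for c in re.split(r"[,\s]+", alternative) if c]
        if clauses and all(_clause_matches(c, v) for c in clauses):
            return True
    return False


def remaining_advisories(audit_json: str, planned: Dict[str, str]) -> List[dict]:
    """Advisories that still apply after installing `planned` {package: version}.
    Packages not in `planned` keep all their advisories, since nothing changes for them."""
    report = json.loads(audit_json)
    remaining = []
    for package, advisories in report.get("advisories", {}).items():
        target = planned.get(package)
        for adv in advisories:
            if target is None or version_affected(target, adv["affectedVersions"]):
                remaining.append(adv)
    return remaining


def abandoned_packages(audit_json: str) -> Dict[str, str]:
    return dict(json.loads(audit_json).get("abandoned", {}))


def gate(audit_json: str, planned: Dict[str, str], accepted_ids=()) -> bool:
    """Hypothetical CI gate: True only if every remaining advisory is explicitly
    accepted by CVE or advisory id. Abandoned packages warn but do not fail."""
    ok = True
    for adv in remaining_advisories(audit_json, planned):
        ident = adv.get("cve") or adv.get("advisoryId") or adv.get("link")
        if ident in accepted_ids:
            continue
        ok = False
        print(f"BLOCKING {adv['packageName']} {ident} "
              f"({adv.get('severity') or 'no severity'}): {adv['title']}")
    for pkg, replacement in abandoned_packages(audit_json).items():
        print(f"WARNING abandoned {pkg}, suggested replacement: {replacement}")
    return ok


if __name__ == "__main__":
    bump = {"paragonie/sodium_compat": "1.24.0"}
    print("advisories left after bump:", len(remaining_advisories(SAMPLE_AUDIT_JSON, bump)))
    print("gate passes:", gate(SAMPLE_AUDIT_JSON, bump, accepted_ids=("CVE-2024-39912",)))
```

Against the sample, bumping sodium_compat to 1.24.0 leaves exactly the webauthn-lib advisory, matching the AFTER output in the PR; a bump to 1.23.x or to 2.4.0 would still sit inside one of the two alternative ranges and clear nothing. In real use, pipe `composer audit --format=json` into the script instead of the embedded sample, and keep the accepted-id list short and reviewed, since it is the only way a known advisory passes the gate.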

richard67 - open - 10 Jan 2026
richard67 - change - 10 Jan 2026
Status: New → Pending
joomla-cms-bot - change - 10 Jan 2026
Category: External Library, Composer Change
richard67 - change - 10 Jan 2026
The description was changed
richard67 - edited - 10 Jan 2026
richard67 - change - 10 Jan 2026
Title: [5.4] [WiP] Composer update paragonie/sodium_compat to v1.24.0 to fix composer audit warnings → [5.4] Composer update paragonie/sodium_compat to v1.24.0 to fix composer audit warnings
richard67 - edited - 10 Jan 2026
richard67 - change - 10 Jan 2026
The description was changed
richard67 - edited - 10 Jan 2026
richard67 - change - 10 Jan 2026
The description was changed
richard67 - edited - 10 Jan 2026
brianteeman - test_item - 11 Jan 2026 - Tested successfully
brianteeman - comment - 11 Jan 2026

I have tested this item ✅ successfully on 577df76


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46659.

muhme - change - 12 Jan 2026
Labels added: Composer Dependency Changed, bug, PR-5.4-dev
muhme - change - 12 Jan 2026
Status: Pending → Fixed in Code Base
Closed_Date: 2026-01-12 14:30:37
Closed_By: muhme
muhme - close - 12 Jan 2026
muhme - merge - 12 Jan 2026
muhme - comment - 12 Jan 2026

Thank you @richard67 for your contribution. Thank you @brianteeman for testing.
