Pull Request for Issue # .
This pull request (PR) updates the composer dependency "paragonie/sodium_compat" from version 1.21.2 to version 1.24.0 in order to fix two medium-severity security vulnerabilities reported by composer audit.
@Bodge-IT @softforge It is the same as PR #46659 for 5.4-dev, but here for 6.0-dev, so you don't have to handle any merge conflict or update the checksum in the lock file. Simply merge this PR here into your 6.0-dev branch, and when the 5.4-dev PR has been merged and you do an upmerge after that, just ignore all changes in composer.json and composer.lock and keep the files from 6.0-dev.
composer install and then composer audit.

Found 3 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package | paragonie/sodium_compat |
| Severity | medium |
| CVE | CVE-2025-69277 |
| Title | libsodium has Incomplete List of Disallowed Inputs |
| URL | https://github.com/advisories/GHSA-mrfv-m5wm-5w6w |
| Affected versions | <1.24.0|>=2,<2.5.0 |
| Reported at | 2025-12-31T06:30:18+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | paragonie/sodium_compat |
| Severity | |
| CVE | NO CVE |
| Title | Missing check that a point is on the prime subgroup for Edwards25519 |
| URL | https://00f.net/2025/12/30/libsodium-vulnerability |
| Affected versions | >=2,<2.5.0|<1.24.0 |
| Reported at | 2025-12-30T00:00:00+00:00 |
| Advisory ID | PKSA-8x19-j2j3-bn67 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
The update does not include any breaking changes.
Documentation link for docs.joomla.org: No documentation changes for docs.joomla.org needed

Pull Request link for manual.joomla.org: No documentation changes for manual.joomla.org needed
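The PR relies on composer audit to decide whether the lock file is affected by the advisories above. The following is an added example, not code from this PR or from the Joomla project: a small script that reads a composer.lock and evaluates the "Affected versions" constraints exactly as they are printed by composer audit ("|" is OR, "," is AND, with <, <=, >, >= and = comparators), so it can act as an offline CI gate for the packages listed here. The lock-file content is a constructed sample, and the constraint evaluator deliberately supports only the comparator syntax seen in this audit output (no ~, ^, * or stability suffixes); those limits are assumptions of the example.

```python
"""Check a composer.lock against composer-audit style version constraints.

Added example, not part of the Joomla PR. The lock excerpt below is a
constructed sample; the constraints are the ones quoted in the audit output.
"""
import json
import re
import sys

# Constructed minimal composer.lock excerpt (not the real Joomla lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "paragonie/sodium_compat", "version": "v1.21.2"},
        {"name": "web-auth/webauthn-lib", "version": "4.8.0"},
    ],
    "packages-dev": [],
})

# "Affected versions" constraints copied from the composer audit output.
ADVISORIES = {
    "paragonie/sodium_compat": "<1.24.0|>=2,<2.5.0",
    "web-auth/webauthn-lib": ">=4.5.0,<4.9.0",
}

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text):
    """'v1.24.0' -> (1, 24, 0). Missing components are padded with zeros,
    so '>=2' compares as (2, 0, 0). Pre-release suffixes are ignored."""
    core = text.lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in re.findall(r"\d+", core)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def matches(version, constraint):
    """True if `version` falls inside `constraint` (composer audit syntax:
    '|' or '||' separates OR alternatives, ',' or whitespace joins AND clauses)."""
    vt = parse_version(version)
    for alternative in re.split(r"\|\|?", constraint):
        clauses = [c for c in re.split(r"[,\s]+", alternative.strip()) if c]
        satisfied = True
        for clause in clauses:
            m = re.fullmatch(r"(<=|>=|<|>|==|!=|=)?\s*(.+)", clause)
            op = m.group(1) or "=="
            if op == "=":
                op = "=="
            if not OPS[op](vt, parse_version(m.group(2))):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def vulnerable_packages(lock_json, advisories):
    """Return {package: locked version} for every locked package whose
    version matches the advisory constraint for that package."""
    lock = json.loads(lock_json)
    locked = lock.get("packages", []) + lock.get("packages-dev", [])
    hits = {}
    for pkg in locked:
        constraint = advisories.get(pkg["name"])
        if constraint and matches(pkg["version"], constraint):
            hits[pkg["name"]] = pkg["version"]
    return hits


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/composer.lock]; exit 1 if affected.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = vulnerable_packages(data, ADVISORIES)
    for name, version in hits.items():
        print(f"AFFECTED: {name} {version} matches {ADVISORIES[name]}")
    sys.exit(1 if hits else 0)
```

With the sample lock both packages are reported; bumping sodium_compat to 1.24.0 (or 2.5.0 on the 2.x line) clears the first hit, which is the state the second audit run above shows, while webauthn-lib 4.8.0 stays inside >=4.5.0,<4.9.0 and still needs its own update.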
| Status | New | ⇒ | Pending |
| Category | ⇒ | External Library Composer Change |
I have tested this item ✅ successfully on 7cb75fc
| Status | Pending | ⇒ | Ready to Commit |
| Labels | Added: bug, Composer Dependency Changed, PR-5.4-dev |
RTC
| Labels | Added: RTC, PR-6.0-dev | Removed: PR-5.4-dev |
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-01-13 18:12:20 |
| Closed_By | ⇒ | softforge |
Thank you @richard67 and all who tested them
I have tested this item ✅ successfully on 7cb75fc
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46660.