Feeling Lucky
[#46822] - [6.0] Composer update 3 development dependencies to fix audit warnings 2026-02-03
- Pending
- Medium
- Build: 6.0-dev
- # 46822
- Diff
- richard67:6.0-dev-composer-audit-fix-2026-02-01
User tests: Successful: Unsuccessful:
Pull Request for Issue # .
Summary of Changes
This pull request (PR) updates 1 direct and 2 indirect composer dependencies in order to fix one high and one medium severity vulnerability reported by composer audit.
They are all development dependencies and so not shipped with installation or update packages.
@Bodge-IT @softforge It is the same as PR #46821 for 5.4-dev, but here for 6.0-dev so you don't have to handle any merge conflict or update the checksum in the lock file. Simply merge this PR here into your 6.0-dev branch, and when the 5.4-dev PR will be merged and you do an upmerge after that, just ignore all changes in composer.lock and keep the file from 6.0-dev.
In detail following dependencies are updated:
- Direct development dependency "phpunit/phpunit" from 9.6.29 to 9.6.34
- https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.30
- https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.31
- https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.32
- https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33
- https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.34
- All changes sebastianbergmann/phpunit@9.6.29...9.6.34
- Indirect development dependency "sebastian/comparator" from 4.0.9 to 4.0.10
This is needed for the previously mentioned update.
- https://github.com/sebastianbergmann/comparator/releases/tag/4.0.10
- All changes sebastianbergmann/comparator@4.0.9...4.0.10
- Indirect development dependency "symfony/process" from 6.4.25 to 6.4.33
- https://github.com/symfony/process/releases/tag/v6.4.26
- https://github.com/symfony/process/releases/tag/v6.4.31
- https://github.com/symfony/process/releases/tag/v6.4.32
- https://github.com/symfony/process/releases/tag/v6.4.32
- https://github.com/symfony/process/releases/tag/v6.4.33
- All changes symfony/process@v6.4.25...v6.4.33
Testing Instructions
- Run
composer installand thencomposer audit. - Verify that there are no breaking changes done with this update by checking the release information listed above in the summary of changes.
- Check that all CI actions are successful.
Actual result BEFORE applying this Pull Request
- Composer audit
------------------------------------------
Found 3 security vulnerability advisories affecting 3 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package | phpunit/phpunit |
| Severity | high |
| CVE | CVE-2026-24765 |
| Title | PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling |
| URL | https://github.com/advisories/GHSA-vvj3-c3rp-c85p |
| Affected versions | >=12.0.0,<12.5.8|>=11.0.0,<11.5.50|>=10.0.0,<10.5.62|>=9.0.0,<9.6.33|<8.5.52 |
| Reported at | 2026-01-27T22:26:22+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/process |
| Severity | medium |
| CVE | CVE-2026-24739 |
| Title | Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to |
| | destructive file operations on Windows |
| URL | https://github.com/advisories/GHSA-r39x-jcww-82v6 |
| Affected versions | >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51 |
| Reported at | 2026-01-28T21:28:10+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- Not applicable.
- All CI actions are successful.
Expected result AFTER applying this Pull Request
- Composer audit
-----------------------------------------
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- No breaking changes.
- All CI actions are successful.
Link to documentations
Please select:
-
Documentation link for guide.joomla.org:
-
No documentation changes for guide.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | External Library Composer Change |
I have tested this item ✅ successfully on a828e07
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46822.