
richard67
27 May 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) updates the composer dependency "symfony/yaml" from version v6.4.34 to version v6.4.41 to fix three security vulnerabilities of unknown severity reported by composer audit.

Release notes:

All changes: symfony/yaml@v6.4.34...v6.4.41

Hint for 6.2 Release Managers

As currently composer.json and composer.lock on the 6.2-dev branch are equal to the files on 6.1-dev, this PR here can be merged up into 6.2-dev without having to worry about the checksum in the lock file after it has been merged into 6.1-dev.

Testing Instructions

  1. Run composer install and then composer audit.
  2. Verify that there are no breaking changes done with this update by checking the release information listed above in the summary of changes.

Actual result BEFORE applying this Pull Request

  1. Composer audit
Found 1 ignored security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-3mms-4n3p-ym65                                                              |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
| Ignore reason     | Temporary until Webauthn plugin has been updated.                                |
+-------------------+----------------------------------------------------------------------------------+
Found 3 security vulnerability advisories affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/yaml                                                                     |
| Severity          |                                                                                  |
| Advisory ID       | PKSA-v5yj-8nmz-sk2q                                                              |
| CVE               | CVE-2026-45304                                                                   |
| Title             | CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive          |
|                   | Collection-Alias Expansion ("Billion Laughs")                                    |
| URL               | https://symfony.com/cve-2026-45304                                               |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
|                   | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
|                   | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3. |
|                   | 0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12                                 |
| Reported at       | 2026-05-20T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/yaml                                                                     |
| Severity          |                                                                                  |
| Advisory ID       | PKSA-ft77-7h5f-p3r6                                                              |
| CVE               | CVE-2026-45305                                                                   |
| Title             | CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in               |
|                   | Parser::cleanup() Regex                                                          |
| URL               | https://symfony.com/cve-2026-45305                                               |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
|                   | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
|                   | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3. |
|                   | 0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12                                 |
| Reported at       | 2026-05-20T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/yaml                                                                     |
| Severity          |                                                                                  |
| Advisory ID       | PKSA-b14r-zh1d-vdrc                                                              |
| CVE               | CVE-2026-45133                                                                   |
| Title             | CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested   |
|                   | Blocks, Sequences, and Mappings                                                  |
| URL               | https://symfony.com/cve-2026-45133                                               |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
|                   | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
|                   | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3. |
|                   | 0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12                                 |
| Reported at       | 2026-05-20T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
  2. Not applicable.

Expected result AFTER applying this Pull Request

  1. Composer audit
Found 1 ignored security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-3mms-4n3p-ym65                                                              |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
| Ignore reason     | Temporary until Webauthn plugin has been updated.                                |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
  2. No breaking changes.

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
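The audit output above shows why v6.4.34 trips the three symfony/yaml advisories while v6.4.41 does not: the "Affected versions" field is a list of composer constraint ranges joined by `|`, and 6.4.34 sits inside `>=6.4.0,<6.4.40`. The following is an added example, not code from this PR or from Joomla or Composer, that parses such a constraint string and reports which ranges cover a given installed version. It assumes only the `>=`, `>`, `<=`, `<`, `==` and `!=` operators that appear in audit output, and the constraint constant is the page's own symfony/yaml field with the table's line wrapping undone.

```python
"""Check whether an installed package version falls inside the "Affected
versions" ranges printed by `composer audit` (added example, not part of the PR)."""
import re

# Constructed sample: the "Affected versions" field of the three symfony/yaml
# advisories from the audit output above, joined back into one line.
AFFECTED_SYMFONY_YAML = (
    ">=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|"
    ">=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|"
    ">=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|"
    ">=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12"
)

# Comparison operators seen in composer audit constraint strings (assumption:
# audit output only uses these simple forms, not '^' or '~' shorthands).
_OPERATORS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(version):
    """Turn 'v6.4.34' or '6.4.34' into a comparable tuple of integers.

    A pre-release suffix such as '-beta1' is dropped, so only the numeric
    components are compared; that is enough for tagged releases like these.
    """
    core = version.lstrip("vV").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_constraint(constraint):
    """Parse '>=6.4.0,<6.4.40|>=7.0.0,<7.1.0' into a list of OR-alternatives,
    each a list of AND-ed (operator, version_tuple) clauses."""
    alternatives = []
    for group in constraint.split("|"):
        clauses = []
        for clause in group.split(","):
            clause = clause.strip()
            m = re.fullmatch(r"(>=|<=|!=|==|>|<)\s*v?([0-9]+(?:\.[0-9]+)*)", clause)
            if not m:
                raise ValueError(f"unsupported constraint clause: {clause!r}")
            clauses.append((m.group(1), parse_version(m.group(2))))
        alternatives.append(clauses)
    return alternatives


def is_affected(installed, constraint):
    """True if `installed` satisfies at least one OR-alternative."""
    v = parse_version(installed)
    return any(
        all(_OPERATORS[op](v, bound) for op, bound in group)
        for group in parse_constraint(constraint)
    )


def matching_ranges(installed, constraint):
    """Return the range strings that cover `installed`, for a readable report."""
    v = parse_version(installed)
    return [
        group.strip() for group in constraint.split("|")
        if all(_OPERATORS[op](v, bound) for op, bound in parse_constraint(group)[0])
    ]


if __name__ == "__main__":
    # Versions mentioned in this PR: the old one, the first fixed one, the new one.
    for version in ("v6.4.34", "v6.4.40", "v6.4.41"):
        hit = matching_ranges(version, AFFECTED_SYMFONY_YAML)
        print(version, "AFFECTED by " + ", ".join(hit) if hit else "not affected")
```

Run as a script it reports v6.4.34 as covered by `>=6.4.0,<6.4.40` and both v6.4.40 and v6.4.41 as outside every range, which is the same conclusion composer audit reaches after the lock file update. The same check can be pointed at any other "Affected versions" field from an audit table, for example the web-auth/webauthn-lib range `>=4.5.0,<4.9.0` that is still ignored above.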

richard67 - open - 27 May 2026
richard67 - change - 27 May 2026
Status: New -> Pending
joomla-cms-bot - change - 27 May 2026
Category: External Library, Composer Change
HLeithner - comment - 27 May 2026

You don't need to create such PRs; no release will be done in the next 5 weeks. Thanks.

richard67 - change - 27 May 2026
The description was changed
richard67 - edited - 27 May 2026
richard67 - change - 27 May 2026
The description was changed
richard67 - edited - 27 May 2026
richard67 - comment - 29 May 2026

> You don't need to create such PRs; no release will be done in the next 5 weeks. Thanks.

@HLeithner Shall I close it?
