Feeling Lucky
Composer Dependency Changed
PR-5.4-dev
[#48018] - [5.4] Composer updates 2026-06-24
- Fixed in Code Base
- 24 Jun 2026
- Medium
- Build: 5.4-dev
- # 48018
- Diff
- richard67:5.4-dev-composer-audit-fix-2026-06-24
User tests: Successful: Unsuccessful:
Pull Request resolves # .
- I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.
Summary of Changes
This pull request (PR) updates 1 direct and 2 indirect composer dependencies in order to fix 2 high and 6 medium severity vulnerability reported by composer audit.
In detail following dependencies are updated:
- guzzlehttp/psr7 from 2.8.0 to 2.12.3 - indirect dependency of direct non-development dependency php-tuf/php-tuf (our backport)
See https://github.com/guzzle/psr7/blob/2.12/CHANGELOG.md - phpseclib/phpseclib from 3.0.52 to 3.0.55 - indirect dependency of direct non-development dependency phpseclib/bcmath_compat
See https://github.com/phpseclib/phpseclib/blob/master/CHANGELOG.md - web-token/jwt-library from 3.4.8 to 3.4.10 - direct non-development dependency
https://github.com/web-token/jwt-library/releases/tag/3.4.9
https://github.com/web-token/jwt-library/releases/tag/3.4.10
web-token/jwt-library@3.4.8...3.4.10
See also the separate commits of this PR.
Testing Instructions
- Run
composer installand thencomposer audit. - Verify that there are no breaking changes done with this update by checking the release information listed above in the summary of changes.
- Check that all CI actions are successful.
Actual result BEFORE applying this Pull Request
- Composer audit
Found 9 security vulnerability advisories affecting 4 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| Advisory ID | PKSA-7qs6-zvnz-h66r |
| CVE | CVE-2026-55766 |
| Title | CRLF injection in HTTP start-line serialization |
| URL | https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432 |
| Affected versions | <2.12.1 |
| Reported at | 2026-06-18T09:49:37+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| Advisory ID | PKSA-gm5x-j3mz-71n9 |
| CVE | CVE-2026-49214 |
| Title | CRLF injection via URI host component |
| URL | https://github.com/guzzle/psr7/security/advisories/GHSA-hq7v-mx3g-29hw |
| Affected versions | <2.10.2 |
| Reported at | 2026-05-25T22:58:15+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| Advisory ID | PKSA-jj5t-2zs1-dcfm |
| CVE | CVE-2026-48998 |
| Title | Host confusion via authority reinterpretation |
| URL | https://github.com/guzzle/psr7/security/advisories/GHSA-34xg-wgjx-8xph |
| Affected versions | <2.10.2 |
| Reported at | 2026-05-25T22:58:15+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpseclib/phpseclib |
| Severity | medium |
| Advisory ID | PKSA-432p-hv1d-chf7 |
| CVE | NO CVE |
| Title | phpseclib: X.509 certificate validation sends attacker-controlled outbound |
| | requests (server-side request forgery) via Authority Information Access |
| URL | https://github.com/advisories/GHSA-m557-wrgg-6rp4 |
| Affected versions | >=3.0.0,<=3.0.53|>=2.0.0,<=2.0.54|>=0.1.1,<=1.0.29 |
| Reported at | 2026-06-16T15:03:58+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-token/jwt-library |
| Severity | medium |
| Advisory ID | PKSA-58h1-qnck-61bt |
| CVE | NO CVE |
| Title | JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion |
| | attacks |
| URL | https://github.com/web-token/jwt-framework/security/advisories/GHSA-jc38-x7x8-2x |
| | c8 |
| Affected versions | <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7 |
| Reported at | 2026-06-06T16:30:13+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-token/jwt-library |
| Severity | high |
| Advisory ID | PKSA-237v-kv6c-dpkr |
| CVE | NO CVE |
| Title | RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a |
| | Bleichenbacher/Marvin padding oracle |
| URL | https://github.com/web-token/jwt-framework/security/advisories/GHSA-5739-39v2-57 |
| | 54 |
| Affected versions | <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7 |
| Reported at | 2026-06-06T16:27:24+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-token/jwt-library |
| Severity | high |
| Advisory ID | PKSA-66dc-42nb-26yy |
| CVE | NO CVE |
| Title | Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication |
| | tag, performing no authentication on decryption |
| URL | https://github.com/web-token/jwt-framework/security/advisories/GHSA-6vvh-pxr4-25 |
| | r7 |
| Affected versions | <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7 |
| Reported at | 2026-06-06T16:27:05+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-token/jwt-library |
| Severity | medium |
| Advisory ID | PKSA-qw7k-npv6-3pbk |
| CVE | NO CVE |
| Title | PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling |
| | CPU-amplification denial of service |
| URL | https://github.com/web-token/jwt-framework/security/advisories/GHSA-3prj-6hqw-cm |
| | 82 |
| Affected versions | <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7 |
| Reported at | 2026-06-06T16:26:43+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- Not applicable.
- All CI actions are successful.
Expected result AFTER applying this Pull Request
- Composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- No breaking changes.
- All CI actions are successful.
Link to documentations
Please select:
-
Documentation link for guide.joomla.org:
-
No documentation changes for guide.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | External Library Composer Change |
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-06-24 13:09:59 |
| Closed_By | ⇒ | muhme | |
| Labels |
Added:
Composer Dependency Changed
PR-5.4-dev
|
||
Thank you very much @richard67 for your contribution.