User tests:
Successful:
Unsuccessful:
Pull Request resolves # .
This pull request (PR) updates 2 direct and 2 indirect composer dependencies in order to fix 3 low, 2 high and 6 medium severity vulnerabilities reported by composer audit.
In detail, the following dependencies are updated:
composer install and then composer audit.
Found 1 ignored security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
| Ignore reason | Temporary until Webauthn plugin has been updated. |
+-------------------+----------------------------------------------------------------------------------+
Found 11 security vulnerability advisories affecting 4 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| Advisory ID | PKSA-7qs6-zvnz-h66r |
| CVE | CVE-2026-55766 |
| Title | CRLF injection in HTTP start-line serialization |
| URL | https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432 |
| Affected versions | <2.12.1 |
| Reported at | 2026-06-18T09:49:37+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| Advisory ID | PKSA-gm5x-j3mz-71n9 |
| CVE | CVE-2026-49214 |
| Title | CRLF injection via URI host component |
| URL | https://github.com/guzzle/psr7/security/advisories/GHSA-hq7v-mx3g-29hw |
| Affected versions | <2.10.2 |
| Reported at | 2026-05-25T22:58:15+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| Advisory ID | PKSA-jj5t-2zs1-dcfm |
| CVE | CVE-2026-48998 |
| Title | Host confusion via authority reinterpretation |
| URL | https://github.com/guzzle/psr7/security/advisories/GHSA-34xg-wgjx-8xph |
| Affected versions | <2.10.2 |
| Reported at | 2026-05-25T22:58:15+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpseclib/phpseclib |
| Severity | medium |
| Advisory ID | PKSA-432p-hv1d-chf7 |
| CVE | NO CVE |
| Title | phpseclib: X.509 certificate validation sends attacker-controlled outbound |
| | requests (server-side request forgery) via Authority Information Access |
| URL | https://github.com/advisories/GHSA-m557-wrgg-6rp4 |
| Affected versions | >=3.0.0,<=3.0.53|>=2.0.0,<=2.0.54|>=0.1.1,<=1.0.29 |
| Reported at | 2026-06-16T15:03:58+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/yaml |
| Severity | low |
| Advisory ID | PKSA-v5yj-8nmz-sk2q |
| CVE | CVE-2026-45304 |
| Title | CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive |
| | Collection-Alias Expansion ("Billion Laughs") |
| URL | https://symfony.com/cve-2026-45304 |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
| | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
| | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3. |
| | 0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Reported at | 2026-05-20T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/yaml |
| Severity | low |
| Advisory ID | PKSA-ft77-7h5f-p3r6 |
| CVE | CVE-2026-45305 |
| Title | CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in |
| | Parser::cleanup() Regex |
| URL | https://symfony.com/cve-2026-45305 |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
| | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
| | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3. |
| | 0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Reported at | 2026-05-20T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/yaml |
| Severity | low |
| Advisory ID | PKSA-b14r-zh1d-vdrc |
| CVE | CVE-2026-45133 |
| Title | CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested |
| | Blocks, Sequences, and Mappings |
| URL | https://symfony.com/cve-2026-45133 |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
| | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.52|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
| | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3. |
| | 0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12 |
| Reported at | 2026-05-20T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-token/jwt-library |
| Severity | medium |
| Advisory ID | PKSA-58h1-qnck-61bt |
| CVE | NO CVE |
| Title | JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion |
| | attacks |
| URL | https://github.com/web-token/jwt-framework/security/advisories/GHSA-jc38-x7x8-2x |
| | c8 |
| Affected versions | <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7 |
| Reported at | 2026-06-06T16:30:13+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-token/jwt-library |
| Severity | high |
| Advisory ID | PKSA-237v-kv6c-dpkr |
| CVE | NO CVE |
| Title | RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a |
| | Bleichenbacher/Marvin padding oracle |
| URL | https://github.com/web-token/jwt-framework/security/advisories/GHSA-5739-39v2-57 |
| | 54 |
| Affected versions | <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7 |
| Reported at | 2026-06-06T16:27:24+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-token/jwt-library |
| Severity | high |
| Advisory ID | PKSA-66dc-42nb-26yy |
| CVE | NO CVE |
| Title | Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication |
| | tag, performing no authentication on decryption |
| URL | https://github.com/web-token/jwt-framework/security/advisories/GHSA-6vvh-pxr4-25 |
| | r7 |
| Affected versions | <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7 |
| Reported at | 2026-06-06T16:27:05+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-token/jwt-library |
| Severity | medium |
| Advisory ID | PKSA-qw7k-npv6-3pbk |
| CVE | NO CVE |
| Title | PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling |
| | CPU-amplification denial of service |
| URL | https://github.com/web-token/jwt-framework/security/advisories/GHSA-3prj-6hqw-cm |
| | 82 |
| Affected versions | <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7 |
| Reported at | 2026-06-06T16:26:43+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
Found 1 ignored security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
| Ignore reason | Temporary until Webauthn plugin has been updated. |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
Documentation link for guide.joomla.org:
No documentation changes for guide.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
| Category | | ⇒ | External Library Composer Change |
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-06-25 07:24:30 |
| Closed_By | | ⇒ | tecpromotion |
| Labels | | ⇒ | Added: Composer Dependency Changed, PR-6.1-dev |
Thanks @richard67 and @muhme