Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: disallow vulnerable guzzle versions #2536

Merged
merged 1 commit into from
Dec 26, 2023
Merged

fix: disallow vulnerable guzzle versions #2536

merged 1 commit into from
Dec 26, 2023

Conversation

bshaffer
Copy link
Contributor

addresses #2535

@bshaffer bshaffer requested a review from a team as a code owner December 21, 2023 14:36
@gravelld
Copy link

Thanks for the fast turnaround (or, at least, commit)!

@bshaffer bshaffer merged commit d1830ed into main Dec 26, 2023
13 checks passed
@bshaffer bshaffer deleted the bshaffer-patch-2 branch December 26, 2023 17:01
@vojtasvoboda
Copy link
Contributor

This change downgraded my guzzlehttp/guzzle library from 7.8.1 to 7.4.5. Why? Guzzle versions after the 7.4.5 shouldn't be affected by CVE-2022-31090.

@gravelld
Copy link

gravelld commented Jan 4, 2024

As per https://getcomposer.org/doc/articles/versions.md#tilde-version-range- the caret modifier should probably be used. Tilde in this case means >=7.4.5 < 7.5 - so I guess that's why it was downgraded.

^7.4.5 would mean >=7.4.5 < 8.0.

@vojtasvoboda
Copy link
Contributor

So I created PR #2546 with caret used.

vojtasvoboda added a commit to vojtasvoboda/google-auth-library-php that referenced this pull request Jan 5, 2024
Disallow Guzzle versions listed in vulnerability [CVE-2022-31090](GHSA-25mq-v84q-4j7r) in same way as in googleapis/google-api-php-client library googleapis/google-api-php-client#2536
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants