chore: resolve open dependabot security alerts #139

Open
jonathannorris wants to merge 3 commits into main from chore/dependabot-alerts
Conversation

@jonathannorris

Summary

Resolved 20 open Dependabot security alerts by bumping vulnerable dependencies across the SDK and example apps.

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #37, #34, #33, #32, #31, #28 | guzzlehttp/guzzle | medium | Bumped to 7.13.1 in main + all example lockfiles |
| #36, #29 | guzzlehttp/guzzle | medium | Bumped to 7.13.1 (HTTPS-Proxy downgrade) |
| #35, #30, #27, #26 | guzzlehttp/psr7 | medium | Bumped to 2.12.3 (CRLF injection in HTTP Start-Line) |
| #25, #23, #21, #20 | guzzlehttp/psr7 | medium | Bumped to 2.12.3 (CRLF injection via URI Host) |
| #24, #22, #19, #18 | guzzlehttp/psr7 | medium | Bumped to 2.12.3 (Host confusion via Authority reinterpretation) |

Also bumped phpunit/phpunit 10.5.45 to 10.5.63 to resolve CVE-2026-24765 (unsafe deserialization in PHPT code coverage handling, high severity).

All 22 tests pass locally.

- guzzlehttp/guzzle 7.9.2 -> 7.13.1 (medium, alerts #28, #29, #31, #32, #33, #34, #36, #37)
- guzzlehttp/psr7 2.7.0 -> 2.12.3 (medium, alerts #18, #19, #20, #21, #22, #23, #24, #25, #26, #27, #30, #35)
- phpunit/phpunit 10.5.45 -> 10.5.63 (high, CVE-2026-24765)
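The bump list above is easy to check mechanically. The script below is an added example, not part of this PR or the SDK: it reads a composer.lock, collects the locked version of every package in `packages` and `packages-dev`, and reports any package still below the minimum versions the PR names (guzzle 7.13.1, psr7 2.12.3, phpunit 10.5.63). The two lockfile bodies embedded in it are constructed samples that mirror the before/after versions in the bullets; the function names are my own.

```php
<?php
// Added example (not part of PR #139): audit a composer.lock against the
// minimum patched versions stated in the PR description.
declare(strict_types=1);

// Minimum versions the PR states resolve the Dependabot alerts.
const PATCHED_MINIMUMS = [
    'guzzlehttp/guzzle' => '7.13.1',
    'guzzlehttp/psr7'   => '2.12.3',
    'phpunit/phpunit'   => '10.5.63',
];

/**
 * Map of package name => locked version, covering both the runtime
 * ("packages") and dev ("packages-dev") sections of a composer.lock.
 */
function lockedVersions(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $versions = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            // Lockfiles may carry a leading "v" (e.g. "v3.7.1"); strip it so
            // version_compare() sees plain numeric components.
            $versions[$pkg['name']] = ltrim((string) $pkg['version'], 'v');
        }
    }
    return $versions;
}

/**
 * Packages that are absent from the lock or still below the patched minimum.
 * An empty array means every listed package is at or above its fix version.
 */
function findUnpatched(array $locked, array $minimums): array
{
    $unpatched = [];
    foreach ($minimums as $name => $min) {
        if (!isset($locked[$name])) {
            $unpatched[$name] = 'not present in lockfile';
        } elseif (version_compare($locked[$name], $min, '<')) {
            $unpatched[$name] = $locked[$name] . ' is below ' . $min;
        }
    }
    return $unpatched;
}

// Constructed sample: the pre-PR versions from the bullet list.
$beforeLock = json_encode([
    'packages' => [
        ['name' => 'guzzlehttp/guzzle', 'version' => '7.9.2'],
        ['name' => 'guzzlehttp/psr7',   'version' => '2.7.0'],
    ],
    'packages-dev' => [
        ['name' => 'phpunit/phpunit',   'version' => '10.5.45'],
    ],
]);

// Constructed sample: the post-PR versions.
$afterLock = json_encode([
    'packages' => [
        ['name' => 'guzzlehttp/guzzle', 'version' => '7.13.1'],
        ['name' => 'guzzlehttp/psr7',   'version' => '2.12.3'],
    ],
    'packages-dev' => [
        ['name' => 'phpunit/phpunit',   'version' => '10.5.63'],
    ],
]);

$exitCode = 0;
foreach (['before' => $beforeLock, 'after' => $afterLock] as $label => $lockJson) {
    $unpatched = findUnpatched(lockedVersions($lockJson), PATCHED_MINIMUMS);
    if ($unpatched === []) {
        echo "$label: all listed packages at or above patched versions\n";
        continue;
    }
    $exitCode = 1;
    foreach ($unpatched as $name => $reason) {
        echo "$label: $name $reason\n";
    }
}
exit($exitCode);
```

To run it against a real checkout, replace the constructed samples with `file_get_contents('composer.lock')` for the root and each `examples/*/composer.lock`; the non-zero exit makes it usable as a CI gate that fails if a later `composer update` in an example app silently regresses below a fix version.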
Copilot AI review requested due to automatic review settings July 2, 2026 13:39
@jonathannorris jonathannorris requested a review from a team as a code owner July 2, 2026 13:39
@jonathannorris jonathannorris enabled auto-merge (squash) July 2, 2026 13:39

Copilot AI left a comment

Pull request overview

This PR updates Composer dependencies in the PHP Server SDK and example apps to address open Dependabot security alerts by bumping vulnerable packages (notably guzzlehttp/guzzle, guzzlehttp/psr7, and phpunit/phpunit) and regenerating lockfiles.

Changes:

  • Bumped guzzlehttp/guzzle to 7.13.1 and guzzlehttp/psr7 to 2.12.3 in lockfiles.
  • Bumped phpunit/phpunit (and related dev dependencies) in the root lockfile.
  • Updated example app lockfiles to align with the patched dependency set.

Reviewed changes

Copilot reviewed 2 out of 6 changed files in this pull request and generated 1 comment.

Summary per file

| File | Description |
|---|---|
| composer.json | Updates dependency constraints for Guzzle/Psr7 and PHPUnit. |
| composer.lock | Pins updated dependency graph (including Guzzle/Psr7 and PHPUnit transitive updates). |
| examples/hello-world/composer.lock | Updates example lockfile dependency graph to patched versions. |
| examples/hello-world-http-proxy/composer.lock | Updates example lockfile dependency graph to patched versions. |
| examples/hello-world-udp-proxy/composer.lock | Updates example lockfile dependency graph to patched versions. |

Comment thread composer.json Outdated
Comment on lines 23 to 29
@@ -24,12 +24,12 @@
"ext-curl": "*",
"ext-json": "*",
"ext-mbstring": "*",
"guzzlehttp/guzzle": "^7.9.2",
"guzzlehttp/psr7": "^2.7.0",
"guzzlehttp/guzzle": "^7.12.1",
"guzzlehttp/psr7": "^2.12.1",
"open-feature/sdk": "^2.0.10"
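Review bot: The new constraints in this hunk, `"guzzlehttp/guzzle": "^7.12.1"` and `"guzzlehttp/psr7": "^2.12.1"`, sit below the versions the PR description says resolve the alerts (guzzle 7.13.1 for the HTTPS-Proxy downgrade, psr7 2.12.3 for the CRLF and Host confusion issues). The lockfile pins the fixed releases, but composer.json is what consumers of this SDK resolve against, so a downstream `composer update` could still land on 7.12.x or 2.12.1 and satisfy the constraint. Suggest raising the floors to match the fix versions, `"guzzlehttp/guzzle": "^7.13.1"` and `"guzzlehttp/psr7": "^2.12.3"`, so the constraint and the lock state the same minimum.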

Member Author

Fixed in f61c539: bumped the PHP requirement in composer.json from >=8.0 to >=8.1 to accurately reflect what the locked dependency graph actually requires (symfony/deprecation-contracts v3.7.1, phpunit 10, and other packages all require PHP >=8.1).
