Fix CVE-2025-45769 and unblock CI #50

Merged
Keith-wright merged 4 commits into master from fix/cve-2025-45769 on Mar 2, 2026

Conversation

@Keith-wright Keith-wright commented Feb 26, 2026


Summary

  • Bumps `firebase/php-jwt` from `^6.0` to `^7.0` to address CVE-2025-45769
  • Bumps `doctrine/instantiator` from `1.4.0` to `^1.5.0` to resolve a CI dependency conflict in the `prefer-lowest` matrix job
  • Updates test fixture secret keys from 19 bytes to 32 bytes to meet the minimum key length enforced by `firebase/php-jwt` v7 for HS256
  • Widens `overtrue/phplint` constraint to `^4.5 || ^5.5` so PHP 8.0 CI jobs resolve `4.5.0` (PHP 8.0-compatible) while PHP 8.1 prefer-stable jobs resolve `5.5.0`

Supersedes #48 — thank you to @atymic for the original contribution.

- Bump firebase/php-jwt from ^6.0 to ^7.0 to address CVE-2025-45769
  (GHSA-2x45-7fc3-mxwq, CWE-326 inadequate encryption strength).
  v6.x accepts arbitrarily short HMAC keys; v7.0 enforces minimum
  key length and rejects weak secrets.

- Bump doctrine/instantiator from 1.4.0 to ^1.5.0 to resolve a
  pre-existing dev dependency conflict that caused the prefer-lowest
  CI job to fail at dependency resolution before any tests could run.

Closes #48.
Co-authored-by: atymic <atymic@users.noreply.github.com>

The test secret key was 19 bytes, below the 32-byte minimum that
firebase/php-jwt v7 enforces for HS256. Updated to a 32-byte key
across all three test files. No logic changes.
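The 32-byte rule behind the fixture change is RFC 7518's requirement that an HS256 key be at least as long as the SHA-256 output. As an added illustration (not code from this repository or from firebase/php-jwt), here is a minimal HS256 signer and verifier in Python that enforces that check before signing or verifying, with constructed 19-byte and 32-byte sample keys mirroring the old and new fixtures:

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2: an HS256 key MUST be at least the size of the
# SHA-256 output, i.e. 256 bits = 32 bytes. This is the rule the fixture
# change above is satisfying.
HS256_MIN_KEY_BYTES = 32


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_hs256_key(key: bytes) -> None:
    """Reject keys shorter than the RFC 7518 minimum for HS256."""
    if len(key) < HS256_MIN_KEY_BYTES:
        raise ValueError(f"HS256 key is {len(key)} bytes; minimum is {HS256_MIN_KEY_BYTES}")


def key_is_acceptable(key: bytes) -> bool:
    """Boolean form of the check, for callers that prefer it to an exception."""
    try:
        check_hs256_key(key)
        return True
    except ValueError:
        return False


def hs256_sign(payload: dict, key: bytes) -> str:
    """Build a compact JWS with HS256, enforcing the key-length check first."""
    check_hs256_key(key)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def hs256_verify(token: str, key: bytes) -> bool:
    """Constant-time signature check; the same key rule applies on verify."""
    check_hs256_key(key)
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


# Constructed sample keys (not the project's real fixtures): 19 bytes as in
# the old test files, 32 bytes as in the updated ones.
OLD_FIXTURE_KEY = b"x" * 19
NEW_FIXTURE_KEY = b"y" * 32
```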
phplint 5.4.0 (the prefer-lowest resolved version under ^4.0 || ^5.0)
crashes with a fatal error on startup due to a missing
symfony/options-resolver dependency. Fixed in 5.5.0. Narrowing to
^5.5 ensures prefer-lowest installs a working version.

phplint 5.5.0 requires php ^8.1, so ^5.5 broke PHP 8.0 CI jobs.
^4.5 || ^5.5 resolves 4.5.0 on PHP 8.0 and 5.5.0 on PHP 8.1 prefer-stable,
avoiding all crashing versions (5.4.0) and PHP 8.1-only versions (5.4.2).

@Keith-wright Keith-wright merged commit 417df7c into master Mar 2, 2026
4 checks passed
@Keith-wright Keith-wright mentioned this pull request Mar 2, 2026