Skip to content

Update security-flagged dependencies and require PHP 8.4 (#1564)#1569

Merged
KodeStar merged 1 commit into
2.xfrom
chore/security-dependency-updates
Jul 8, 2026
Merged

Update security-flagged dependencies and require PHP 8.4 (#1564)#1569
KodeStar merged 1 commit into
2.xfrom
chore/security-dependency-updates

Conversation

@KodeStar

@KodeStar KodeStar commented Jul 8, 2026

Copy link
Copy Markdown
Member

Problem

Refs #1564. The CVE/GHSA scan flagged several outdated Composer packages.

Change

Package From To Advisory
symfony/http-foundation 7.3.1 7.4.14 CVE-2025-64500 / GHSA-3rg7-wf37-54rm
phpunit/phpunit 10.5.47 10.5.64 CVE-2026-24765 / GHSA-vvj3-c3rp-c85p
aws/aws-sdk-php 3.349.3 3.388.0 GHSA-27qh-8cxx-2cr5
enshrined/svg-sanitize 0.21.0 0.22.0 GHSA-22wq-q86m-83fh

Some transitive dependencies pulled in by these updates now require PHP 8.4 — which matches the PHP runtime already shipped in the official LinuxServer image (php84). Rather than pinning the dependency tree back to the old floor, this bumps the project baseline to 8.4:

  • composer.json require.php^8.4
  • CI php-version8.4
  • readme.md updated (Laravel 11, PHP >= 8.4)

The refreshed vendor/ tree is included (this repo vendors its dependencies).

Out of scope

The remaining advisories in the report — php84, curl, libpq, git, sqlite-libs, busybox, coreutils — are OS packages from the LinuxServer base image, resolved by rebuilding the image on an updated base, not by a Composer change.

Verification

Full suite green (34 passing, 1 pre-existing skip) on PHP 8.4 / phpunit 10.5.64; SVGSanitizerTest (which exercises enshrined/svg-sanitize) passes on 0.22.0.

Bumps the packages reported by CVE/GHSA scans in #1564 to their patched
releases (with transitive dependencies):

- symfony/http-foundation 7.3.1 -> 7.4.14 (CVE-2025-64500 / GHSA-3rg7-wf37-54rm)
- phpunit/phpunit 10.5.47 -> 10.5.64 (CVE-2026-24765 / GHSA-vvj3-c3rp-c85p)
- aws/aws-sdk-php 3.349.3 -> 3.388.0 (GHSA-27qh-8cxx-2cr5)
- enshrined/svg-sanitize 0.21.0 -> 0.22.0 (GHSA-22wq-q86m-83fh)

Some transitive dependencies now require PHP 8.4, which matches the runtime
shipped in the official LinuxServer image, so the composer requirement is
raised to ^8.4, CI is pinned to PHP 8.4, and the readme is updated to match.

The remaining advisories in the report (php84, curl, libpq, git, sqlite,
busybox, coreutils) come from the LinuxServer base image, not this
repository, and are addressed by rebuilding the image on an updated base.

Refs #1564
@KodeStar KodeStar force-pushed the chore/security-dependency-updates branch from a139e93 to f69cbba Compare July 8, 2026 15:30
@KodeStar KodeStar changed the title Update dependencies flagged by security advisories (#1564) Update security-flagged dependencies and require PHP 8.4 (#1564) Jul 8, 2026
@KodeStar KodeStar mentioned this pull request Jul 8, 2026
@KodeStar KodeStar merged commit cb59689 into 2.x Jul 8, 2026
1 check passed
@LinuxServer-CI LinuxServer-CI moved this from PRs to Done in Issue & PR Tracker Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

2 participants