
Security vulnerability - phenx/php-svg-lib

Open InfosecCloudNB opened this issue 1 year ago • 5 comments

Describe the bug
This wrapper uses dompdf/dompdf:^2.0.3. This version requires phenx/php-svg-lib: >=0.3.3 <1.0.0, which has a HIGH vulnerability. Could we update the dompdf dependency to dompdf/dompdf:^2.0.7, as this uses phenx/php-svg-lib: >=0.5.2 <1.0.0, which addresses the vulnerability?

InfosecCloudNB avatar Apr 25 '24 10:04 InfosecCloudNB
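One way to check a project's own composer.lock against the versions discussed in this issue, as an added example that is not part of the thread (Python, standard library only). The sample lock file is constructed for illustration, and the minimum versions are the ones the issue text names: dompdf 2.0.7 is the first release that requires phenx/php-svg-lib >= 0.5.2, the version said to address the vulnerability.

```python
import json
import re

# Constructed sample composer.lock excerpt (not a real lock file from any project):
# pinned the way the issue describes, dompdf 2.0.3 pulling in php-svg-lib from the 0.3.3 range.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "dompdf/dompdf", "version": "v2.0.3"},
        {"name": "phenx/php-svg-lib", "version": "0.3.3"},
    ],
    "packages-dev": []
})

# Constructed sample of the same tree after the update the issue asks for.
SAMPLE_LOCK_FIXED = json.dumps({
    "packages": [
        {"name": "dompdf/dompdf", "version": "v2.0.7"},
        {"name": "phenx/php-svg-lib", "version": "0.5.2"},
    ],
    "packages-dev": []
})

# Minimum versions taken from the issue text (assumption: anything below is treated as affected).
MINIMUMS = {
    "phenx/php-svg-lib": "0.5.2",
    "dompdf/dompdf": "2.0.7",
}


def parse_version(v):
    """Turn 'v2.0.3' or '2.0.3' into a comparable tuple of ints (pre-release suffixes dropped)."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(1).split("."))


def installed_versions(lock_text):
    """Map package name -> version string for every package (prod and dev) in composer.lock."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def find_outdated(lock_text, minimums=MINIMUMS):
    """Return {name: (installed, minimum)} for every listed package below its minimum fixed version."""
    installed = installed_versions(lock_text)
    outdated = {}
    for name, minimum in minimums.items():
        if name not in installed:
            continue  # package not in this dependency tree, nothing to check
        if parse_version(installed[name]) < parse_version(minimum):
            outdated[name] = (installed[name], minimum)
    return outdated


if __name__ == "__main__":
    import sys
    # Pass a real composer.lock path as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, (have, need) in find_outdated(text).items():
        print(f"{name}: installed {have}, need >= {need}")
```

Run it against a real composer.lock with `python check_lock.py composer.lock`; an empty result means both packages are at or above the versions the issue names. The check reads the lock file rather than composer.json because the constraint there (`^2.0.3`) says nothing about which dompdf and php-svg-lib releases are actually installed.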

I think it would be better to add that to https://github.com/dompdf/dompdf directly.

barryvdh avatar Apr 25 '24 13:04 barryvdh

Sorry if I'm misunderstanding you but dompdf have already addressed the vulnerability but this package uses an older version of dompdf (v2.0.3) as a dependency. Can we update this package to use v2.0.7 of dompdf?

InfosecCloudNB avatar Apr 25 '24 13:04 InfosecCloudNB

Could be closed as completed in https://github.com/barryvdh/laravel-dompdf/commit/c96f90c97666cebec154ca1ffb67afed372114d8

dsturm avatar Apr 29 '24 12:04 dsturm

https://github.com/barryvdh/laravel-dompdf/pull/1027#issuecomment-1910558581

parallels999 avatar May 02 '24 13:05 parallels999

This package requires 2.0.7 or higher, so it is no problem to just update to newer versions. For 3.x though, try the beta.

barryvdh avatar May 14 '24 09:05 barryvdh