
Dependabot alert on use of `guzzlehttp/psr7`

Open hayhurst opened this issue 1 year ago • 6 comments


Could this be looked into?

hayhurst avatar May 02 '23 13:05 hayhurst

Looks like it's updated in the guzzle library already https://github.com/guzzle/guzzle/blob/7.5/composer.json

hayhurst avatar May 02 '23 13:05 hayhurst

Bump :(

hayhurst avatar Dec 02 '23 01:12 hayhurst

Took the time to update guzzlehttp to the latest version (7.8) and refactored calls to get_config in the tests, since it's deprecated and will be removed in guzzlehttp 8.0.

Can confirm it works with no problems and doesn't need a bump in the PHP version requirements.

@sun @dominic-ks check out my fork here and maybe consider merging if you also want to include the refactor of get_config.

Edit: the specific commit for the refactor is: https://github.com/usefulteam/jwt-auth/commit/48937cf7a3356ca7ac42ccf3806251fa4b0d7085

wavedeck avatar Jan 24 '24 18:01 wavedeck

@hayhurst since guzzlehttp is only used for unit testing, the vulnerability does not have an impact on the plugin's security in itself.

For the mentioned exploit to be possible, an attacker would have to have access to the developer's computer. But if that were the case, you'd have a completely different set of problems, and exploiting guzzlehttp would be the absolute least of your concerns.

wavedeck avatar Jan 24 '24 18:01 wavedeck
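The triage argument above (a flagged package that lives only in the test toolchain is not shipped with the plugin) can be checked mechanically against composer.lock, which keeps production packages in `packages` and test-only packages in `packages-dev`. The script below is an added example, not code from the jwt-auth project; the lock-file excerpt and its package names and versions are constructed for illustration.

```python
"""Classify where a flagged package sits in a composer.lock file.

Added example (not part of the jwt-auth project): composer.lock stores
production packages under "packages" and test/build-only packages under
"packages-dev". Composer resolves transitive requirements into "packages",
so a package found only in "packages-dev" is not needed by any production
require and does not reach the deployed plugin.
"""
import json

# Constructed composer.lock excerpt; names and versions are illustrative,
# not taken from the project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/prod-lib", "version": "1.2.3"},
    ],
    "packages-dev": [
        {"name": "guzzlehttp/guzzle", "version": "7.5.0"},
        {"name": "guzzlehttp/psr7", "version": "2.4.0"},
        {"name": "phpunit/phpunit", "version": "9.5.0"},
    ],
})


def index_lock(lock_json: str) -> dict:
    """Return {package name: {"scope": ..., "version": ...}} for every locked package."""
    lock = json.loads(lock_json)
    prod = {p["name"]: p["version"] for p in lock.get("packages", [])}
    dev = {p["name"]: p["version"] for p in lock.get("packages-dev", [])}
    result = {}
    for name in set(prod) | set(dev):
        if name in prod and name in dev:
            scope = "both"          # should not happen in a valid lock, but handle it
        elif name in prod:
            scope = "prod"
        else:
            scope = "dev-only"
        result[name] = {"scope": scope, "version": prod.get(name, dev.get(name))}
    return result


def classify(lock_json: str, package: str) -> str:
    """Return 'prod', 'dev-only', 'both' or 'absent' for one package name."""
    return index_lock(lock_json).get(package, {}).get("scope", "absent")


def triage(lock_json: str, flagged: list) -> dict:
    """Map each flagged package (e.g. from a Dependabot alert) to a short risk note."""
    notes = {}
    for pkg in flagged:
        scope = classify(lock_json, pkg)
        if scope == "absent":
            notes[pkg] = "not in lock file; alert may be stale"
        elif scope == "dev-only":
            notes[pkg] = "dev-only: reaches CI and developer machines, not the shipped plugin"
        else:
            notes[pkg] = f"{scope}: shipped to production, patch with priority"
    return notes


if __name__ == "__main__":
    for pkg, note in triage(SAMPLE_LOCK, ["guzzlehttp/psr7", "example/prod-lib"]).items():
        print(f"{pkg}: {note}")
```

Composer 2.4 and later also ship `composer audit`, which reports known advisories against the lock file; the script adds the dev-versus-prod split that decides how urgent such an alert is.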

@wavedeck Sounds great. :) Would you like to create a PR that contains the necessary changes?

Just make sure that your branch of the PR really only contains the minimum necessary changes to address the issue.

sun avatar Jan 24 '24 19:01 sun

@sun this PR should close that issue (and also prevent a possibly overlooked increase in the required PHP version).

wavedeck avatar Jan 24 '24 22:01 wavedeck