This repository has been archived by the owner on Sep 11, 2024. It is now read-only.

how to update dependencies? #238

Open
NeftaliAcosta opened this issue Jan 31, 2023 · 3 comments

@NeftaliAcosta

Can you help me update the dependencies? GitLab SAST shows me an error and I need to update to firebase/php-jwt ^6.

Thank you.

@tuupola
Owner

tuupola commented Jan 31, 2023

Not possible. firebase/php-jwt:6.x made such changes that it is impossible to use it without breaking BC. See discussion at: #217

I really do dislike CVE-2021-46743 because vulnerability scanners tag it as critical even though there is no vulnerability. Even the report itself says: "NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself."

@dakujem
Contributor

dakujem commented May 4, 2023

With firebase/php-jwt version 5.5 it is possible to mitigate the issue.

I had to update the interface of my library to allow for the workaround, by introducing a Secret object, which mimics what firebase/php-jwt did in v5.5. Maybe this will help.

I was also forced to bump the major version in order to mitigate the issue by default, as they did in firebase/php-jwt version 6.

@tuupola
Owner

tuupola commented Jun 29, 2023

@dakujem I had totally missed this. Thanks!

https://github.com/firebase/php-jwt/releases/tag/v5.5.0
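
As an added illustration (not code from this thread, this repository, or firebase/php-jwt), here is a minimal PHP 8 sketch of the idea behind the key object that firebase/php-jwt introduced in v5.5: the verifier takes the algorithm from the key it was configured with and rejects a token whose header names a different one. `BoundKey`, `verify_bound`, and the sample secret and token are hypothetical names and constructed values.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-in for a key object that carries its own algorithm
// (the idea behind firebase/php-jwt's Key class); not the library's code.
final class BoundKey
{
    public function __construct(public string $material, public string $alg) {}
}

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $s): string
{
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4); // restore stripped padding
    $raw = base64_decode(strtr($s, '-_', '+/'), true);
    $raw !== false || throw new UnexpectedValueException('bad base64url segment');
    return $raw;
}

function verify_bound(string $jwt, BoundKey $key): array
{
    $hmacs = ['HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512'];
    $parts = explode('.', $jwt);
    count($parts) === 3 || throw new UnexpectedValueException('expected three segments');
    [$h64, $p64, $s64] = $parts;
    $header = json_decode(b64url_decode($h64), true);
    // The key decides the algorithm; the header may only agree with it.
    $alg = is_array($header) ? ($header['alg'] ?? null) : null;
    $alg === $key->alg || throw new UnexpectedValueException('token alg does not match key alg');
    isset($hmacs[$alg]) || throw new UnexpectedValueException('sketch covers HMAC algorithms only');
    $mac = hash_hmac($hmacs[$alg], "$h64.$p64", $key->material, true);
    hash_equals($mac, b64url_decode($s64)) || throw new UnexpectedValueException('signature verification failed');
    $claims = json_decode(b64url_decode($p64), true);
    is_array($claims) || throw new UnexpectedValueException('payload is not a JSON object');
    return $claims;
}

// Constructed sample secret and token, for illustration only.
$secret = 'constructed-demo-secret';
$signed = b64url_encode('{"typ":"JWT","alg":"HS256"}') . '.' . b64url_encode('{"sub":"demo"}');
$jwt = $signed . '.' . b64url_encode(hash_hmac('sha256', $signed, $secret, true));
var_dump(verify_bound($jwt, new BoundKey($secret, 'HS256')));
try {
    verify_bound($jwt, new BoundKey($secret, 'HS512')); // key bound to another algorithm
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The mismatch is rejected before any MAC is computed, so the token header never selects how the key material is used.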
