Skip to content

Require PHPUnit 9.6.33+ (CVE-2026-24765)#3224

Merged
pfefferle merged 1 commit intotrunkfrom
update/composer-deps
Apr 24, 2026
Merged

Require PHPUnit 9.6.33+ (CVE-2026-24765)#3224
pfefferle merged 1 commit intotrunkfrom
update/composer-deps

Conversation

@pfefferle
Copy link
Copy Markdown
Member

@pfefferle pfefferle commented Apr 24, 2026

Proposed changes:

Tightens the phpunit/phpunit constraint from ^9 to ^9.6.33 so that every fresh composer install picks up the patched release. The old range resolves to 9.6.29 on a clean install, which has a high-severity advisory for unsafe deserialization in PHPT code coverage handling (CVE-2026-24765).

Dev-only dependency — no runtime impact on end users or production sites, only on developer and CI environments that run the test suite.

After the bump, composer audit reports no advisories. symfony/process also had a Medium advisory (CVE-2026-24739) but it is a transitive dep via jetpack-changelogger → symfony/console; the resolver already picks the patched 7.4.8 without any direct change needed.

Other information:

  • Have you written new tests for your changes, if applicable?

No new tests required — this is a dependency constraint update. The full suite continues to pass under the updated PHPUnit 9.6.34.

Testing instructions:

  1. Check out the branch.
  2. Run composer install — verify it resolves PHPUnit 9.6.33 or newer.
  3. Run composer audit — should report "No security vulnerability advisories found."
  4. Run npm run env-test — full suite should still pass.

Changelog entry

Included as .github/changelog/update-composer-phpunit-min, significance patch / type changed.

@pfefferle
Require PHPUnit 9.6.33+ to pick up CVE-2026-24765 fix
037d7e3 
The previous `^9` constraint left dev installs free to resolve to
PHPUnit 9.6.29, which has a known unsafe-deserialization advisory in
PHPT code coverage handling (CVE-2026-24765, high). Tighten the minimum
so every fresh `composer install` picks up the patched release.

Dev-only dependency; no runtime impact.
Copilot AI review requested due to automatic review settings April 24, 2026 19:33
@pfefferle pfefferle self-assigned this Apr 24, 2026
@pfefferle pfefferle requested a review from a team April 24, 2026 19:33
Copilot AI reviewed Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens the dev-only Composer constraint for phpunit/phpunit to ensure fresh installs pull in a patched PHPUnit release addressing CVE-2026-24765, and adds a changelogger entry documenting the tooling/security update.

Changes:

  • Update phpunit/phpunit in composer.json from ^9 to ^9.6.33.
  • Add a .github/changelog/ entry documenting the PHPUnit minimum version bump for a security fix.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
composer.json Tightens the PHPUnit dev dependency constraint to require the patched 9.6.33+ line.
.github/changelog/update-composer-phpunit-min Adds a changelogger entry describing the dev tooling security-motivated dependency bump.

@pfefferle pfefferle merged commit 893b232 into trunk Apr 24, 2026
14 checks passed
@pfefferle pfefferle deleted the update/composer-deps branch April 24, 2026 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@pfefferle pfefferle

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pfefferle