Composer dependency affected by security advisories

[leander-hass]

Hey there,
I just wanted to inform you guys that I have had trouble updating my project.
Every time I run composer update I get the following error:

Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires mistralys/text-diff ^2.0.2 -> satisfiable by mistralys/text-diff[2.0.2].
    - mistralys/application-utils[1.2.5, ..., 1.3.1] require geshi/geshi 1.0.9.1 -> found geshi/geshi[v1.0.9.1] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-ns3q-qtk3-d35r") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
    - mistralys/application-utils[1.4.0, ..., 1.9.1, 2.0.0, ..., 2.2.11] require geshi/geshi >=1.0.9.1 -> found geshi/geshi[v1.0.9.1] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-ns3q-qtk3-d35r") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
    - mistralys/application-utils[2.3.0, ..., 2.5.0] require geshi/geshi >=1.0 -> found geshi/geshi[v1.0.8.12, v1.0.8.13, v1.0.9.0, v1.0.9.1] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-ns3q-qtk3-d35r") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
    - mistralys/application-utils-core[1.0.0, ..., 1.2.2, 2.2.3, ..., 2.4.1] require geshi/geshi >=1.0 -> found geshi/geshi[v1.0.8.12, v1.0.8.13, v1.0.9.0, v1.0.9.1] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-ns3q-qtk3-d35r") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
    - mistralys/application-utils[3.0.0, ..., 3.0.3] require mistralys/application-utils-core >=1.0.1 -> satisfiable by mistralys/application-utils-core[1.0.1, ..., 1.2.2, 2.2.3, ..., 2.4.1].
    - mistralys/application-utils[3.0.4, ..., 3.0.5] require mistralys/application-utils-core >=1.0.3 -> satisfiable by mistralys/application-utils-core[1.0.3, ..., 1.2.2, 2.2.3, ..., 2.4.1].
    - mistralys/application-utils[3.1.0, ..., 3.1.10] require mistralys/application-utils-core >=2.2.3 -> satisfiable by mistralys/application-utils-core[2.2.3, ..., 2.4.1].
    - mistralys/text-diff 2.0.2 requires mistralys/application-utils >=1.2.5 -> satisfiable by mistralys/application-utils[1.2.5, ..., 1.9.1, 2.0.0, ..., 2.5.0, 3.0.0, ..., 3.1.10].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

Minimal composer.json to reproduce:

{
    "config": {
        "preferred-install": {
            "*": "dist"
        }
    },
    "require": {
        "php": "^8.4",
        "mistralys/text-diff": "^2.0.2"
    }
}

It seems like the fix has to be done in one of the dependencies (I don't know if this has already happened) and then, bump the used version number in this project.

[Mistralys]

Hi @leander-hass, thanks a lot for the information. I'll check it out in the coming days as time allows.

[Mistralys]

Hi @leander-hass, it turns out that this is not so trivial to fix correctly. I have to swap out Geshi with a better alternative, and that will take some time. The project is no longer maintained, and any alternatives will require quite a bit of refactoring.

The Temporary Workaround

In the meantime, there is a workaround. The vulnerability affects a feature that is not used in text/diff. I can't suppress the security warning from the package directly, but you can on your end.

The vulnerability specifically resides in Geshi's /contrib/cssgen.php. This script is used to generate custom CSS files for GeSHi styles based on URL parameters.

To mitigate the risk, you can ensure that the contrib folder gets deleted whenever you install your dependencies.

1. Utility script for folder deletion

Create a file named scripts/secure-geshi.php:

NOTE: Disclaimer, I did not test this. It's AI-generated.

<?php
$contribDir = __DIR__ . '/../vendor/geshi/geshi/contrib';

if (is_dir($contribDir)) {
    $it = new RecursiveDirectoryIterator($contribDir, RecursiveDirectoryIterator::SKIP_DOTS);
    $files = new RecursiveIteratorIterator($it, RecursiveIteratorIterator::CHILD_FIRST);
    foreach($files as $file) {
        if ($file->isDir()){
            rmdir($file->getRealPath());
        } else {
            unlink($file->getRealPath());
        }
    }
    rmdir($contribDir);
    echo "Security Patch: GeSHi contrib directory has been removed.\n";
}

2. Automated deletion

Add these script hooks in composer.json:

{
    "scripts": {
        "post-install-cmd": [
            "php scripts/secure-geshi.php"
        ],
        "post-update-cmd": [
            "php scripts/secure-geshi.php"
        ]
    }
}

3. Ignore The Warning

Add this in composer.json:

{
    "config": {
        "audit": {
            "ignore": {
                "CVE-2025-2123": "The vulnerable contrib/cssgen.php file has been manually removed or blocked at the server level.",
                "GHSA-pr6q-g5gv-qgr7": "Mitigated: Vulnerable helper script is not exposed to the web."
            }
        }
    }
}

[leander-hass]

Ok, thank you very much.
I respect your effort, even though the project is no longer maintained.
I will close this issue, as this satisfies my question.

[Mistralys]

Hi @leander-hass, just to clarify: this project, text-diff, is still maintained. The dependency project, geshi, is not maintained anymore. I will definitely update this package in the near future to fix the issue.

[parktrip]

I also got this warning and composer update does not pull your latest changes. I think it is because you didn't tag your latest changes and last version is still 2.0.2. Could you tag it when you have some time ? BR

[Mistralys]

Hi @parktrip, a new release is in the works - I'll comment here when it's live :)

[Mistralys]

FYI: Version 2.1.0 now fixes the issues and more.

Release notes: https://github.com/Mistralys/text-diff/releases/tag/2.1.0

[parktrip]

thanks a lot