Skip to content

chore(deps): bump pinned dependencies to clear security advisories#570

Merged
smarcet merged 1 commit into
mainfrom
chore/security-dependency-bump
Jul 8, 2026
Merged

chore(deps): bump pinned dependencies to clear security advisories#570
smarcet merged 1 commit into
mainfrom
chore/security-dependency-bump

Conversation

@smarcet

@smarcet smarcet commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

ref: https://app.clickup.com/t/9014802374/86bar3n48
Resolve 32 of 33 open Dependabot alerts (8/8 high) by updating:

  • laravel/framework 12.1.1 -> 12.62.0
  • guzzlehttp/guzzle 7.8.2 -> 7.12.1
  • vladimir-yuldashev/laravel-queue-rabbitmq 14.2.0 -> 14.5.3 (14.2.0 Consumer::stop() is incompatible with the new Illuminate\Queue\Worker::stop() signature in 12.62)

Also refresh transitive packages within existing constraints (aws-sdk-php, google/protobuf, phpseclib, phpunit, psy/psysh, symfony/yaml, symfony/cache, symfony/dom-crawler, jmespath).

Remaining advisory: firebase/php-jwt (low, CVE-2025-45769) — deliberately excluded, requires the 6.x -> 7.x major upgrade in the token validation path and will be handled separately.

Full CI test matrix verified locally against fresh DBs: oauth2 (1060 tests), Order/RSVP services, OTEL, unit suites — green.

Summary by CodeRabbit

  • Chores
    • Updated core application dependencies to newer versions, including the web framework, HTTP client, and queue integration.
    • These updates may improve stability, compatibility, and overall runtime reliability.

Resolve 32 of 33 open Dependabot alerts (8/8 high) by updating:

- laravel/framework 12.1.1 -> 12.62.0
- guzzlehttp/guzzle 7.8.2 -> 7.12.1
- vladimir-yuldashev/laravel-queue-rabbitmq 14.2.0 -> 14.5.3
  (14.2.0 Consumer::stop() is incompatible with the new
  Illuminate\Queue\Worker::stop() signature in 12.62)

Also refresh transitive packages within existing constraints
(aws-sdk-php, google/protobuf, phpseclib, phpunit, psy/psysh,
symfony/yaml, symfony/cache, symfony/dom-crawler, jmespath).

Remaining advisory: firebase/php-jwt (low, CVE-2025-45769) —
deliberately excluded, requires the 6.x -> 7.x major upgrade in
the token validation path and will be handled separately.

Full CI test matrix verified locally against fresh DBs:
oauth2 (1060 tests), Order/RSVP services, OTEL, unit suites — green.
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bae2e67f-1255-4eab-b212-77763873ffba

📥 Commits

Reviewing files that changed from the base of the PR and between c1d5eef and 6a85cc7.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • composer.json

📝 Walkthrough

Walkthrough

This PR updates version constraints in composer.json for three dependencies: guzzlehttp/guzzle (7.8.2 → 7.12.1), laravel/framework (12.1.1 → 12.62.0), and vladimir-yuldashev/laravel-queue-rabbitmq (v14.2.0 → v14.5.3).

Changes

Composer dependency updates

Layer / File(s) Summary
Bump package version constraints
composer.json
Updates required versions for guzzlehttp/guzzle, laravel/framework, and vladimir-yuldashev/laravel-queue-rabbitmq.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Related Issues: None specified.

Related PRs: None specified.

Suggested labels: dependencies

Suggested reviewers: None specified.

Poem

A hop, a bump, a version raised,
Guzzle and Laravel newly phased,
Rabbit queues now spry and quick,
A tiny diff, a tidy trick,
This rabbit's cheers for composer's praised! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the dependency bumps and the security-advisory motivation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/security-dependency-bump

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@smarcet smarcet requested a review from romanetar July 7, 2026 13:07
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/summit-api/openapi/pr-570/

This page is automatically updated on each push to this PR.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates pinned Composer dependencies (notably Laravel, Guzzle, and laravel-queue-rabbitmq) to address Dependabot security advisories and refresh transitive packages within existing constraints.

Changes:

  • Bumped laravel/framework to 12.62.0, guzzlehttp/guzzle to 7.12.1, and vladimir-yuldashev/laravel-queue-rabbitmq to v14.5.3.
  • Refreshed a broad set of transitive dependencies in composer.lock (AWS SDK, Symfony components, PHPUnit stack, etc.).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
composer.json Pins updated top-level dependency versions for Laravel, Guzzle, and RabbitMQ queue driver.
composer.lock Locks updated transitive dependency graph consistent with the new pinned versions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread composer.json

@romanetar romanetar left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@smarcet smarcet merged commit 988a6d3 into main Jul 8, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants