chore(deps): bump pinned dependencies to clear security advisories#570
Conversation
Resolve 32 of 33 open Dependabot alerts (8/8 high) by updating: - laravel/framework 12.1.1 -> 12.62.0 - guzzlehttp/guzzle 7.8.2 -> 7.12.1 - vladimir-yuldashev/laravel-queue-rabbitmq 14.2.0 -> 14.5.3 (14.2.0 Consumer::stop() is incompatible with the new Illuminate\Queue\Worker::stop() signature in 12.62) Also refresh transitive packages within existing constraints (aws-sdk-php, google/protobuf, phpseclib, phpunit, psy/psysh, symfony/yaml, symfony/cache, symfony/dom-crawler, jmespath). Remaining advisory: firebase/php-jwt (low, CVE-2025-45769) — deliberately excluded, requires the 6.x -> 7.x major upgrade in the token validation path and will be handled separately. Full CI test matrix verified locally against fresh DBs: oauth2 (1060 tests), Order/RSVP services, OTEL, unit suites — green.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR updates version constraints in composer.json for three dependencies: guzzlehttp/guzzle (7.8.2 → 7.12.1), laravel/framework (12.1.1 → 12.62.0), and vladimir-yuldashev/laravel-queue-rabbitmq (v14.2.0 → v14.5.3). ChangesComposer dependency updates
Estimated code review effort: 1 (Trivial) | ~3 minutes Related Issues: None specified. Related PRs: None specified. Suggested labels: dependencies Suggested reviewers: None specified. Poem A hop, a bump, a version raised, 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
📘 OpenAPI / Swagger preview ➡️ https://OpenStackweb.github.io/summit-api/openapi/pr-570/ This page is automatically updated on each push to this PR. |
There was a problem hiding this comment.
Pull request overview
Updates pinned Composer dependencies (notably Laravel, Guzzle, and laravel-queue-rabbitmq) to address Dependabot security advisories and refresh transitive packages within existing constraints.
Changes:
- Bumped
laravel/frameworkto12.62.0,guzzlehttp/guzzleto7.12.1, andvladimir-yuldashev/laravel-queue-rabbitmqtov14.5.3. - Refreshed a broad set of transitive dependencies in
composer.lock(AWS SDK, Symfony components, PHPUnit stack, etc.).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| composer.json | Pins updated top-level dependency versions for Laravel, Guzzle, and RabbitMQ queue driver. |
| composer.lock | Locks updated transitive dependency graph consistent with the new pinned versions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ref: https://app.clickup.com/t/9014802374/86bar3n48
Resolve 32 of 33 open Dependabot alerts (8/8 high) by updating:
Also refresh transitive packages within existing constraints (aws-sdk-php, google/protobuf, phpseclib, phpunit, psy/psysh, symfony/yaml, symfony/cache, symfony/dom-crawler, jmespath).
Remaining advisory: firebase/php-jwt (low, CVE-2025-45769) — deliberately excluded, requires the 6.x -> 7.x major upgrade in the token validation path and will be handled separately.
Full CI test matrix verified locally against fresh DBs: oauth2 (1060 tests), Order/RSVP services, OTEL, unit suites — green.
Summary by CodeRabbit