Skip to content

Package affected by PHP-JWT vulnerability #454

New issue
New issue
Open
Open
Package affected by PHP-JWT vulnerability#454
@ryanmitchell

Description

@ryanmitchell
ryanmitchell
opened on Feb 18, 2026

Issue summary

The package cannot be installed without composer warnings due to the vulnerability on PHP-JWT:
GHSA-2x45-7fc3-mxwq

 Problem 1
    - Root composer.json requires shopify/shopify-api ^6.1 -> satisfiable by shopify/shopify-api[v6.1.0].
    - shopify/shopify-api v6.1.0 requires firebase/php-jwt ^5.2 || ^6.2 -> found firebase/php-jwt[v5.2.0, ..., v5.5.1, v6.2.0, ..., v6.11.1] but these were not loaded, because they are affected by security advisories

Expected behavior

Package should be installable.

Actual behavior

Package cant be installed.

Please update the package to use v7.0 of firebase/php-jwt so that the warning no longer appears.

I appreciate you can hide these warnings, but an official package shouldnt be affected by a 3rd party vulnerability.

Checklist

  • I have described this issue in a way that is actionable (if possible)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions