Merge pull request #93 from TysonAndre/release-4.0.0

4.0.0: Forbid workspace/folder overrides for settings, update phan

NEWS.md

@@ -1,6 +1,16 @@
 vscode-php-phan NEWS
 ====================
 
+### 4.0.0 (2021-04-17)
+
+- Prevent the settings `phan.phpExecutablePath`, `phan.phanScriptPath`, `phan.analyzedProjectDirectory`, `phan.additionalCLIFlags`, and `phan.connectToServerWithStdio` from being overridden in VS Code workspace or folder settings. (i.e. configure them with `"scope": "machine"` for https://github.com/microsoft/vscode/blob/1.55.2/src/vs/workbench/api/common/configurationExtensionPoint.ts#L50-L55) (CVE-2021-31416)
+  (checking in connectToServerWithStdio in workplace settings is harmless but may break the workflows of other developers working on different machines.)
+  (vscode-php-phan is only intended for use with projects that a developer has manually trusted and enabled through analyzedProjectDirectory, although more convenient ways to securely trust php projects may be added in the future (e.g. using Memento). This is because phan allows executable paths or executable PHP code in third party plugins and InvokePHPNativeSyntaxCheckPlugin, as well as phan config files and due to certain CLI flags and config settings.)
+
+  The VS code extension version can be [downgraded to 3.0.0](https://code.visualstudio.com/updates/v1_30#_install-previous-versions) if you rely on those workspace settings.
+- Update Phan from 4.0.2 to 4.0.4
+- See [Phan's NEWS](https://github.com/phan/phan/blob/4.0.2/NEWS.md) for more details.
+
 ### 3.0.0 (2021-01-09)
 
 - Increase the minimum php-ast version to 1.0.7+ if php-ast is installed.

README.md

@@ -139,6 +139,16 @@ You may want to disable VS Code's built-in IntelliSense for PHP by setting `php.
 
 ## Release History
 
+### 4.0.0 (2021-04-17)
+
+- Prevent the settings `phan.phpExecutablePath`, `phan.phanScriptPath`, `phan.analyzedProjectDirectory`, `phan.additionalCLIFlags`, and `phan.connectToServerWithStdio` from being overridden in VS Code workspace or folder settings. (i.e. configure them with `"scope": "machine"` for https://github.com/microsoft/vscode/blob/1.55.2/src/vs/workbench/api/common/configurationExtensionPoint.ts#L50-L55) (CVE-2021-31416)
+  (checking in connectToServerWithStdio in workplace settings is harmless but may break the workflows of other developers working on different machines.)
+  (vscode-php-phan is only intended for use with projects that a developer has manually trusted and enabled through analyzedProjectDirectory, although more convenient ways to securely trust php projects may be added in the future (e.g. using Memento). This is because phan allows executable paths or executable PHP code in third party plugins and InvokePHPNativeSyntaxCheckPlugin, as well as phan config files and due to certain CLI flags and config settings.)
+
+  The VS code extension version can be [downgraded to 3.0.0](https://code.visualstudio.com/updates/v1_30#_install-previous-versions) if you rely on the ability to set those workspace settings.
+- Update Phan from 4.0.2 to 4.0.4
+- See [Phan's NEWS](https://github.com/phan/phan/blob/4.0.2/NEWS.md) for more details.
+
 ### 3.0.0 (2021-01-09)
 
 - Increase the minimum php-ast version to 1.0.7+ if php-ast is installed.

composer.json

@@ -10,6 +10,6 @@
     },
     "require": {
         "php": "^7.2.0",
-        "phan/phan": "4.0.2"
+        "phan/phan": "4.0.4"
     }
 }