
chore(deps): upgrade firebase/php-jwt to ^7.0 to fix security advisory#28

Merged
darcyYe merged 1 commit into master from yemq-audit-fix-20260224
Feb 24, 2026
Conversation

Contributor

@darcyYe darcyYe commented Feb 24, 2026

Summary

  • Upgrade firebase/php-jwt from ^6.8 to ^7.0 in composer.json
  • Refresh composer.lock to firebase/php-jwt v7.0.2
  • Resolve Dependabot alert #2 (GHSA-2x45-7fc3-mxwq / CVE-2025-45769)

Security Context

Dependabot flagged firebase/php-jwt versions < 7.0.0 as vulnerable (high severity).
This PR upgrades the dependency to a patched version (>= 7.0.0).

Notes

firebase/php-jwt v7 introduces stricter key-strength validation.
For this SDK usage (OIDC/JWKS verification), no functional behavior changes are expected.

Testing

  • composer test → 42 tests passed
  • composer audit --format=plain → No security vulnerability advisories found

Checklist

  • .changeset
  • unit tests
  • integration tests
  • necessary TSDoc comments

Bump firebase/php-jwt from ^6.8 to ^7.0 and update composer.lock to v7.0.2.

This resolves Dependabot alert #2 and the associated advisory:
- GHSA-2x45-7fc3-mxwq
- CVE-2025-45769

Validation:
- composer test (42 tests passed)
- composer audit --format=plain (no known vulnerabilities)
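
The PR notes that this SDK uses firebase/php-jwt for OIDC/JWKS verification and that v7 adds stricter key-strength validation. The following is an added example, not code from the SDK or from firebase/php-jwt, showing that verification path with the 7.x API: a JWKS document is turned into a key set with JWK::parseKeySet, the token is checked with JWT::decode (signature, kid selection, exp/nbf/iat), and the issuer and audience claims, which the library does not check, are validated explicitly. The helper name verifyIdToken, the argv-based inputs, and the issuer/client_id values are assumptions for illustration; the JWKS file is the JSON fetched from the provider's jwks_uri.

```php
<?php
// Added example (not the SDK's or firebase/php-jwt's own code).
// Usage: php verify.php /path/to/jwks.json '<id_token>'
// Assumes composer's autoloader and firebase/php-jwt ^7.0 are installed.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\ExpiredException;
use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

/**
 * Verify a compact JWS ID token against a JWKS and return its claims.
 *
 * JWT::decode selects the key by the token's "kid" header, verifies the
 * signature with that key's algorithm, and rejects tokens outside their
 * exp/nbf/iat window. "iss" and "aud" are application-level checks, so they
 * are enforced here rather than left to the library.
 *
 * @param string $idToken     token received from the OIDC provider
 * @param array  $jwks        decoded JSON of the provider's JWKS document
 * @param string $expectedIss "issuer" value from the OIDC discovery document
 * @param string $expectedAud this client's client_id
 */
function verifyIdToken(string $idToken, array $jwks, string $expectedIss, string $expectedAud): stdClass
{
    // Entries without an "alg" member use the default given here; the key
    // material itself is parsed from the JWK fields (n/e for RSA, x/y for EC).
    $keys = JWK::parseKeySet($jwks, 'RS256');

    // Allow a small clock skew between this host and the provider (seconds).
    JWT::$leeway = 60;

    $claims = JWT::decode($idToken, $keys);

    if (($claims->iss ?? null) !== $expectedIss) {
        throw new UnexpectedValueException('iss does not match the configured issuer');
    }

    // "aud" may be a single string or an array of strings (RFC 7519 section 4.1.3).
    $aud = (array) ($claims->aud ?? []);
    if (!in_array($expectedAud, $aud, true)) {
        throw new UnexpectedValueException('aud does not contain this client_id');
    }

    return $claims;
}

// Placeholder configuration; replace with the discovery document's issuer
// and your registered client_id.
$expectedIssuer = 'https://issuer.example';
$clientId       = 'my-client-id';

if ($argc < 3) {
    fwrite(STDERR, "usage: php verify.php <jwks.json> <id_token>\n");
    exit(2);
}

$jwks = json_decode((string) file_get_contents($argv[1]), true, 512, JSON_THROW_ON_ERROR);

try {
    $claims = verifyIdToken($argv[2], $jwks, $expectedIssuer, $clientId);
    echo 'verified sub=' . ($claims->sub ?? '?') . PHP_EOL;
} catch (ExpiredException $e) {
    // exp is in the past (beyond leeway): the session needs a fresh sign-in.
    fwrite(STDERR, 'token expired: ' . $e->getMessage() . PHP_EOL);
    exit(1);
} catch (\Throwable $e) {
    // Signature, nbf/iat, unknown kid, unsupported alg, malformed token,
    // and the iss/aud checks above all land here; treat them alike.
    fwrite(STDERR, 'token rejected: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
```

Two things to check after an upgrade like this one: run `composer show firebase/php-jwt` to confirm the installed version is the one the lock file claims (7.0.2 here), and, if any code path or test fixture signs or verifies with a symmetric (HS*) secret or a small RSA key, exercise it, since the stricter key-strength validation the PR mentions applies to the keys passed in rather than to the JWKS path alone.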
Copilot AI review requested due to automatic review settings February 24, 2026 03:01

Copilot AI left a comment

Pull request overview

This PR upgrades the firebase/php-jwt dependency from version ^6.8 to ^7.0 to address a high-severity security vulnerability (CVE-2025-45769). The upgrade resolves Dependabot alert #2 while maintaining compatibility with the existing codebase, as confirmed by passing tests.

Changes:

  • Upgraded firebase/php-jwt constraint from ^6.8 to ^7.0 in composer.json
  • Updated composer.lock with firebase/php-jwt v7.0.2 and its updated dependencies

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

  • composer.json: Updated firebase/php-jwt dependency constraint to ^7.0
  • composer.lock: Refreshed lock file with firebase/php-jwt v7.0.2, including updated PHP requirement (^8.0) and dev dependencies

@darcyYe darcyYe enabled auto-merge (squash) February 24, 2026 03:09
@darcyYe darcyYe merged commit 2649867 into master Feb 24, 2026
10 checks passed
@darcyYe darcyYe deleted the yemq-audit-fix-20260224 branch February 24, 2026 03:14
Labels

None yet

3 participants