Incorrect Package Attribution in GHSA-7rvp-xqj7-rxf2

[M-Aditya-shankar]

For this GHSA-7rvp-xqj7-rxf2:

The versioning described in the advisory actually corresponds to FUEL CMS, not to the codeigniter/framework package itself.

Also, FUEL CMS is not a registered package on Packagist, and it is typically installed via direct download. This could potentially lead to confusion or false positives in automated security tools that rely on package-based attribution.

Kindly consider updating the advisory to reflect the accurate source of the vulnerability.

[shelbyc]

Hi @M-Aditya-shankar, thank you for letting us know about GHSA-7rvp-xqj7-rxf2 not corresponding to a package in a supported ecosystem. The advisory has been withdrawn.