how to update dependencies?
NeftaliAcosta opened this issue · 3 comments
Not possible. firebase/php-jwt:6.x made such changes that it is impossible to use it without breaking BC. See discussion at: #217
I really do dislike CVE-2021-46743 because vulnerability scanners tag it as critical even though there is no vulnerability. Even the report itself says: "NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself."
With firebase/php-jwt version 5.5 it is possible to mitigate the issue.
I had to update the interface of my library to allow for the workaround, by introducing a Secret object, which mimics what firebase/php-jwt did in v5.5. Maybe this will help.
I was also forced to bump the major version in order to mitigate the issue by default, as they did in firebase/php-jwt version 6.