Asana / php-asana

Official PHP client library for the Asana API v1
MIT License

Vulnerable dependency "nategood/httpful" #123

Closed derrabus closed 1 month ago

derrabus commented 2 months ago

👋🏻 Hello!

This library requires the library nategood/httpful which has a known vulnerability reported here.

The issue has been addressed upstream and a version 1.0.0 of the package has been released in the meantime. But the installation of the 1.0.0 release is blocked by your library.

# composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | nategood/httpful                                                                 |
| Severity          |                                                                                  |
| CVE               | NO CVE                                                                           |
| Title             | Insecure HTTPS Connections due to Missing Default Certificate Validation         |
| URL               | https://huntr.com/bounties/8d59c089-92f1-4b73-90f8-54968a70e2fb                  |
| Affected versions | <0.2.0|>=0.2.0,<0.3.0|>=0.3.0,<1.0.0                                             |
| Reported at       | 2024-05-01T00:00:00+00:00                                                        |
| Advisory ID       | PKSA-4dtf-ym9h-t41j                                                              |
+-------------------+----------------------------------------------------------------------------------+

# composer why-not nategood/httpful 1.0.0
asana/asana v1.0.6 requires nategood/httpful (~0.2)
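The `composer why-not` output above is the whole story: `~0.2` means "at least 0.2, below 1.0", so the release that fixes the advisory can never be selected while that requirement is in place, and every version the requirement does allow sits inside the advisory's affected range. The following is an added example, not code from the issue thread, from Asana or from Composer itself: a small Python model of Composer's constraint matching that reproduces both facts. It assumes purely numeric versions (no stability suffixes such as `-beta`), supports only the comparison operators seen in the audit output plus the `~` and `^` shorthand, and the list of release numbers it checks is constructed for illustration rather than taken from the package's real tag list.

```python
"""Model of Composer version-constraint matching (added example, not Composer's
own code). Constants come from the issue: the asana/asana requirement on
nategood/httpful, the fixed release, and the advisory's affected range."""

import re
from itertools import zip_longest

REQUIREMENT = "~0.2"                                  # asana/asana v1.0.6 requires nategood/httpful (~0.2)
FIXED_RELEASE = "1.0.0"                               # release that resolves the advisory
AFFECTED = "<0.2.0|>=0.2.0,<0.3.0|>=0.3.0,<1.0.0"     # "Affected versions" from composer audit

# Constructed sample of release numbers, not the package's actual tag history.
SAMPLE_RELEASES = ["0.1.0", "0.2.0", "0.2.20", "0.3.0", "0.3.2", "0.9.9", "1.0.0", "1.0.1"]

OPS = {
    ">=": lambda c: c >= 0, ">": lambda c: c > 0,
    "<=": lambda c: c <= 0, "<": lambda c: c < 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def parse_version(text):
    """'v0.2' -> (0, 2); missing trailing components compare as zero."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def cmp(a, b):
    """Three-way compare of version tuples, padding the shorter one with zeros."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def _shorthand_upper(op, lower):
    """Exclusive upper bound implied by ~ or ^ applied to `lower`."""
    if op == "~":
        # ~1 -> <2 ; ~1.2 -> <2.0 ; ~1.2.3 -> <1.3.0 (bump the second-to-last part)
        if len(lower) == 1:
            return (lower[0] + 1,)
        return lower[:-2] + (lower[-2] + 1,)
    # ^: bump the left-most non-zero part: ^1.2.3 -> <2.0.0 ; ^0.3 -> <0.4
    i = next((k for k, part in enumerate(lower) if part), len(lower) - 1)
    return lower[:i] + (lower[i] + 1,)


def _clauses(alternative):
    """Split one AND-group ('>=0.2.0,<0.3.0' or '~0.2') into (op, bound) pairs."""
    out = []
    for clause in alternative.split(","):
        clause = clause.strip()
        m = re.fullmatch(r"([~^])(v?\d+(?:\.\d+)*)", clause)
        if m:
            lower = parse_version(m.group(2))
            out.append((">=", lower))
            out.append(("<", _shorthand_upper(m.group(1), lower)))
            continue
        m = re.fullmatch(r"(>=|<=|!=|==|>|<)?\s*(v?\d+(?:\.\d+)*)", clause)
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        out.append((m.group(1) or "==", parse_version(m.group(2))))
    return out


def satisfies(version, constraint):
    """True if `version` matches `constraint`; '|' (or '||') is OR, ',' is AND."""
    v = parse_version(version)
    return any(
        all(OPS[op](cmp(v, bound)) for op, bound in _clauses(alt))
        for alt in re.split(r"\|\|?", constraint)
    )


def why_not(requirement, candidate):
    """Mirror of `composer why-not`: the requirement that rejects `candidate`, or None."""
    return None if satisfies(candidate, requirement) else requirement


def allowed_versions(requirement, affected, releases):
    """Versions from `releases` that `requirement` permits, and whether all of them
    fall inside the advisory's `affected` range."""
    allowed = [r for r in releases if satisfies(r, requirement)]
    return allowed, all(satisfies(r, affected) for r in allowed)


if __name__ == "__main__":
    print("why-not", FIXED_RELEASE, "->", why_not(REQUIREMENT, FIXED_RELEASE))
    allowed, all_vulnerable = allowed_versions(REQUIREMENT, AFFECTED, SAMPLE_RELEASES)
    print("allowed by", REQUIREMENT, ":", allowed, "| all affected:", all_vulnerable)
```

Running it reports that `~0.2` rejects `1.0.0` and that every sample version it accepts is inside the advisory's affected range, which is exactly what the audit and why-not output above say in combination: the dependent cannot reach a patched version until the constraint is widened.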

jshwhitlow commented 1 month ago

+1 - We need to composer update to the latest wordpress and this package was stopping us from updating due to the above reason. We are switching away from using this library until this problem is fixed.

mahouha commented 1 month ago

Hi @jv-asana, any updates about this security issue please?