LaravelDaily / laravel-invoices

Laravel package to generate PDF invoices from various customizable parameters
GNU General Public License v3.0
1.39k stars 303 forks

Security issues with dependencies in ^2.0 package version #176

Closed alexandrmazur96 closed 1 year ago

alexandrmazur96 commented 1 year ago

It's not a direct issue with this package but caused by this library in our application.

A week ago, dependabot reported a security issue to us with the dompdf/dompdf package:

The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This might lead to arbitrary object unserialize on PHP < 8, through the phar URL wrapper.

An attacker might be able to exploit the vulnerability to call an arbitrary URL with arbitrary protocols, if they can provide an SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead at the very least to arbitrary file deletion, and might lead to remote code execution, depending on the classes that are available.

Our application runs on Laravel ^8.0, so the latest version of your package available for use in our application is 2.2.2.

This version of your library (2.2.2) uses `barryvdh/laravel-dompdf` version `^0.9.0`, which in consequence uses `dompdf/dompdf` version `^1`, which has this security issue (`dompdf/dompdf` fixed it in version `2.0.3`). The `barryvdh/laravel-dompdf` library should be at least version `2.0.1`.

So, is it possible to release 2.2.3 version of your library with updated barryvdh/laravel-dompdf?
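A quick way to confirm whether an application is exposed through this dependency chain is to audit its `composer.lock` rather than trusting the top-level constraint. The script below is an added example, not code from the laravel-invoices project: it reads the locked versions, flags any `dompdf/dompdf` below 2.0.3 or `barryvdh/laravel-dompdf` below 2.0.1 (the fixed versions named in this issue), and reports which locked package pulls the vulnerable one in. The `composer.lock` excerpt embedded in it is constructed to mirror the situation described above (laravel-invoices 2.2.2 requiring `barryvdh/laravel-dompdf ^0.9.0`); point `audit()` at a real lock file's contents to check your own application.

```python
"""Audit a composer.lock for the dompdf SVG URI-validation bypass discussed in the issue.

Added example, not part of the laravel-invoices project. The minimum fixed
versions are the ones stated in the issue text; the lock-file excerpt below is
constructed for illustration and is not taken from any real project.
"""
import json
import re

# Minimum safe versions, as stated in the issue.
FIXED_VERSIONS = {
    "dompdf/dompdf": "2.0.3",
    "barryvdh/laravel-dompdf": "2.0.1",
}

# Constructed composer.lock excerpt: only the fields this check needs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "barryvdh/laravel-dompdf", "version": "v0.9.0",
         "require": {"dompdf/dompdf": "^1"}},
        {"name": "dompdf/dompdf", "version": "v1.2.2"},
        {"name": "laraveldaily/laravel-invoices", "version": "2.2.2",
         "require": {"barryvdh/laravel-dompdf": "^0.9.0"}},
    ],
    "packages-dev": [],
})


def parse_version(text):
    """Turn 'v1.2.2' or '2.0.3' into a comparable int tuple.

    Composer tags usually carry a leading 'v'; missing components count as 0.
    Branch aliases such as 'dev-master' carry no number and sort lowest, so they
    are reported as vulnerable rather than silently passed.
    """
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return (-1,)
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def installed_packages(lock_text):
    """Map package name -> locked version across both prod and dev sections."""
    lock = json.loads(lock_text)
    result = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            result[pkg["name"]] = pkg["version"]
    return result


def dependents_of(lock_text, target):
    """Names of locked packages whose 'require' pulls in `target` (what to bump)."""
    lock = json.loads(lock_text)
    chain = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if target in pkg.get("require", {}):
                chain.append(pkg["name"])
    return sorted(chain)


def audit(lock_text, fixed=FIXED_VERSIONS):
    """Return {package: (installed, minimum_fixed)} for each package below its fix."""
    installed = installed_packages(lock_text)
    findings = {}
    for name, minimum in fixed.items():
        if name in installed and parse_version(installed[name]) < parse_version(minimum):
            findings[name] = (installed[name], minimum)
    return findings


if __name__ == "__main__":
    findings = audit(SAMPLE_LOCK)
    if not findings:
        print("no vulnerable dompdf versions locked")
    for name, (have, need) in findings.items():
        print(f"{name}: locked {have}, needs >= {need}; "
              f"required by {dependents_of(SAMPLE_LOCK, name)}")
```

Running it against the constructed lock reports both packages as below their fixed versions and shows that `dompdf/dompdf` is pulled in by `barryvdh/laravel-dompdf`, which is why bumping the intermediate package (as the pull request below does) is the actual fix rather than pinning `dompdf/dompdf` directly.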

PovilasKorop commented 1 year ago

@alexandrmazur96 could you make a Pull Request with this update?

alexandrmazur96 commented 1 year ago

@PovilasKorop, here we go - https://github.com/LaravelDaily/laravel-invoices/pull/177

Please let me know if I did something wrong.

mc0de commented 1 year ago

laravel-invoices v2 is no longer maintained. Please upgrade to laravel-invoices v3.

this issue has been resolved in v3