Open SCIF opened 8 months ago
See:
I found the next security issue, but it seems like dompdf is not actually the source of the problem, as they have a wide constraint allowing but not forcing the usage of the affected version of `phenx/php-svg-lib`. Does it mean the GH advisory report has mentioned dompdf incorrectly, so your package reflected this wrong decision as well?
Sounds like it: I would bring it up there then, as this package only follows.
Here is one of the latest commits: https://github.com/Roave/SecurityAdvisories/commit/3c621b023ec96ba669e5510067b5d4fe4a1f51e0
The latest CVE is https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-50262.yaml which has a constraint `<2.0.4`. The message has a link to a PR that has nothing to do with dompdf.
Any idea?