Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

laravel/framework 7.x gets rejected while 7.30.4 is considered safe #73

Closed salhdev closed 3 years ago

salhdev commented 3 years ago

In FriendsOfPHP/security-advisories, for laravel/framework:

```yaml
"7.x":
    time: 2020-01-13 14:37:00
    versions: ['>=7.0.0', '<7.30.2']
```

Ocramius commented 3 years ago

Seems like all the 7.x series is considered insecure: https://github.com/FriendsOfPHP/security-advisories/commit/27a06f36b43d8d244b1631a012f34ef50d801798

The advisory on github states that <6.20.26 || >=8.0.0,<8.40.0 is affected: https://github.com/advisories/GHSA-4mg9-vhxq-vm7j

I suggest you raise the issue upstream, if this has been patched in the 7.x series.

salhdev commented 3 years ago

Thanks, you are right, I was not looking at the latest file. But the issue raised in the latest advisory concerns only the Microsoft SQL driver. The MySQL and PostgreSQL drivers are not affected by the issue and should be safe.

Ocramius commented 3 years ago

The advisories reference laravel/framework, so you need to bring it up with the respective advisory authors: this repository simply tracks what is declared in those, and cannot be edited by hand.

salhdev commented 3 years ago

Got it, thanks.
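The mechanism the thread turns on, as an added worked example (this is not code from Roave/SecurityAdvisories or FriendsOfPHP/security-advisories): per-branch `versions` lists from an advisory file are joined into a composer `conflict` constraint, and an installed version is rejected when it satisfies any branch range. With the `7.x` entry salhdev quoted (`>=7.0.0`, `<7.30.2`), 7.30.4 passes; with a `7.x` entry that has no upper bound, which is what "all of 7.x is considered insecure" amounts to, 7.30.4 is rejected. The script also evaluates the GitHub advisory range Ocramius quoted on its own, showing that it says nothing about 7.x at all. The `6.x`/`8.x` branch data, the open-ended `7.x` variant, and the constraint grammar are constructed assumptions for illustration; the exact normalisation Roave applies when regenerating its composer.json is not reproduced.

```python
"""
Worked example (added here, not code from Roave/SecurityAdvisories or
FriendsOfPHP/security-advisories): turn per-branch version lists from a
FriendsOfPHP-style advisory into a composer "conflict" constraint and
check whether a given installed version would be rejected by it.

Assumptions: plain numeric versions only (no -beta/-RC suffixes), and the
simple constraint grammar used in the thread: ranges joined with ","
(AND) and alternatives joined with "|" or "||" (OR).  The exact
normalisation Roave applies when it regenerates composer.json is not
reproduced.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample data, shaped like the YAML quoted in the thread.
# The "7.x" entry is the one salhdev quoted (upper bound 7.30.2); the
# 6.x and 8.x entries are assumed here to mirror the GHSA ranges.
FRIENDSOFPHP_BRANCHES: Dict[str, List[str]] = {
    "6.x": [">=6.0.0", "<6.20.26"],
    "7.x": [">=7.0.0", "<7.30.2"],
    "8.x": [">=8.0.0", "<8.40.0"],
}

# Constructed variant illustrating "all of 7.x is insecure": the branch
# keeps its lower bound but has no upper bound at all.
OPEN_ENDED_7X_BRANCHES: Dict[str, List[str]] = {
    **FRIENDSOFPHP_BRANCHES,
    "7.x": [">=7.0.0"],
}

# Range string as given in the GitHub advisory quoted by Ocramius.
GHSA_RANGE = "<6.20.26 || >=8.0.0,<8.40.0"

_CONSTRAINT_RE = re.compile(r"^(>=|<=|==|=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.30.4' -> (7, 30, 4); '8' -> (8, 0, 0) so that '8' == '8.0.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))  # pad to at least 3 components


def satisfies_one(version: str, constraint: str) -> bool:
    """Does a single operator constraint such as '<7.30.2' hold?"""
    m = _CONSTRAINT_RE.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    v = parse_version(version)
    return {
        ">=": v >= bound, "<=": v <= bound, ">": v > bound, "<": v < bound,
        "=": v == bound, "==": v == bound,
    }[op]


def satisfies(version: str, constraint: str) -> bool:
    """OR over '|' / '||' alternatives, AND over ','-joined ranges."""
    alternatives = [a for a in re.split(r"\|\|?", constraint) if a.strip()]
    return any(
        all(satisfies_one(version, c) for c in alt.split(","))
        for alt in alternatives
    )


def conflict_constraint(branches: Dict[str, List[str]]) -> str:
    """Build a composer 'conflict' string: one ','-joined range per branch,
    branches joined with '|' (composer's OR)."""
    return "|".join(",".join(ranges) for ranges in branches.values())


def is_rejected(version: str, branches: Dict[str, List[str]]) -> bool:
    """A version is rejected when it satisfies the generated conflict."""
    return satisfies(version, conflict_constraint(branches))


if __name__ == "__main__":
    print("conflict:", conflict_constraint(FRIENDSOFPHP_BRANCHES))
    for label, data in (("bounded 7.x", FRIENDSOFPHP_BRANCHES),
                        ("open-ended 7.x", OPEN_ENDED_7X_BRANCHES)):
        print(f"{label}: 7.30.4 rejected = {is_rejected('7.30.4', data)}")
    print("GHSA range alone covers 7.30.4:", satisfies("7.30.4", GHSA_RANGE))
```

The practical check this gives you: when a version you believe is patched gets rejected, look at the branch entry in the upstream YAML and see whether it has an upper bound at all; as the thread says, the fix has to land in the advisory data, because the conflict list is generated from it rather than edited by hand.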