Closed toby-griffiths closed 2 years ago
Fixes are fixes, not opt-in.
When using a library, you will likely never use 100% of it, but if a version is marked as "affected by known security issues", you can either upgrade to a secure version, or not run tooling that complains about the installed version being outdated.
Please just upgrade.
OK. I thought you might say that. Thanks for the quick reply.
I've just seen that CakePHP have released v3.10.3 which looks to address the CSRF vulnerability that was causing it to be listed in this package.
It looks like an opt-in fix, however, so I'm not sure it's 'safe' now. How do we deal with this scenario?