Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

CakePHP 3.10.3 release - Does this fix the security issue reported #97

Closed toby-griffiths closed 2 years ago

toby-griffiths commented 2 years ago

I've just seen that CakePHP have released v3.10.3 which looks to address the CSRF vulnerability that was causing it to be listed in this package.

It looks like an opt-in fix, however, so not sure it's 'safe' now. How do we deal with this scenario?

Ocramius commented 2 years ago

Fixes are fixes, not opt-in.

By using a library, you will likely never use 100% of a library, but if a version is marked as "affected by known security issues", you can either upgrade to a secure version, or not run tooling that complains about the installed version being outdated.

Please just upgrade.

toby-griffiths commented 2 years ago

OK. I thought you might say that. Thanks for the quick reply.