#7665 updates component version constraints from ~2.5.0 to ^2.5 to ensure the latest security updates are always installed.
Zend Framework 2.5.2
SECURITY UPDATES
ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when running under php-fpm, because threading issues in libxml prevent use of that library's built-in mechanisms for disabling them. However, the heuristic was found to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic works with multibyte encodings.
If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.
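As an added illustration, not ZendXml's own code: the failure mode ZF2015-06 describes, shown with a byte-level scan for DOCTYPE/ENTITY markers that never matches a UTF-16 document, beside a check that normalises the input to UTF-8 first. The function names and the sample document are constructed for this example.

```php
<?php
// A byte-level scan only sees single-byte encodings: in UTF-16 every ASCII
// character is interleaved with NUL bytes, so "<!DOCTYPE" never matches.
function naiveHasDoctype(string $xml): bool
{
    return (bool) preg_match('/<!(?:DOCTYPE|ENTITY)/i', $xml);
}

// Guess the encoding from a BOM or from the NUL pattern of the "<?xml" prolog.
function detectXmlEncoding(string $xml): string
{
    $head = substr($xml, 0, 4);
    if (substr($head, 0, 3) === "\xEF\xBB\xBF") {
        return 'UTF-8';
    }
    if (substr($head, 0, 2) === "\xFE\xFF" || $head === "\x00<\x00?") {
        return 'UTF-16BE';
    }
    if (substr($head, 0, 2) === "\xFF\xFE" || $head === "<\x00?\x00") {
        return 'UTF-16LE';
    }
    return 'UTF-8';
}

// Same check, but converted to UTF-8 first so multibyte input is covered.
function hasDoctypeOrEntity(string $xml): bool
{
    $enc = detectXmlEncoding($xml);
    if ($enc !== 'UTF-8') {
        $xml = mb_convert_encoding($xml, 'UTF-8', $enc);
    }
    // A BOM converted to UTF-8 becomes U+FEFF; drop it before matching.
    $xml = preg_replace('/^\xEF\xBB\xBF/', '', $xml);
    return naiveHasDoctype($xml);
}

// Reject early, before DOMDocument ever sees the bytes.
function loadXmlSafely(string $xml): DOMDocument
{
    if (hasDoctypeOrEntity($xml)) {
        throw new RuntimeException('XML with DOCTYPE/ENTITY declarations is rejected');
    }
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NONET);
    return $dom;
}

// Constructed sample: a harmless internal entity, re-encoded as UTF-16LE.
$doc   = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY g "hi">]><r>&g;</r>';
$utf16 = mb_convert_encoding($doc, 'UTF-16LE', 'UTF-8');
var_dump(naiveHasDoctype($utf16), hasDoctypeOrEntity($utf16)); // naive scan misses it
```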
Restores PHP 5.3 compatibility in Zend\Mail\Header\HeaderValue.
Zend Framework 2.4.12
Fix signature issue with AbstractContainer::offsetGet
Zend Framework 2.4.11
SECURITY UPDATES
ZF2016-04: zend-mail contained a potential remote code execution vector via the Sendmail transport adapter when the local part of a From address contained escape sequences. This release adds additional validation and filtering of these addresses to prevent the vulnerability.
Zend Framework 2.4.10
Fix HeaderValue throwing an exception on legal characters
Zend Framework 2.4.9
SECURITY UPDATES
ZF2015-09: Zend\Captcha\Word generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy because it uses rand() instead of cryptographically stronger methods such as openssl_random_pseudo_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces the array_rand() calls with Zend\Math\Rand::getInteger(), which provides a better RNG.
ZF2015-10: Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() that used PHP's default $padding argument, OPENSSL_PKCS1_PADDING, which selects PKCS#1 v1.5 padding. This padding has a known vulnerability, Bleichenbacher's chosen-ciphertext attack, which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to OPENSSL_PKCS1_OAEP_PADDING.
Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant OPENSSL_PKCS1_PADDING to a new $padding argument in Zend\Crypt\PublicKey\Rsa::encrypt() and decrypt() (though typically this should only apply to the latter):
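An added example, not Zend\Crypt's own code: the two padding constants ZF2015-10 switches between, used directly with ext-openssl to re-encrypt values stored under the old PKCS#1 v1.5 padding with OAEP, which is the migration the paragraph above describes. The function name and the throwaway key pair are constructed for this example.

```php
<?php
// Re-encrypt one stored value: decrypt it with the legacy padding it was
// produced under, then encrypt again with OAEP so the new default can read it.
function reencryptWithOaep(string $legacyCiphertext, $privateKey, string $publicKeyPem): ?string
{
    $plain = '';
    if (!openssl_private_decrypt($legacyCiphertext, $plain, $privateKey, OPENSSL_PKCS1_PADDING)) {
        return null; // decryption under the legacy padding failed
    }
    $fresh = '';
    if (!openssl_public_encrypt($plain, $fresh, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;
    }
    return $fresh;
}

// Throwaway key pair, constructed for the demo.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];

// A value stored before the upgrade: ext-openssl's default is OPENSSL_PKCS1_PADDING.
$secret = 'stored-value';
$legacy = '';
openssl_public_encrypt($secret, $legacy, $pub);

// After the upgrade the default is OAEP, so the stored value no longer decrypts
// unless the legacy constant is passed explicitly.
$out = '';
$readableWithOaep   = openssl_private_decrypt($legacy, $out, $key, OPENSSL_PKCS1_OAEP_PADDING);
$readableWithLegacy = openssl_private_decrypt($legacy, $out, $key, OPENSSL_PKCS1_PADDING);

// Migrate once, then only OAEP is needed going forward.
$migrated = reencryptWithOaep($legacy, $key, $pub);
openssl_private_decrypt($migrated, $out, $key, OPENSSL_PKCS1_OAEP_PADDING);
var_dump($readableWithOaep, $readableWithLegacy, $out === $secret);
```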
#7665 updates component version constraints from ~2.5.0 to ^2.5 to ensure the latest security updates are always installed.
2.5.2 (2015-08-03)
SECURITY UPDATES
ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when running under php-fpm, because threading issues in libxml prevent use of that library's built-in mechanisms for disabling them. However, the heuristic was found to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic works with multibyte encodings.
If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.
2.5.1 (2015-06-04)
#7571 makes zend-ldap an optional dependency instead of a hard dependency, as zend-ldap has a hard requirement on ext-ldap, blocking installation for many users. If you use zend-ldap, you will need to run `composer require zendframework/zend-ldap` after upgrading to 2.5.1.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Watemlifts/Watemlifts../network/alerts).
Bumps zendframework/zendframework from 2.1.0 to 2.5.3.
Release notes
Sourced from zendframework/zendframework's releases.
... (truncated)
Changelog
Sourced from zendframework/zendframework's changelog.
... (truncated)
Commits
- aeb432d Merge branch 'feature/looser-constraints'
- 83f3d17 Added CHANGELOG for #7665
- c2300cc Updated dependencies to ^2.5
- 0993994 Merge branch 'release-2.5'
- 6babe86 Update zendxml to ^1.0.1
- 926de5b Merge pull request #7612 from radarhere/patch-1
- efb17a2 Fixed typo
- 096d3df Merge pull request #7576 from campersau/patch-1
- cc5cea4 update latest CHANGELOG.md with correct zf version
- 72a9689 Merge branch 'version/bump'