bugsnag / bugsnag-php

BugSnag error monitoring and crash reporting tool for PHP apps
https://docs.bugsnag.com/platforms/php
MIT License
554 stars 77 forks

Downstream Vulnerability - Guzzle <1.8.4 >=2.0.0, <2.1.1 #645

Closed jamessampford closed 2 years ago

jamessampford commented 2 years ago

Describe the bug

It seems that Guzzle has security vulnerabilities for <1.8.4 >=2.0.0, <2.1.1 [https://security.snyk.io/vuln/SNYK-PHP-GUZZLEHTTPPSR7-2431148]

Resolution

This can be circumvented by upping the version to 1.8.4/5 or 2.1.1+

GrahamCampbell commented 2 years ago

No changes are required in this repo. Composer will already get you the latest if you ask it. If a change were to be made here and you were refusing to upgrade the psr7 dependency, all that would happen is composer would keep using the older version of this library in order to satisfy that constraint.

GrahamCampbell commented 2 years ago

1.8.4/5 or 2.1.1+

The vulnerability was fixed in 1.8.4, 2.1.1 and 2.2.0, however those versions contained a bug introduced by the fix, which prompted the release of 1.8.5, 2.1.2 and 2.2.1.
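An added example, not part of the issue thread or of bugsnag-php: a small script that reads a composer.lock and reports whether the locked guzzlehttp/psr7 version falls in the ranges quoted above (<1.8.4 and >=2.0.0 <2.1.1), or is one of the first fix releases (1.8.4, 2.1.1, 2.2.0) that the follow-up comment says carried a bug corrected in 1.8.5, 2.1.2 and 2.2.1. It assumes the package meant by "Guzzle" is guzzlehttp/psr7 (as the Snyk identifier and the psr7 remark suggest); the composer.lock content is constructed for illustration, and only the version string of each package entry is consulted, so the output is about what is pinned in the lock file, not about constraints in composer.json.

```python
import json

# Package and ranges taken from the issue text; lower bound inclusive, upper bound exclusive.
PACKAGE = "guzzlehttp/psr7"
VULNERABLE_RANGES = [((0, 0, 0), (1, 8, 4)), ((2, 0, 0), (2, 1, 1))]
# Releases that fixed the vulnerability but, per the thread, introduced a bug of their own.
BUGGY_FIX_VERSIONS = {(1, 8, 4), (2, 1, 1), (2, 2, 0)}


def parse_version(version):
    """Turn 'v1.8.3', '2.1.1' or '1.8.5-rc1' into a comparable (major, minor, patch) tuple."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version):
    """Classify a single version string against the ranges above."""
    ver = parse_version(version)
    for low, high in VULNERABLE_RANGES:
        if low <= ver < high:
            return "vulnerable"
    if ver in BUGGY_FIX_VERSIONS:
        return "fixed-but-buggy"
    return "ok"


def locked_versions(lock_json):
    """Map package name -> pinned version for both 'packages' and 'packages-dev'."""
    data = json.loads(lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def check_lock(lock_json, package=PACKAGE):
    """Return (package, pinned version or None, verdict) for one composer.lock document."""
    versions = locked_versions(lock_json)
    if package not in versions:
        return (package, None, "absent")
    pinned = versions[package]
    return (package, pinned, assess(pinned))


# Constructed sample lock file (hypothetical contents, not from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "bugsnag/bugsnag", "version": "v3.0.0"},
        {"name": "guzzlehttp/psr7", "version": "1.8.3"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.0"},
    ],
})

if __name__ == "__main__":
    name, pinned, verdict = check_lock(SAMPLE_LOCK)
    print(f"{name} {pinned}: {verdict}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents; a "vulnerable" or "fixed-but-buggy" verdict means the lock file, not this library's composer.json, is what pins the affected version, which is the point made in the comments above.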

jamessampford commented 2 years ago

Ok, just thought better to change the dev requirement from ^1.3 to ^1.8.5