Open nadavkav opened 1 year ago
Thanks @nadavkav - we're slightly more motivated when upstream contains security issues or when upstream fixes something we need - otherwise we tend to update the lib in an ad-hoc manner - there is a readme file here if you want to give it a go and send a PR? https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/.extlib/UPGRADE.md
Hi @danmarsden , thank you, I will upgrade locally and send a PR.
I suspect that Exceptions may not be thrown as anticipated based on this report from the PHP 8.0 PHPCS compliance checker:

moodle-auth_saml2/.extlib/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Exception/RuntimeException.php
Line 12: The interface Throwable cannot be implemented directly, extend the Exception class instead.
(This is not a PHP8 thing)
Some of that looks like auto scan info that might trigger the same response on latest simplesamlphp lib to me... have they run snyk on latest simplesamlphp on its own?
I agree with @danmarsden that some of the warnings are not as serious as they seem to be, as they are coming from a static vulnerability code scan (which I am also running automatically for every MR) that has its limitations. BUT still, it is better to have an updated simplesamlphp version, as much as we can, which includes fixes for all the issues that are reported on their upstream repo: https://github.com/simplesamlphp/simplesamlphp, which is at the moment set to 2.0.5.
yeah - definitely worth updating if someone has the time to do this - pull requests always welcome! :-)
There are new upstream updates for the simplesamlphp lib. Please see if you can get a new version for /.extlib/simplesamlphp.