Closed gravelld closed 9 months ago
The current version requires firebase/php-jwt:^6.0, so I'm not sure what the concern is here?
https://github.com/googleapis/google-api-php-client/blob/main/composer.json#L12
(this was done 8 months ago - https://github.com/googleapis/google-api-php-client/pull/2431)
GHSA-8xf4-w7qw-pjjw is a vulnerability affecting all firebase/php-jwt versions before 6.0.0. Currently the composer.json allows versions 2.x.x-5.x.x. Clearly you'd like to retain as wide a support as possible, but the above declaration in composer.json means those of us who have to undergo security audits can't use the package.
What is the best approach here?
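An added example, not part of the thread and not the project's code: a small Python check that reads a composer.json and reports whether its firebase/php-jwt constraint still admits a release below 6.0.0. The `BEFORE` manifest is constructed to mirror the 2.x-5.x range described in the issue, and the function names are hypothetical. Only a subset of Composer constraint syntax is handled (`^`, `~`, `>=`, `<`, `<=`, exact and wildcard versions, `||` and AND); anything else raises an error.

```python
import json
import re

FIXED = (6, 0, 0)  # first unaffected firebase/php-jwt release, per the issue text
TERM = re.compile(r"(\^|~|>=|<=|<|)v?(\d+(?:\.\d+){0,2})(?:\.[x*])?")

# Constructed manifests: BEFORE mirrors the 2.x-5.x range the issue describes,
# AFTER uses the ^6.0 requirement quoted in the reply.
BEFORE = '{"require": {"firebase/php-jwt": "~2.0||~3.0||~4.0||~5.0||~6.0"}}'
AFTER = '{"require": {"firebase/php-jwt": "^6.0"}}'

def term_floor(term):
    """Lowest version a single constraint term admits, as a 3-tuple."""
    if term == "*":
        return (0, 0, 0)
    m = TERM.fullmatch(term)
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    op, ver = m.groups()
    if op in ("<", "<="):
        return (0, 0, 0)  # an upper bound on its own sets no floor
    parts = [int(p) for p in ver.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def constraint_floor(constraint):
    """Min over '||' alternatives of the max floor among ANDed terms."""
    floors = []
    for alt in re.split(r"\|\|?", constraint):
        alt = re.sub(r"(\^|~|>=|<=|<)\s+", r"\1", alt.strip())
        terms = [t for t in re.split(r"[,\s]+", alt) if t]
        floors.append(max((term_floor(t) for t in terms), default=(0, 0, 0)))
    return min(floors)

def audit(manifest_text, package="firebase/php-jwt", fixed=FIXED):
    """Return (constraint, floor, admits_vulnerable), or None if not required."""
    require = json.loads(manifest_text).get("require", {})
    if package not in require:
        return None
    floor = constraint_floor(require[package])
    return require[package], floor, floor < fixed

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```

This checks what the manifest permits; the version actually installed in a given project is recorded in its composer.lock.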