googleapis / google-api-php-client

A PHP client library for accessing Google APIs
http://googleapis.github.io/google-api-php-client/
Apache License 2.0

Dependency on JWT <6.x means security vulnerabilities cannot be avoided #2538

Closed. gravelld closed this 9 months ago

gravelld commented 9 months ago

GHSA-8xf4-w7qw-pjjw is a vulnerability affecting all firebase/php-jwt versions before 6.0.0. Currently the composer.json allows versions 2.x.x-5.x.x.

"firebase/php-jwt": "~2.0||~3.0||~4.0||~5.0||~6.0"

Clearly you'd like to retain as wide a support as possible, but the above declaration in composer.json means those of us who have to undergo security audits can't use the package.

What is the best approach here?

bshaffer commented 9 months ago

The current version requires firebase/php-jwt:^6.0, so I'm not sure what the concern is here?

https://github.com/googleapis/google-api-php-client/blob/main/composer.json#L12

bshaffer commented 9 months ago

(this was done 8 months ago - https://github.com/googleapis/google-api-php-client/pull/2431)
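The two points in the thread, that the old "~2.0||~3.0||~4.0||~5.0||~6.0" constraint admits every affected firebase/php-jwt release while "^6.0" does not, and that what an audit actually sees is the version pinned in composer.lock, can be checked with a short script. The following is an added example, not code from the thread or from the google-api-php-client project: it implements Composer's documented semantics for the `~`, `^`, exact and `||` constraint forms only, evaluates a constraint against a constructed list of release tags, flags the ones below the 6.0.0 fix version from GHSA-8xf4-w7qw-pjjw, and reads the pinned version out of a constructed composer.lock fragment. The release list and lock content are made up for the example.

```python
"""Check a composer.json constraint and a composer.lock pin against the
firebase/php-jwt fix version (6.0.0) from GHSA-8xf4-w7qw-pjjw.

Added example. It supports only the constraint syntax seen in the thread:
~X.Y, ^X.Y, exact versions, and "||" alternation.
"""
import json
import re

FIXED_IN = (6, 0, 0)  # first version not affected by the advisory

# Constructed release tags for the example; not the real tag list.
RELEASES = ["v2.0.0", "v3.0.0", "v4.0.0", "v5.0.0", "v5.5.1",
            "v6.0.0", "v6.1.0", "v6.10.0"]

# Constructed composer.lock fragment pinning a pre-fix version.
LOCK_JSON = json.dumps({
    "packages": [{"name": "firebase/php-jwt", "version": "v5.5.1"}]
})


def parse_version(tag):
    """'v5.5.1' or '5.5' -> (5, 5, 1); missing components become 0."""
    nums = [int(p) for p in re.findall(r"\d+", tag.lstrip("v"))]
    return tuple((nums + [0, 0, 0])[:3])


def _range_for(term):
    """One constraint term -> (lower_inclusive, upper_exclusive)."""
    m = re.fullmatch(r"([~^]?)(\d+(?:\.\d+)*)", term.strip())
    if not m:
        raise ValueError("unsupported constraint term: %r" % term)
    op, ver = m.groups()
    nums = [int(p) for p in ver.split(".")]
    lo = tuple((nums + [0, 0, 0])[:3])
    if op == "~":
        # Composer: ~1.2 is >=1.2 <2.0.0, ~1.2.3 is >=1.2.3 <1.3.0
        if len(nums) == 1:
            hi = (nums[0] + 1, 0, 0)
        else:
            bump = nums[:-1]
            bump[-1] += 1
            hi = tuple((bump + [0, 0, 0])[:3])
    elif op == "^":
        # Composer: ^1.2 is >=1.2 <2.0.0, ^0.3 is >=0.3 <0.4.0
        if nums[0] == 0 and len(nums) > 1:
            hi = (0, nums[1] + 1, 0)
        else:
            hi = (nums[0] + 1, 0, 0)
    else:
        # exact version: only that release matches
        hi = (lo[0], lo[1], lo[2] + 1)
    return lo, hi


def allowed_versions(constraint, releases):
    """Release tags admitted by an '||'-joined constraint, in input order."""
    ranges = [_range_for(t) for t in constraint.split("||")]
    return [r for r in releases
            if any(lo <= parse_version(r) < hi for lo, hi in ranges)]


def constraint_admits_vulnerable(constraint, releases, fixed_in=FIXED_IN):
    """Admitted releases that are still below the advisory's fix version."""
    return [r for r in allowed_versions(constraint, releases)
            if parse_version(r) < fixed_in]


def locked_version_vulnerable(lock_json, package="firebase/php-jwt",
                              fixed_in=FIXED_IN):
    """True/False for the pinned version; None if the package is not locked."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == package:
            return parse_version(pkg["version"]) < fixed_in
    return None


if __name__ == "__main__":
    old = "~2.0||~3.0||~4.0||~5.0||~6.0"   # constraint quoted in the issue
    new = "^6.0"                           # constraint on main per the reply
    for c in (old, new):
        print("%-32s admits vulnerable: %s"
              % (c, constraint_admits_vulnerable(c, RELEASES)))
    print("composer.lock pins a vulnerable version:",
          locked_version_vulnerable(LOCK_JSON))
```

The declared constraint tells you what Composer is permitted to resolve; the lock file tells you what it did resolve, and an auditor will look at the latter. Running the script shows the old constraint admits 2.0.0 through 5.5.1 while "^6.0" admits nothing below the fix, and that a lock pinning v5.5.1 is what actually needs updating.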