Security check fail with "padraic/humbug_get_contents" old version 1.0.4

[charlesc-ai]

Hello, I have noticed an issue recently : The package "padraic/phar-updater" requires "padraic/humbug_get_contents" version 1.0.4 but not newest version 1.1.2, which create failure in security check.

Are you going to update package "padraic/phar-updater" for solving this issue ?

Thanks in advance.

---

Symfony Security Check Report

// Checked file: /my_project/apache/volume/composer.lock

[ERROR] 1 packages have known vulnerabilities.

padraic/humbug_get_contents (1.0.4)

• CVE-2016-5385: HTTP Proxy header vulnerability https://github.com/humbug/file_get_contents/releases/tag/1.1.2

  ! [NOTE] This checker can only detect vulnerabilities that are referenced in
  ! the SensioLabs security advisories database. Execute this command
  ! regularly to check the newly discovered vulnerabilities.

Loaded config default from ".php_cs.dist".

[theofidry]

Hi, the package should be permissive enough to allow you to upgrade to humbug/file_get_contents 1.1.2 as the constraint is ^1.0.

So what you should do here is to update your dependencies. You can force Composer to not install those vulnerable dependencies by requiring Roave SecurityAdvisories.

[pjcdawkins]

Hi, the package should be permissive enough to allow you to upgrade to humbug/file_get_contents1.1.2 as the constraint is ^1.0.

GitHub might think that, but Packagist doesn't:

@theofidry I think you might need to click "Update" on Packagist, at least? until it shows the right constraint. (Maybe the 1.0.4 tag was force-pushed on this repo?)

[theofidry]

Erf, indeed looks like there is quite a difference between the last release and master. I'll try to update that ASAP

[theofidry]

Done. Please upgrade to 1.0.5.

However keep in mind that if you are stuck on PHP 5.3, this won't work. Indeed newer versions of padraic/file_get_contents are not compatible with 5.3.

[pjcdawkins]

Thanks @theofidry!

[charlesc-ai]

@theofidry Thanks, it works ! Just need to update both packages by "composer require padraic/phar-updater" and "composer require padraic/file_get_contents". Have a nice day !