usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/
116 stars, 49 forks

Dependabot alert on use of `guzzlehttp/psr7` #104

Closed. hayhurst closed this 2 months ago.

hayhurst commented 1 year ago
[image attachment]

Could this be looked into?

hayhurst commented 1 year ago

Looks like it's updated in the guzzle library already https://github.com/guzzle/guzzle/blob/7.5/composer.json

hayhurst commented 7 months ago

Bump :(

wavedeck commented 5 months ago

Took the time to update guzzlehttp to the latest version (7.8) and refactored the calls to get_config in the tests, since it's deprecated and will be removed in guzzlehttp 8.0.

Can confirm it works with no problems and doesn't need a bump in the PHP version requirements.

@sun @dominic-ks check out my fork here and maybe consider merging if you also want to include the refactor of get_config.

Edit: the specific commit for the refactor is: https://github.com/usefulteam/jwt-auth/commit/48937cf7a3356ca7ac42ccf3806251fa4b0d7085

wavedeck commented 5 months ago

@hayhurst since guzzlehttp is only used for unit testing, the vulnerability does not have an impact on the plugin's security in itself.

For the mentioned exploit to be possible, an attacker would have to have access to the developer's computer. But if that were the case, you'd have a completely different set of problems, and exploiting guzzlehttp would be the absolute least of your concerns.
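The triage argument above (a flagged package matters far less when it only appears under `packages-dev`) is something a maintainer can check mechanically from `composer.lock` rather than from memory. The following is an added example, not code from the jwt-auth project or from anyone in this thread: it indexes a constructed `composer.lock` excerpt, looks up the package a Dependabot alert names, and classifies it as not installed, already patched, vulnerable in a runtime dependency, or vulnerable in a dev-only dependency. The package versions and the `fixed_in` threshold passed to `triage()` are constructed placeholders for illustration and are not taken from any real advisory.

```python
import json
from typing import Dict, Tuple

# Constructed composer.lock excerpt for this example. It is NOT the project's
# real lock file; names and versions are placeholders.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "example/runtime-lib", "version": "1.2.0"},
    ],
    "packages-dev": [
        {"name": "guzzlehttp/guzzle", "version": "7.5.0"},
        {"name": "guzzlehttp/psr7", "version": "2.4.3"},
        {"name": "phpunit/phpunit", "version": "9.6.3"},
    ],
})


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a Composer version string ("v2.4.3", "7.5.0-beta1") to a
    comparable (major, minor, patch) tuple; non-numeric suffixes are dropped."""
    parts = []
    for piece in version.lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def index_lock(lock_json: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (installed version, scope) where scope is
    "runtime" for the "packages" section and "dev" for "packages-dev"."""
    lock = json.loads(lock_json)
    index: Dict[str, Tuple[str, str]] = {}
    for section, scope in (("packages", "runtime"), ("packages-dev", "dev")):
        for pkg in lock.get(section, []):
            index[pkg["name"]] = (pkg["version"], scope)
    return index


def triage(lock_json: str, package: str, fixed_in: str) -> str:
    """Classify an alert for `package` whose fix landed in version `fixed_in`.

    Returns one of:
      "not-installed"        - the lock file does not pin this package at all
      "patched"              - installed version is already >= fixed_in
      "vulnerable-runtime"   - affected version shipped as a runtime dependency
      "vulnerable-dev-only"  - affected version pulled in only for development
    """
    index = index_lock(lock_json)
    if package not in index:
        return "not-installed"
    installed, scope = index[package]
    if parse_version(installed) >= parse_version(fixed_in):
        return "patched"
    return "vulnerable-runtime" if scope == "runtime" else "vulnerable-dev-only"


if __name__ == "__main__":
    # Placeholder fixed_in values; substitute the version from the real advisory.
    for name, fixed in (("guzzlehttp/psr7", "2.4.5"),
                        ("example/runtime-lib", "1.1.0"),
                        ("nonexistent/pkg", "1.0.0")):
        print(f"{name}: {triage(COMPOSER_LOCK, name, fixed)}")
```

On a real checkout, `composer why guzzlehttp/psr7` gives the same dependency path interactively. A "dev-only" result lowers priority but does not close the issue: anyone running `composer install` without `--no-dev` (CI runners, contributors' machines) still receives the affected code, which is why bumping the dev dependency, as done in this thread, is still the right outcome.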

sun commented 5 months ago

@wavedeck Sounds great. :) Would you like to create a PR that contains the necessary changes?

Just make sure that your branch of the PR really only contains the minimum necessary changes to address the issue.

wavedeck commented 5 months ago

@sun this PR should close that issue (and also prevent a possibly overlooked rise in the required PHP version).