
CI: Fix old PHPUnit #5490

Merged
staabm merged 4 commits into phpstan:2.1.x from staabm:fix22
Apr 18, 2026

Conversation

@staabm (Contributor) commented Apr 18, 2026

Recently, CVEs for PHPUnit have been released which are not fixed for old-phpunit.

The advisory is PKSA-5jz8-6tcw-pbk4, affected versions >=13.0.0,<=13.1.5|<=12.5.21. That covers every 9.x, 10.x, 11.x, and 12.x up to 12.5.21 - so no 9.x fix exists. Only 12.5.22+ / 13.1.6+ are safe.

see https://github.com/phpstan/phpstan-src/actions/runs/24599331208/job/71935200063?pr=5478

Running composer update phpbench/phpbench phpunit/phpunit brianium/paratest symfony/console symfony/process doctrine/instantiator --with-dependencies
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires phpunit/phpunit ^9.6, found phpunit/phpunit[9.6.0, ..., 9.6.34] but these were not loaded, because they are affected by security advisories ("PKSA-5jz8-6tcw-pbk4", "PKSA-z3gr-8qht-p93v"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 2
    - Root composer.json requires brianium/paratest ^6.5 -> satisfiable by brianium/paratest[v6.5.0, ..., v6.11.1].
    - brianium/paratest[v6.9.1, ..., v6.11.1] require phpunit/phpunit ^9.6.4 -> found phpunit/phpunit[9.6.4, ..., 9.6.34] but these were not loaded, because they are affected by security advisories ("PKSA-5jz8-6tcw-pbk4", "PKSA-z3gr-8qht-p93v"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
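
As an added illustration (not part of this PR or of phpstan-src), the scoped alternative that the Composer error above points to: instead of turning the check off wholesale with `"block-insecure": false` (which is what the PR's original `COMPOSER_NO_SECURITY_BLOCKING=1` title amounted to), the two advisory IDs from the output are listed under `config.audit.ignore` with a reason each, so the block stays active for every other advisory. The reason strings are constructed; the advisory IDs are the ones quoted above.

```json
{
    "require-dev": {
        "phpunit/phpunit": "^9.6"
    },
    "config": {
        "audit": {
            "block-insecure": true,
            "ignore": {
                "PKSA-5jz8-6tcw-pbk4": "PHPUnit 9.x is required for this test matrix and no patched 9.x release exists; remove this entry once one is published (constructed reason).",
                "PKSA-z3gr-8qht-p93v": "Same situation as PKSA-5jz8-6tcw-pbk4; remove together with it (constructed reason)."
            }
        }
    }
}
```

The ignore list is an explicit, reviewable record of accepted risk that `composer audit` still reports, whereas the environment variable or `block-insecure: false` silently disables the check for the whole dependency tree.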

@staabm changed the title from "COMPOSER_NO_SECURITY_BLOCKING:1 for tests with old PHPUnit" to "COMPOSER_NO_SECURITY_BLOCKING=1 for tests with old PHPUnit" Apr 18, 2026
@staabm requested a review from VincentLanglet April 18, 2026 07:25
@ondrejmirtes (Member)

Why? What's failing?

@ondrejmirtes (Member)

I'd say it's very dangerous to "fix" it like that. I'd rather have an exception for these specific CVEs and make sure to remove it once it's fixed again.

@staabm (Contributor, Author) commented Apr 18, 2026

The advisory is PKSA-5jz8-6tcw-pbk4, affected versions >=13.0.0,<=13.1.5|<=12.5.21. That covers every 9.x, 10.x, 11.x, and 12.x up to 12.5.21 - so no 9.x fix exists. Only 12.5.22+ / 13.1.6+ are safe.

@staabm changed the title from "COMPOSER_NO_SECURITY_BLOCKING=1 for tests with old PHPUnit" to "CI: Fix old PHPUnit" Apr 18, 2026
@staabm requested a review from ondrejmirtes April 18, 2026 07:52
@staabm merged commit 436f8f4 into phpstan:2.1.x Apr 18, 2026
651 of 653 checks passed
@staabm deleted the fix22 branch April 18, 2026 08:57
@ondrejmirtes (Member)

And now revert it please.

context https://phpc.social/@sebastian/116424686237276260

staabm added a commit to staabm/phpstan-src that referenced this pull request Apr 18, 2026
staabm added a commit that referenced this pull request Apr 18, 2026