Skip to content

Composer Security audit failure: firebase/php-jwt #407

Description

@jennquen

SDK you're using (please complete the following information):

  • Version 3.0 but looks to still be relevant on 10.4

Describe the bug
Not loading due to security audit flag on firebase firebase/php-jwt version

  Problem 1
    - Root composer.json requires xeroapi/xero-php-oauth2 ^10.4 -> satisfiable by xeroapi/xero-php-oauth2[10.4.0].      
    - xeroapi/xero-php-oauth2 10.4.0 requires firebase/php-jwt ^6.0 -> found firebase/php-jwt[v6.0.0, ..., v6.11.1] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-y2cr-5h3j-g3ys") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Tried forcing firebase/php-jwt ^7.0 but to no avail

  Problem 1
    - Root composer.json requires xeroapi/xero-php-oauth2 ^10.4.0 -> satisfiable by xeroapi/xero-php-oauth2[10.4.0].    
    - xeroapi/xero-php-oauth2 10.4.0 requires firebase/php-jwt ^6.0 -> found firebase/php-jwt[v6.0.0, ..., v6.11.1] but it conflicts with your root composer.json require (^7.0).

To Reproduce
Steps to reproduce the behavior:

  1. Go to any project with xeroapi/xero-php-oauth2
  2. delete composer.lock (or don't have one) or change xeroapi/xero-php-oauth2 version number in composer
  3. Run composer install or composer update
  4. See error

Expected behavior
System to load without needing to ignore a security advisory

Additional context
Ignoring the audit issue does work as a temporary measure

Image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions