phpunit <12 still marked as vulnerable

[uuf6429]

The fix in 7d0034b is not correct. PHPUnit <12 is still marked as vulnerable, when in fact only two specific versions were vulnerable (one in v12 and one in v13). See also: github/advisory-database#7430

AFAIK the advisory in Composer/Packagist looks more correct as it takes into consideration other vulnerabilities: https://packagist.org/packages/phpunit/phpunit/advisories

[xabbuh]

See also: github/advisory-database#7430

Once this PR is merged this database should update automatically shortly after IIRC.

[Ocramius]

What other sources could be crawled? 🤔

[uuf6429]

@xabbuh it just worries me that GitHub hasn't accepted a simple, clear and urgent fix in almost 12 hours. Anyone relying on this package has been unable to run CI (relying on PHPUnit <12) without hacks during this time frame.

What other sources could be crawled? 🤔

@Ocramius If I understand this right, maybe https://github.com/FriendsOfPHP/security-advisories (which is used by composer/packagist?)?

To be clear, I'm only annoyed about GitHub/GHSA... I totally get it that you might not want to tweak anything manually in the meantime.

[Ocramius]

@Ocramius If I understand this right, maybe https://github.com/FriendsOfPHP/security-advisories (which is used by composer/packagist?)?

already used here

[uuf6429]

Then I suppose there nothing to do here, just wait for GitHub to do their thing.