Skip to content

fix(deps): security bumps for 12 Dependabot alerts#2344

Merged
krishana7911 merged 3 commits into
developfrom
deps/security-fixes-2026-06-30
Jun 30, 2026
Merged

fix(deps): security bumps for 12 Dependabot alerts#2344
krishana7911 merged 3 commits into
developfrom
deps/security-fixes-2026-06-30

Conversation

@rtBot

@rtBot rtBot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

Lockfile-only security bumps addressing 12 open Dependabot alerts (10 composer dev-dependencies in tests/codeception/composer.lock, 2 npm dev-dependencies in package-lock.json). No production runtime code or manifest constraints changed; all bumps stay within the same major version.

Alerts fixed (12)

Package Old → New Alert Severity GHSA / CVE Ecosystem
composer/composer 2.9.4 → 2.9.8 #138 HIGH GHSA-f9f8-rm49-7jv2 / CVE-2026-45793 composer
tmp 0.2.5 → 0.2.7 #144 HIGH GHSA-ph9p-34f9-6g65 / CVE-2026-44705 npm
guzzlehttp/guzzle 7.10.0 → 7.12.1 #148 medium GHSA-cwxw-98qj-8qjx / CVE-2026-55767 composer
guzzlehttp/guzzle 7.10.0 → 7.12.1 #147 medium GHSA-wpwq-4j6v-78m3 / CVE-2026-55568 composer
guzzlehttp/psr7 2.8.0 → 2.12.1 #149 medium GHSA-vm85-hxw5-5432 / CVE-2026-55766 composer
guzzlehttp/psr7 2.8.0 → 2.12.1 #146 medium GHSA-hq7v-mx3g-29hw / CVE-2026-49214 composer
guzzlehttp/psr7 2.8.0 → 2.12.1 #145 medium GHSA-34xg-wgjx-8xph / CVE-2026-48998 composer
qs 6.15.0 → 6.15.2 #139 medium GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 npm
symfony/yaml v5.4.45 → v5.4.53 #143 low GHSA-4qpc-3hr4-r2p4 / CVE-2026-45304 composer
symfony/yaml v5.4.45 → v5.4.53 #142 low GHSA-9frc-8383-795m / CVE-2026-45305 composer
symfony/yaml v5.4.45 → v5.4.53 #141 low GHSA-c2p3-7m5p-cv8x / CVE-2026-45133 composer
symfony/dom-crawler v5.4.48 → v5.4.52 #140 low GHSA-x6g4-fwcc-jj8w / CVE-2026-45071 composer

(symfony/yaml goes to v5.4.53; first_patched is v5.4.52, threshold satisfied. tmp goes to 0.2.7; first_patched 0.2.6, satisfied.)

Why these are safe

  • All patched versions are the SAME MAJOR as installed — no breaking major bumps.
  • composer bumps were applied by transplanting the patched package entries verbatim from the corresponding dependabot[bot] commits; content-hash is unchanged (these are dev-dependency bumps that do not alter composer.json constraints).
  • npm bumps were taken by cherry-picking (-x) the Dependabot commits for qs and tmppackage-lock.json only.
  • Only the five target composer package blocks and the two npm package entries are modified; no unrelated transitive churn.

How tested

Lockfile-only change — NOT built or installed locally (per disk-discipline constraints; no composer install / npm ci). Both lockfiles validated as parseable JSON. Please verify via CI.

Residual risk

  • None flagged: all 12 open alerts are addressed by same-major patches and the packages were present at vulnerable versions in the referenced manifests.

rtBot and others added 3 commits June 30, 2026 10:19
Bumps in tests/codeception/composer.lock (composer ecosystem):
- guzzlehttp/psr7 2.8.0 -> 2.12.1 (GHSA-hq7v-mx3g-29hw CVE-2026-49214, GHSA-34xg-wgjx-8xph CVE-2026-48998, GHSA-vm85-hxw5-5432 CVE-2026-55766; alerts #146 #145 #149)
- guzzlehttp/guzzle 7.10.0 -> 7.12.1 (GHSA-cwxw-98qj-8qjx CVE-2026-55767, GHSA-wpwq-4j6v-78m3 CVE-2026-55568; alerts #148 #147)
- symfony/dom-crawler v5.4.48 -> v5.4.52 (GHSA-x6g4-fwcc-jj8w CVE-2026-45071; alert #140)
- symfony/yaml v5.4.45 -> v5.4.53 (GHSA-4qpc-3hr4-r2p4, GHSA-9frc-8383-795m, GHSA-c2p3-7m5p-cv8x; alerts #143 #142 #141)
- composer/composer 2.9.4 -> 2.9.8 (GHSA-f9f8-rm49-7jv2 CVE-2026-45793; alert #138)

Patched entries taken verbatim from Dependabot commits. content-hash unchanged (dev-dependency bumps; composer.json constraints unmodified).
Bumps [qs](https://github.com/ljharb/qs) from 6.15.0 to 6.15.2.
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.15.0...v6.15.2)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 19ea40a)
Bumps [tmp](https://github.com/raszi/node-tmp) from 0.2.5 to 0.2.7.
- [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
- [Commits](raszi/node-tmp@v0.2.5...v0.2.7)

---
updated-dependencies:
- dependency-name: tmp
  dependency-version: 0.2.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 56cdf80)
Copilot AI review requested due to automatic review settings June 30, 2026 10:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@NoumaanAhamed NoumaanAhamed left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@krishana7911 krishana7911 self-assigned this Jun 30, 2026
@krishana7911 krishana7911 merged commit 383d1c2 into develop Jun 30, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants