Skip to content

fix: update symfony/process to v7.4.5 (CVE-2026-24739)#45

Open
somethingwithproof wants to merge 1 commit intocluebotng:mainfrom
somethingwithproof:fix/security-vulnerability
Open

fix: update symfony/process to v7.4.5 (CVE-2026-24739)#45
somethingwithproof wants to merge 1 commit intocluebotng:mainfrom
somethingwithproof:fix/security-vulnerability

Conversation

@somethingwithproof
Copy link

@somethingwithproof somethingwithproof commented Feb 11, 2026
edited
Loading

Upgrades symfony/process from v7.3.4 to v7.4.5.

The upstream advisory (CVE-2026-24739) describes a command injection vector in the Process component. While this dependency is transitive via phplint and only executes in CI, applying the fix is low-risk and keeps the lock file free of known CVEs.

Changes

  • composer.lock: bump symfony/process v7.3.4 → v7.4.5

Risk

Low — patch-level bump of a transitive dev dependency. No application code changes.

@DamianZaremba
Copy link
Member

DamianZaremba commented Feb 13, 2026

There are a number of changes included here which are not described in the PR.

Please can you describe the security issue you are attempting to resolve here.

symfony/process is a transitive dependency of phplint which is only executed in an isolated CI environment.

Please can you describe the purpose of altering the workflow permissions.

Both jobs are executed for all changes, using the permissions described in the current workflow.

Applying the permissions at the top level or per job essentially grants the same rights to CI.

Please can you describe the purpose of applying a pin to the infrabits/ci-pack action.

This action repo is directly controlled and deliberately tracks the latest code to minimise maintainer overhead.

@somethingwithproof
fix: update symfony/process to v7.4.5 (CVE-2026-24739)
d00cab6 
Upgrades symfony/process from v7.3.4 to v7.4.5. The upstream advisory
(CVE-2026-24739) describes a command injection vector in the Process
component. While this dependency is transitive via phplint and only
executes in CI, applying the fix is low-risk and keeps the lock file
free of known CVEs.
@somethingwithproof somethingwithproof force-pushed the fix/security-vulnerability branch from fa5fc0c to d00cab6 Compare February 16, 2026 09:48
@somethingwithproof
Copy link
Author

somethingwithproof commented Feb 16, 2026

Thanks for the review. You're right on all three points — I've stripped the CI changes and reduced this to just the composer.lock bump.

Please can you describe the security issue you are attempting to resolve here. symfony/process is a transitive dependency of phplint which is only executed in an isolated CI environment.

Fair point. CVE-2026-24739 is a command injection in symfony/process. Since it's transitive via phplint and CI-only, the practical risk is minimal. That said, the fix is a patch-level bump with no behavioral changes, so it keeps the lock file clean of known CVEs at zero cost.

Please can you describe the purpose of altering the workflow permissions.

Removed. Top-level vs per-job scoping doesn't change the effective permissions here.

Please can you describe the purpose of applying a pin to the infrabits/ci-pack action.

Removed. Understood that it's org-controlled and tracking main is intentional.

The PR now contains only the composer.lock change (symfony/process v7.3.4 → v7.4.5).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@somethingwithproof @DamianZaremba