From d00cab6a289a903379d55a97553a859ce5cea3b4 Mon Sep 17 00:00:00 2001 From: Thomas Vincent Date: Mon, 16 Feb 2026 01:48:22 -0800 Subject: [PATCH] fix: update symfony/process to v7.4.5 (CVE-2026-24739) Upgrades symfony/process from v7.3.4 to v7.4.5. The upstream advisory (CVE-2026-24739) describes a command injection vector in the Process component. While this dependency is transitive via phplint and only executes in CI, applying the fix is low-risk and keeps the lock file free of known CVEs. --- composer.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/composer.lock b/composer.lock index caf83e9..af70d31 100644 --- a/composer.lock +++ b/composer.lock @@ -2033,16 +2033,16 @@ }, { "name": "symfony/process", - "version": "v7.3.4", + "version": "v7.4.5", "source": { "type": "git", "url": "https://github.com/symfony/process.git", - "reference": "f24f8f316367b30810810d4eb30c543d7003ff3b" + "reference": "608476f4604102976d687c483ac63a79ba18cc97" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/process/zipball/f24f8f316367b30810810d4eb30c543d7003ff3b", - "reference": "f24f8f316367b30810810d4eb30c543d7003ff3b", + "url": "https://api.github.com/repos/symfony/process/zipball/608476f4604102976d687c483ac63a79ba18cc97", + "reference": "608476f4604102976d687c483ac63a79ba18cc97", "shasum": "" }, "require": { @@ -2074,7 +2074,7 @@ "description": "Executes commands in sub-processes", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/process/tree/v7.3.4" + "source": "https://github.com/symfony/process/tree/v7.4.5" }, "funding": [ { @@ -2094,7 +2094,7 @@ "type": "tidelift" } ], - "time": "2025-09-11T10:12:26+00:00" + "time": "2026-01-26T15:07:59+00:00" }, { "name": "symfony/service-contracts",