Bump php-saml to solve vulnerability #18380
base: develop
Conversation
I'm not sure what went wrong here: I've enforced the dependency on 3.8.1, but 3.8.0 is taken anyway? 🤔 EDIT: Ok, I was missing the
ec3b6c1 to f983919
Hi there - thanks for this! Can you please re-target this PR to point to the You don't need to close and re-open. After you create a pull request, you can modify the base branch so that the changes in the pull request are compared against a different branch. By changing the base branch of your original pull request rather than opening a new one with the correct base branch, you'll be able to keep valuable work and discussion. Thanks!
I did that from mobile, but now this requires a rebase. I'll do it ASAP.
f983919 to eba3361
| "nunomaduro/collision": "^8.1", | ||
| "okvpn/clock-lts": "^1.0", | ||
| "onelogin/php-saml": "^3.4", | ||
| "onelogin/php-saml": "^3.8.1", |
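Review bot: the `^3.8.1` constraint on its own does not change what gets installed until composer.lock is regenerated; given the earlier comment that 3.8.0 was still being taken, confirm the lock file in this PR resolves `onelogin/php-saml` to 3.8.1 or later so CI and deployments actually pick up the patched release.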
You probably don't need to make this change as it is implied in the semver (at least I wouldn't, but maybe the maintainers would). 2¢
Yes, I know. However, I don't see why I should skip it and risk someone downgrading it. Hence the bump.
Totally fair. This is more a personal quirk of mine than a strong opinion. I tend to normalize to ^3.0 since it makes diffs a bit easier to scan across projects, but I see where you're coming from.
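To make the semver point in this thread concrete, here is an added example (not the project's or the PR author's code) that evaluates Composer caret constraints and checks a constructed composer.lock excerpt against the 3.8.1 floor; the lock contents are invented for illustration.

```python
import json
import re

# Constructed composer.lock excerpt (not the project's real lock file):
# the constraint was bumped but the lock still resolves 3.8.0.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "okvpn/clock-lts", "version": "1.0.2"},
        {"name": "onelogin/php-saml", "version": "3.8.0"},
    ]
})


def parse_version(v):
    """'3.8.1' or 'v3.8.1' -> (3, 8, 1); missing parts default to 0."""
    parts = v.lstrip("v").split(".")
    return tuple(int(p) for p in (parts + ["0", "0"])[:3])


def caret_range(constraint):
    """Composer caret semantics: ^3.4 -> >=3.4.0 <4.0.0, ^3.8.1 -> >=3.8.1 <4.0.0,
    ^0.3 -> >=0.3.0 <0.4.0, ^0.0.3 -> >=0.0.3 <0.0.4."""
    m = re.fullmatch(r"\^(\d+)(?:\.(\d+))?(?:\.(\d+))?", constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint}")
    major, minor, patch = (int(x) if x is not None else 0 for x in m.groups())
    if major > 0:
        high = (major + 1, 0, 0)
    elif minor > 0 or patch == 0:
        high = (0, minor + 1, 0)
    else:
        high = (0, 0, patch + 1)
    return (major, minor, patch), high


def satisfies(version, constraint):
    """True when the version lies inside the caret range."""
    low, high = caret_range(constraint)
    return low <= parse_version(version) < high


def locked_version(lock_json, package):
    """Return the version composer.lock pins for a package, or None."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg["name"] == package:
                return pkg["version"]
    return None


def fix_is_effective(lock_json, package="onelogin/php-saml", minimum="3.8.1"):
    """True only when the locked version actually meets the patched floor."""
    v = locked_version(lock_json, package)
    return v is not None and parse_version(v) >= parse_version(minimum)
```

A loose constraint such as `^3.4` (or a normalized `^3.0`) still admits every pre-fix 3.x release, so the lock check is what tells you whether the patched version really landed.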

Bumping php-saml to 3.8.1 due to GHSA-5j8p-438x-rgg5.
I took a look at your implementation and I've found no breaking change in the php-saml CHANGELOG.