
[SITE-5767] Update composer dependencies to fix xmlseclibs vulnerabilities #477

Merged: pwtyler merged 2 commits into main from update/composer-dependencies on May 15, 2026

Conversation

@AnaisPantheor (Contributor) commented May 15, 2026

Summary

  • Updates onelogin/php-saml from 4.2.0 to 4.3.2
  • Updates robrichards/xmlseclibs from 3.1.3 to 3.1.5
  • Updates 33 other dev/transitive dependencies to latest compatible versions

Dependencies have not been updated in 5 months. This PR was prompted by a user complaint on the WordPress support forum reporting the xmlseclibs vulnerability.

Security

Resolves 3 open Dependabot alerts:

Alert | Package                | CVE
#13   | robrichards/xmlseclibs | Libxml2 Canonicalization error bypasses Digest/Signature validation
#14   | onelogin/php-saml      | SAML PHP Toolkit Vulnerability (CVE-2025-66475)
#16   | robrichards/xmlseclibs | Missing AES-GCM Authentication Tag Validation allows unauthorized decryption

References:

Test plan

  • CI passes (lint + PHPUnit + Behat)
  • Verify SAML login flow works with updated dependencies
  • Confirm Dependabot alerts close after merge
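As an added check to go with the test plan above (this is example code, not part of this PR or the project's own tooling): a small script that reads a composer.lock and confirms the two security-relevant packages are at or above the versions this PR pins. The minimum versions and package names come from the summary above; the two lock-file fragments are constructed for the example and carry only the fields the check needs.

```python
"""Verify that a composer.lock pins fixed versions of onelogin/php-saml and
robrichards/xmlseclibs. Added example; not code from the PR or the project."""
import json
import re

# Minimum fixed versions, taken from the PR summary.
MINIMUM_VERSIONS = {
    "onelogin/php-saml": "4.3.2",
    "robrichards/xmlseclibs": "3.1.5",
}

# Constructed composer.lock fragments. A real lock file has many more fields
# (dist, source, autoload, ...) which this check deliberately ignores.
LOCK_BEFORE = json.dumps({
    "packages": [
        {"name": "onelogin/php-saml", "version": "4.2.0"},
        {"name": "robrichards/xmlseclibs", "version": "3.1.3"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.6.23"}],
})
LOCK_AFTER = json.dumps({
    "packages": [
        {"name": "onelogin/php-saml", "version": "4.3.2"},
        {"name": "robrichards/xmlseclibs", "version": "3.1.5"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.6.34"}],
})


def parse_version(version: str):
    """Turn 'v4.3.2' or '4.3.2' into the tuple (4, 3, 2) for comparison.
    Branch aliases such as 'dev-master' are not comparable and yield None."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", version)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def check_lock(lock_json: str, minimums: dict = MINIMUM_VERSIONS) -> dict:
    """Return {package: status}, where status is one of:
    'ok'          - installed version >= minimum
    'outdated'    - installed version < minimum (alert still open)
    'missing'     - package not present in the lock at all
    'unparseable' - version is a branch alias; inspect by hand
    Both prod and dev sections are scanned, since a vulnerable library pulled
    in only for tests still ends up on developer machines and CI runners."""
    lock = json.loads(lock_json)
    installed = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            installed[pkg["name"]] = pkg["version"]

    result = {}
    for name, minimum in minimums.items():
        if name not in installed:
            result[name] = "missing"
            continue
        have = parse_version(installed[name])
        if have is None:
            result[name] = "unparseable"
        elif have >= parse_version(minimum):
            result[name] = "ok"
        else:
            result[name] = "outdated"
    return result


if __name__ == "__main__":
    # Usage: compare the constructed before/after lock files.
    for label, lock in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        print(label, check_lock(lock))
```

Run against a real lock file by reading it into `check_lock` instead of the constructed fragments; any result other than `ok` for both packages means the Dependabot alerts listed above would still apply to that checkout.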

@github-actions Bot commented May 15, 2026

Composer Changes

Prod Packages          | Operation | Base  | Target
onelogin/php-saml      | Upgraded  | 4.2.0 | 4.3.2
robrichards/xmlseclibs | Upgraded  | 3.1.3 | 3.1.5

Dev Packages                                       | Operation  | Base               | Target
behat/mink                                         | Upgraded   | v1.12.0            | v1.13.0
dealerdirect/phpcodesniffer-composer-installer     | Upgraded   | v1.0.0             | v1.2.1
doctrine/instantiator                              | Downgraded | 2.0.0              | 1.5.0
myclabs/deep-copy                                  | Upgraded   | 1.13.1             | 1.13.4
nikic/php-parser                                   | Upgraded   | v5.4.0             | v5.7.0
pantheon-systems/pantheon-wordpress-upstream-tests | Changed    | dev-master 1fa393d | dev-master 1cc8751
pantheon-systems/wpunit-helpers                    | Upgraded   | v2.0.2             | v2.0.7
phpcompatibility/phpcompatibility-paragonie        | Upgraded   | 1.3.3              | 1.3.4
phpcompatibility/phpcompatibility-wp               | Upgraded   | 2.1.7              | 2.1.8
phpcsstandards/phpcsextra                          | Upgraded   | 1.3.0              | 1.5.0
phpcsstandards/phpcsutils                          | Upgraded   | 1.0.12             | 1.2.2
phpstan/phpdoc-parser                              | Upgraded   | 1.33.0             | 2.3.2
phpunit/phpunit                                    | Upgraded   | 9.6.23             | 9.6.34
sebastian/comparator                               | Upgraded   | 4.0.8              | 4.0.10
sebastian/exporter                                 | Upgraded   | 4.0.6              | 4.0.8
sebastian/global-state                             | Upgraded   | 5.0.7              | 5.0.8
sebastian/recursion-context                        | Upgraded   | 4.0.5              | 4.0.6
sirbrillig/phpcs-variable-analysis                 | Upgraded   | v2.12.0            | v2.13.0
slevomat/coding-standard                           | Upgraded   | 8.15.0             | 8.22.1
spryker/code-sniffer                               | Downgraded | 0.17.28            | 0.17.18
squizlabs/php_codesniffer                          | Upgraded   | 3.13.0             | 3.13.5
symfony/deprecation-contracts                      | Downgraded | v3.5.1             | v2.5.4
symfony/event-dispatcher-contracts                 | Downgraded | v3.5.1             | v2.5.4
symfony/polyfill-ctype                             | Upgraded   | v1.32.0            | v1.37.0
symfony/polyfill-intl-grapheme                     | Upgraded   | v1.32.0            | v1.37.0
symfony/polyfill-intl-idn                          | Upgraded   | v1.32.0            | v1.37.0
symfony/polyfill-intl-normalizer                   | Upgraded   | v1.32.0            | v1.37.0
symfony/polyfill-mbstring                          | Upgraded   | v1.32.0            | v1.37.0
symfony/polyfill-php73                             | Upgraded   | v1.32.0            | v1.37.0
symfony/polyfill-php80                             | Upgraded   | v1.32.0            | v1.37.0
symfony/polyfill-php81                             | Upgraded   | v1.32.0            | v1.37.0
symfony/string                                     | Downgraded | v6.4.21            | v5.4.47
symfony/yaml                                       | Downgraded | v6.4.21            | v5.4.45
theseer/tokenizer                                  | Upgraded   | 1.2.3              | 1.3.1
wp-coding-standards/wpcs                           | Upgraded   | 3.1.0              | 3.3.0

@codacy-production Bot commented May 15, 2026

Up to standards ✅

Issues: 0 new issues
Metrics: 0 duplication

@AnaisPantheor AnaisPantheor marked this pull request as ready for review May 15, 2026 20:04
@AnaisPantheor AnaisPantheor requested a review from a team as a code owner May 15, 2026 20:04
@pwtyler pwtyler merged commit ece4d73 into main May 15, 2026
38 of 41 checks passed
@pwtyler pwtyler deleted the update/composer-dependencies branch May 15, 2026 21:52
@pwtyler pwtyler changed the title Update composer dependencies to fix xmlseclibs vulnerabilities [SITE-5767] Update composer dependencies to fix xmlseclibs vulnerabilities May 19, 2026