Page MenuHomePhabricator
Create Task
Maniphest T416292

Building MediaWiki 1.43.6 fails due to phpunit security advisory PKSA-z3gr-8qht-p93v
Open, Needs TriagePublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  1. In a Dockerfile, use "FROM mediawiki:1.43.6"
  2. Install from the composer:latest
  3. Install semantic mediawiki and some extensions.
  4. The docker-compose build step fails with 2 errors

See this GitHub action log with the build failure https://github.com/Zelnox/giant-bomb-wiki/actions/runs/21611206859/job/62280142474

What happens?:
Extracted from the log linked above:

#19 14.44   Problem 1
#19 14.44     - Root composer.json requires phpunit/phpunit 9.6.19 (exact version match: 9.6.19 or 9.6.19.0), found phpunit/phpunit[9.6.19] but these were not loaded, because they are affected by security advisories ("PKSA-z3gr-8qht-p93v"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
#19 14.44   Problem 2
#19 14.44     - Root composer.json requires johnkary/phpunit-speedtrap ^4.0 -> satisfiable by johnkary/phpunit-speedtrap[v4.0.0, v4.0.1].
#19 14.44     - johnkary/phpunit-speedtrap[v4.0.0, ..., v4.0.1] require phpunit/phpunit ^7.0 || ^8.0 || ^9.0 -> found phpunit/phpunit[7.0.0, ..., 7.5.20, 8.0.0, ..., 8.5.52, 9.0.0, ..., 9.6.34] but these were not loaded, because they are affected by security advisories ("PKSA-z3gr-8qht-p93v"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
#19 14.44 
#19 14.44 Running update with --no-dev does not mean require-dev is ignored, it just means the packages will not be installed. If dev requirements are blocking the update you have to resolve those problems.
#19 ERROR: process "/bin/sh -c cd /var/www/html  && COMPOSER=composer.local.json php /usr/local/bin/composer require --no-update mediawiki/semantic-media-wiki  && php /usr/local/bin/composer require --no-update mediawiki/semantic-extra-special-properties  && php /usr/local/bin/composer require --no-update mediawiki/semantic-result-formats  && php /usr/local/bin/composer require --no-update mediawiki/semantic-scribunto dev-master  && php /usr/local/bin/composer require --no-update \"wikimedia/css-sanitizer:^5.5.0\"  && docker-php-ext-configure zip  && docker-php-ext-install zip  && cd /var/www/html/extensions/  && git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/PageForms.git  && git clone -b 'REL1_43' --single-branch --depth 1 https://gerrit.wikimedia.org/r/mediawiki/extensions/DisplayTitle  && git clone -b 'REL1_43' --single-branch --depth 1 https://gerrit.wikimedia.org/r/mediawiki/extensions/TemplateStyles  && git clone -b 'REL1_43' --single-branch --depth 1 https://gerrit.wikimedia.org/r/mediawiki/extensions/Popups  && wget https://github.com/octfx/mediawiki-extensions-TemplateStylesExtender/archive/refs/tags/v2.0.0.zip  && unzip v2.0.0.zip && rm v2.0.0.zip && mv mediawiki-extensions-TemplateStylesExtender-2.0.0 TemplateStylesExtender  && cd /var/www/html/  && composer update --no-dev" did not complete successfully: exit code: 2

What should have happened instead?:
The image should build without errors.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
MediaWiki 1.43.6
PHP 8.3.30 (apache2handler)
ICU 76.1
MariaDB 11.8.5-MariaDB-ubu2404
Lua 5.1.5

Other information (browser name/version, screenshots, etc.):

  • Separately, I have tested using composer:2.2 and that also builds successfully (without modifying of the composer.json file).

Related Objects

Event Timeline

Zelnox2 created this task.Tue, Feb 3, 3:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptTue, Feb 3, 3:29 AM
Zelnox2 updated the task description. (Show Details)Tue, Feb 3, 3:47 AM
ChristianHeusel subscribed.Wed, Feb 4, 12:11 PM

While this bug manifests in docker the file in question is not specific to the Docker deployment and should instead be modified in the upstream mediawiki codebase no?

bovender subscribed.Wed, Feb 4, 4:13 PM
Zelnox2 added a comment.Wed, Feb 4, 6:15 PM
In T416292#11582851, @ChristianHeusel wrote:

While this bug manifests in docker the file in question is not specific to the Docker deployment and should instead be modified in the upstream mediawiki codebase no?

You are right. I don't know which team would handle that.

ChristianHeusel removed a project: Docker-Hub-MediaWiki.Wed, Feb 4, 7:45 PM
taavi added projects: MediaWiki-Core-Tests, MediaWiki-Vendor.Wed, Feb 4, 7:50 PM
taavi added a project: MW-1.43-release.
taavi mentioned this in T416518: Disable Composer 2.9 functionality to randomly block existing configurations from working.Wed, Feb 4, 7:58 PM
A_smart_kitten added subscribers: Reedy, A_smart_kitten.Wed, Feb 4, 8:22 PM

If I'm understanding correctly, this is basically T415723: CI blocked from installing phpunit by CVE-2026-24765, except that there hasn't yet been a MediaWiki release that contains the phpunit/phpunit version bump made in that task.

There was a request made at T415723#11569521 for new MW versions to be released soon, for (IIUC) a similar reason to what's described in this task... I'm not personally sure when the next release would otherwise be scheduled for.
ccing @Reedy fyi

Reedy renamed this task from Building Mediawiki 1.43.6 fails due to phpunit security advisory PKSA-z3gr-8qht-p93v to Building MediaWiki 1.43.6 fails due to phpunit security advisory PKSA-z3gr-8qht-p93v.Wed, Feb 4, 8:43 PM
Reedy updated the task description. (Show Details)
RhinosF1 subscribed.Wed, Feb 4, 9:00 PM
Reedy added a comment.Wed, Feb 4, 9:26 PM

Install from the composer:latest

Noting if you used a composer 2.8.x version (2.8.12) as of writing, you wouldn't have composer blocking this either.

Zelnox2 added a comment.Wed, Feb 4, 11:30 PM
In T416292#11585011, @A_smart_kitten wrote:

If I'm understanding correctly, this is basically T415723: CI blocked from installing phpunit by CVE-2026-24765, except that there hasn't yet been a MediaWiki release that contains the phpunit/phpunit version bump made in that task.

It doesn't seem related to the same CVE, but it does touch phpunit. The build errors mentions "PKSA-z3gr-8qht-p93v", which is what we looked up.

In T416292#11585157, @Reedy wrote:

Install from the composer:latest

Noting if you used a composer 2.8.x version (2.8.12) as of writing, you wouldn't have composer blocking this either.

Ahhhh, I hadn't seen the tag for composer:2.8. This is why I only tested with 2.2, but it was deemed too old and that's what lead me to create this ticket. I just tested with composer:2.8 and comfirm that it builds successfully (no sed shenanigans).

Reedy added a comment.Wed, Feb 4, 11:46 PM
In T416292#11585578, @Zelnox2 wrote:
In T416292#11585011, @A_smart_kitten wrote:

If I'm understanding correctly, this is basically T415723: CI blocked from installing phpunit by CVE-2026-24765, except that there hasn't yet been a MediaWiki release that contains the phpunit/phpunit version bump made in that task.

It doesn't seem related to the same CVE, but it does touch phpunit. The build errors mentions "PKSA-z3gr-8qht-p93v", which is what we looked up.

https://packagist.org/packages/phpunit/phpunit/advisories?version=9707524

PKSA-z3gr-8qht-p93v CVE-2026-24765 GHSA-vvj3-c3rp-c85p

A_smart_kitten mentioned this in T417128: Broken composer.json.Wed, Feb 11, 1:00 PM
DG subscribed.Fri, Feb 13, 8:23 AM

Thanks for reporting because I had the exact same issue. For now, downgrading Composer latest (now 2.9.5) > 2.8.x is a temporary workaround that works for me, too.

Umherirrender subscribed.Sat, Feb 14, 9:45 PM

I am wonder why this happen even for --no-dev-, but the composer output says

Running update with --no-dev does not mean require-dev is ignored, it just means the packages will not be installed. If dev requirements are blocking the update you have to resolve those problems.

The security problem is marked as "high" (https://github.com/advisories/GHSA-vvj3-c3rp-c85p), so it seems this needs a new release to fix the problem on the release branch, for all that build the package itself and not using the tarball, to avoid that all have to add --no-security-blocking.

Or the release ships a composer.lock and it is possible to composer install which does not block the install ("for installs from a lock file Composer never blocks vulnerable packages." - https://getcomposer.org/doc/03-cli.md), but that removes some package updates for support to newer php versions.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits