
Building MediaWiki 1.43.6 fails due to phpunit security advisory PKSA-z3gr-8qht-p93v
Open, Needs Triage | Public | BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  1. In a Dockerfile, use "FROM mediawiki:1.43.6"
  2. Install from the composer:latest
  3. Install semantic mediawiki and some extensions.
  4. The docker-compose build step fails with 2 errors

See this GitHub action log with the build failure https://github.com/Zelnox/giant-bomb-wiki/actions/runs/21611206859/job/62280142474

What happens?:
Extracted from the log linked above:

#19 14.44   Problem 1
#19 14.44     - Root composer.json requires phpunit/phpunit 9.6.19 (exact version match: 9.6.19 or 9.6.19.0), found phpunit/phpunit[9.6.19] but these were not loaded, because they are affected by security advisories ("PKSA-z3gr-8qht-p93v"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
#19 14.44   Problem 2
#19 14.44     - Root composer.json requires johnkary/phpunit-speedtrap ^4.0 -> satisfiable by johnkary/phpunit-speedtrap[v4.0.0, v4.0.1].
#19 14.44     - johnkary/phpunit-speedtrap[v4.0.0, ..., v4.0.1] require phpunit/phpunit ^7.0 || ^8.0 || ^9.0 -> found phpunit/phpunit[7.0.0, ..., 7.5.20, 8.0.0, ..., 8.5.52, 9.0.0, ..., 9.6.34] but these were not loaded, because they are affected by security advisories ("PKSA-z3gr-8qht-p93v"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
#19 14.44 
#19 14.44 Running update with --no-dev does not mean require-dev is ignored, it just means the packages will not be installed. If dev requirements are blocking the update you have to resolve those problems.
#19 ERROR: process "/bin/sh -c cd /var/www/html  && COMPOSER=composer.local.json php /usr/local/bin/composer require --no-update mediawiki/semantic-media-wiki  && php /usr/local/bin/composer require --no-update mediawiki/semantic-extra-special-properties  && php /usr/local/bin/composer require --no-update mediawiki/semantic-result-formats  && php /usr/local/bin/composer require --no-update mediawiki/semantic-scribunto dev-master  && php /usr/local/bin/composer require --no-update \"wikimedia/css-sanitizer:^5.5.0\"  && docker-php-ext-configure zip  && docker-php-ext-install zip  && cd /var/www/html/extensions/  && git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/PageForms.git  && git clone -b 'REL1_43' --single-branch --depth 1 https://gerrit.wikimedia.org/r/mediawiki/extensions/DisplayTitle  && git clone -b 'REL1_43' --single-branch --depth 1 https://gerrit.wikimedia.org/r/mediawiki/extensions/TemplateStyles  && git clone -b 'REL1_43' --single-branch --depth 1 https://gerrit.wikimedia.org/r/mediawiki/extensions/Popups  && wget https://github.com/octfx/mediawiki-extensions-TemplateStylesExtender/archive/refs/tags/v2.0.0.zip  && unzip v2.0.0.zip && rm v2.0.0.zip && mv mediawiki-extensions-TemplateStylesExtender-2.0.0 TemplateStylesExtender  && cd /var/www/html/  && composer update --no-dev" did not complete successfully: exit code: 2

What should have happened instead?:
The image should build without errors.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
MediaWiki 1.43.6
PHP 8.3.30 (apache2handler)
ICU 76.1
MariaDB 11.8.5-MariaDB-ubu2404
Lua 5.1.5

Other information (browser name/version, screenshots, etc.):

  • Separately, I have tested using composer:2.2 and that also builds successfully (without modifying the composer.json file).
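As an added illustration (not from the task, from MediaWiki, or from the Composer documentation), this is what the narrower of the two escape hatches named in the error message looks like as a composer.json fragment. The pinned phpunit/phpunit requirement is the one the log shows; because the solver still resolves require-dev even under --no-dev, that pin is what trips the advisory block. The audit.ignore entry lists only the advisory that blocks this build, so every other advisory is still enforced. Whether this belongs in the root composer.json or in the composer.local.json the MediaWiki image merges is an assumption to verify in the local setup.

```json
{
  "require-dev": {
    "phpunit/phpunit": "9.6.19"
  },
  "config": {
    "audit": {
      "ignore": ["PKSA-z3gr-8qht-p93v"]
    }
  }
}
```

Setting "block-insecure": false inside the same audit object, the other option the message names, switches blocking off for every advisory and is the broader change. Both are temporary workarounds; the fix the thread points to is a MediaWiki release that carries the phpunit/phpunit version bump.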

Event Timeline

While this bug manifests in Docker, the file in question is not specific to the Docker deployment and should instead be modified in the upstream MediaWiki codebase, no?

While this bug manifests in Docker, the file in question is not specific to the Docker deployment and should instead be modified in the upstream MediaWiki codebase, no?

You are right. I don't know which team would handle that.

If I'm understanding correctly, this is basically T415723: CI blocked from installing phpunit by CVE-2026-24765, except that there hasn't yet been a MediaWiki release that contains the phpunit/phpunit version bump made in that task.

There was a request made at T415723#11569521 for new MW versions to be released soon, for (IIUC) a similar reason to what's described in this task... I'm not personally sure when the next release would otherwise be scheduled for.
ccing @Reedy fyi

Reedy renamed this task from Building Mediawiki 1.43.6 fails due to phpunit security advisory PKSA-z3gr-8qht-p93v to Building MediaWiki 1.43.6 fails due to phpunit security advisory PKSA-z3gr-8qht-p93v. Wed, Feb 4, 8:43 PM
Reedy updated the task description.

Install from the composer:latest

Noting if you used a composer 2.8.x version (2.8.12) as of writing, you wouldn't have composer blocking this either.

If I'm understanding correctly, this is basically T415723: CI blocked from installing phpunit by CVE-2026-24765, except that there hasn't yet been a MediaWiki release that contains the phpunit/phpunit version bump made in that task.

It doesn't seem related to the same CVE, but it does touch phpunit. The build error mentions "PKSA-z3gr-8qht-p93v", which is what we looked up.

Install from the composer:latest

Noting if you used a composer 2.8.x version (2.8.12) as of writing, you wouldn't have composer blocking this either.

Ahhhh, I hadn't seen the tag for composer:2.8. This is why I only tested with 2.2, but it was deemed too old and that's what led me to create this ticket. I just tested with composer:2.8 and confirm that it builds successfully (no sed shenanigans).

If I'm understanding correctly, this is basically T415723: CI blocked from installing phpunit by CVE-2026-24765, except that there hasn't yet been a MediaWiki release that contains the phpunit/phpunit version bump made in that task.

It doesn't seem related to the same CVE, but it does touch phpunit. The build error mentions "PKSA-z3gr-8qht-p93v", which is what we looked up.

https://packagist.org/packages/phpunit/phpunit/advisories?version=9707524

PKSA-z3gr-8qht-p93v CVE-2026-24765 GHSA-vvj3-c3rp-c85p

Thanks for reporting because I had the exact same issue. For now, downgrading Composer latest (now 2.9.5) > 2.8.x is a temporary workaround that works for me, too.

I am wondering why this happens even with --no-dev, but the composer output says

Running update with --no-dev does not mean require-dev is ignored, it just means the packages will not be installed. If dev requirements are blocking the update you have to resolve those problems.

The security problem is marked as "high" (https://github.com/advisories/GHSA-vvj3-c3rp-c85p), so it seems this needs a new release to fix the problem on the release branch, for all who build the package themselves and do not use the tarball, to avoid everyone having to add --no-security-blocking.

Or the release ships a composer.lock and it is possible to run composer install, which does not block the install ("for installs from a lock file Composer never blocks vulnerable packages." - https://getcomposer.org/doc/03-cli.md), but that removes some package updates for support of newer PHP versions.