Skip to content

Security vulnerability

eileen@eileen-laptop:~/coworker$ composer audit Found 1 security vulnerability advisory affecting 1 package:


| Package           | react/http                                                                       |
| CVE               | CVE-2022-36032                                                                   |
| Title             | ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `_ |
|                   | _Secure-` cookies can be sent                                                    |
| URL               | https://github.com/advisories/GHSA-w3w9-vrf5-8mx8                                |
| Affected versions | >=0.7.0,<1.7.0                                                                   |
| Reported at       | 2022-08-20T11:11:00+00:00                                                        |

Note I didn't see a reason to only update that so just ran composer update

eileen@eileen-laptop:~/coworker$ composer update Loading composer repositories with package information Updating dependencies Lock file operations: 1 install, 15 updates, 0 removals

  • Locking fig/http-message-util (1.1.5)
  • Upgrading monolog/monolog (2.3.5 => 2.8.0)
  • Upgrading react/cache (v1.1.1 => v1.2.0)
  • Upgrading react/child-process (v0.6.4 => v0.6.5)
  • Upgrading react/dns (v1.9.0 => v1.10.0)
  • Upgrading react/event-loop (v1.2.0 => v1.3.0)
  • Upgrading react/http (v1.5.0 => v1.8.0)
  • Upgrading react/promise (v2.8.0 => v2.9.0)
  • Upgrading react/promise-stream (v1.3.0 => v1.5.0)
  • Upgrading react/promise-timer (v1.8.0 => v1.9.0)
  • Upgrading react/socket (v1.11.0 => v1.12.0)
  • Upgrading symfony/console (v4.4.36 => v4.4.49)
  • Upgrading symfony/polyfill-mbstring (v1.24.0 => v1.27.0)
  • Upgrading symfony/polyfill-php73 (v1.24.0 => v1.27.0)
  • Upgrading symfony/polyfill-php80 (v1.24.0 => v1.27.0)
  • Upgrading symfony/service-contracts (v1.1.11 => v1.1.13) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 1 install, 15 updates, 0 removals
  • Downloading react/cache (v1.2.0)
  • Downloading react/child-process (v0.6.5)
  • Downloading react/dns (v1.10.0)
  • Downloading react/socket (v1.12.0)
  • Downloading react/promise-stream (v1.5.0)
  • Downloading react/http (v1.8.0)
  • Downloading symfony/polyfill-php80 (v1.27.0)
  • Downloading symfony/polyfill-php73 (v1.27.0)
  • Downloading symfony/polyfill-mbstring (v1.27.0)
  • Downloading symfony/console (v4.4.49)
  • Upgrading react/promise (v2.8.0 => v2.9.0): Extracting archive
  • Upgrading react/event-loop (v1.2.0 => v1.3.0): Extracting archive
  • Upgrading react/promise-timer (v1.8.0 => v1.9.0): Extracting archive
  • Upgrading monolog/monolog (2.3.5 => 2.8.0): Extracting archive
  • Upgrading react/cache (v1.1.1 => v1.2.0): Extracting archive
  • Upgrading react/child-process (v0.6.4 => v0.6.5): Extracting archive
  • Upgrading react/dns (v1.9.0 => v1.10.0): Extracting archive
  • Upgrading react/socket (v1.11.0 => v1.12.0): Extracting archive
  • Upgrading react/promise-stream (v1.3.0 => v1.5.0): Extracting archive
  • Installing fig/http-message-util (1.1.5): Extracting archive
  • Upgrading react/http (v1.5.0 => v1.8.0): Extracting archive
  • Upgrading symfony/service-contracts (v1.1.11 => v1.1.13): Extracting archive
  • Upgrading symfony/polyfill-php80 (v1.24.0 => v1.27.0): Extracting archive
  • Upgrading symfony/polyfill-php73 (v1.24.0 => v1.27.0): Extracting archive
  • Upgrading symfony/polyfill-mbstring (v1.24.0 => v1.27.0): Extracting archive
  • Upgrading symfony/console (v4.4.36 => v4.4.49): Extracting archive Package clue/block-react is abandoned, you should avoid using it. Use react/async instead.

eileen@eileen-laptop:~/coworker$ composer why clue/block-react civicrm/coworker dev-master requires clue/block-react (^1.5)

Edited by eileen