chore(deps): update dependency phpunit/phpunit to v8 [security]#4
Open
renovate-fastnorth[bot] wants to merge 1 commit into
Open
chore(deps): update dependency phpunit/phpunit to v8 [security]#4renovate-fastnorth[bot] wants to merge 1 commit into
renovate-fastnorth[bot] wants to merge 1 commit into
Conversation
13952fd to
fd48dac
Compare
fd48dac to
d3e2734
Compare
d3e2734 to
3b7a06f
Compare
3b7a06f to
faa9f77
Compare
faa9f77 to
e86df80
Compare
e86df80 to
8ba785d
Compare
8ba785d to
5c04ebd
Compare
5c04ebd to
ddf00f9
Compare
ddf00f9 to
f2fe6ea
Compare
f2fe6ea to
c1dc1c9
Compare
685571b to
2781474
Compare
2781474 to
c52f174
Compare
c52f174 to
c63514f
Compare
c63514f to
e95e253
Compare
e95e253 to
33d7a74
Compare
carcunha
requested changes
Jun 2, 2026
carcunha
left a comment
There was a problem hiding this comment.
Blocked — dev-only bump with no verification path.
phpunit/phpunit^5.3 → ^13 is a major test-suite migration, not a constraint-only change.- Security label applies to require-dev; this does not affect runtime consumers.
- This repo has no CI workflow — nothing validates the bump (no checks on this PR).
Run and fix the test suite locally before merging, or close if PHPUnit 5 tests are no longer maintained.
125a4f8 to
10cdd93
Compare
10cdd93 to
4159e95
Compare
4159e95 to
f3b2d78
Compare
f3b2d78 to
4ac29fa
Compare
4ac29fa to
dc3c4a1
Compare
dc3c4a1 to
86d2301
Compare
86d2301 to
93cd3d3
Compare
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^5.3→^8.5.52PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
CVE-2026-24765 / GHSA-vvj3-c3rp-c85p
More information
Details
Overview
A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the
cleanupForCoverage()method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious.coveragefiles are present prior to the execution of the PHPT test.Technical Details
Affected Component: PHPT test runner, method
cleanupForCoverage()Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7
Vulnerable Code Pattern
The vulnerability occurs when a
.coveragefile, which should not exist before test execution, is deserialized without theallowed_classesparameter restriction. An attacker with local file write access can place a malicious serialized object with a__wakeup()method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.Attack Prerequisites and Constraints
This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:
.coveragefile alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage informationCritical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.
Proposed Remediation Approach
Rather than just silently sanitizing the input via
['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing.coveragefiles for PHPT tests as an error condition.Rationale for Error-Based Approach:
.coveragefile existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input.coveragefile should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:Severity Classification
Mitigating Factors (Environmental Context)
Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:
Fixed Behaviour
When a
.coveragefile is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:Recommendation
Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Code Injection in PHPUnit
CVE-2017-9841 / GHSA-r7c9-c69m-rph8
More information
Details
Util/PHP/eval-stdin.php in PHPUnit starting with 4.8.19 and before 4.8.28, as well as 5.x before 5.6.3, allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a
<?phpsubstring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
CVE-2026-24765 / GHSA-vvj3-c3rp-c85p
More information
Details
Overview
A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the
cleanupForCoverage()method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious.coveragefiles are present prior to the execution of the PHPT test.Technical Details
Affected Component: PHPT test runner, method
cleanupForCoverage()Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7
Vulnerable Code Pattern
The vulnerability occurs when a
.coveragefile, which should not exist before test execution, is deserialized without theallowed_classesparameter restriction. An attacker with local file write access can place a malicious serialized object with a__wakeup()method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.Attack Prerequisites and Constraints
This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:
.coveragefile alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage informationCritical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.
Proposed Remediation Approach
Rather than just silently sanitizing the input via
['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing.coveragefiles for PHPT tests as an error condition.Rationale for Error-Based Approach:
.coveragefile existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input.coveragefile should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:Severity Classification
Mitigating Factors (Environmental Context)
Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:
Fixed Behaviour
When a
.coveragefile is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:Recommendation
Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (in timezone America/Toronto)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.