Skip to content

Feature/8637 dependabot alerts#745

Merged
bdalsass merged 5 commits intosupport/3.2from
feature/8637_dependabot_alerts
Sep 9, 2025
Merged

Feature/8637 dependabot alerts#745
bdalsass merged 5 commits intosupport/3.2from
feature/8637_dependabot_alerts

Conversation

@bdalsass
Copy link
Contributor

@bdalsass bdalsass commented Sep 5, 2025

Base information

Question Answer
Related to a SourceForge thead / Another PR / Combodo ticket?
Type of change? Dependencies updates

Symptom (bug) / Objective (enhancement)

Dependabot alerts on some iTop composer lib.

Proposed solution (bug and enhancement)

  • Remove old doc generator
  • Update twig/twig from 3.16.0 to 3.21.1
  • Update tecnickcom/tcpdf from 6.7.5 to 6.10.0

Checklist before requesting a review

  • I have performed a self-review of my code
  • I have tested all changes I made on an iTop instance
  • I have added a unit test, otherwise I have explained why I couldn't
  • Is the PR clear and detailed enough so anyone can understand digging in the code?

@bdalsass bdalsass self-assigned this Sep 5, 2025
@bdalsass bdalsass added internal Work made by Combodo dependencies Pull requests that update a dependency file labels Sep 5, 2025
@Hipska
Copy link
Contributor

Hipska commented Sep 5, 2025
edited
Loading

I don't see any additions to actually enable dependabot alerts?

PS; there is also a Major CVE in symfony/runtime 6.4.0

PS2; Base information needs to be updated it is about N°8637.

@steffunky
Copy link
Member

steffunky commented Sep 5, 2025

I don't see any additions to actually enable dependabot alerts?

PS; there is also a Major CVE in symfony/runtime 6.4.0

PS2; Base information needs to be updated it is about N°8637.

  • We already have a dependabot tab in our Github security page, but I don't think it's public
  • I think we're not concerned as we already include this library version > 6.4.14
$ composer show symfony/runtime
name     : symfony/runtime
descrip. : Enables decoupling PHP applications from global state
keywords : runtime
versions : * v6.4.23
released : 2025-06-13, 2 months ago
type     : composer-plugin
license  : MIT License (MIT) (OSI approved) https://spdx.org/licenses/MIT.html#licenseText
homepage : https://symfony.com
source   : [git] https://github.com/symfony/runtime.git ef1f03c2ab1144ac4ef7744b9e026bdb06f2f88f
dist     : [zip] https://api.github.com/repos/symfony/runtime/zipball/ef1f03c2ab1144ac4ef7744b9e026bdb06f2f88f ef1f03c2ab1144ac4ef7744b9e026bdb06f2f88f
path     : /srv/http/iTop/lib/symfony/runtime
names    : symfony/runtime

support
source : https://github.com/symfony/runtime/tree/v6.4.23
  • Agreed 😁

@Hipska
Copy link
Contributor

Hipska commented Sep 5, 2025

Ah I thought because of the title that you would let Dependabot now automatically create PRs to update composer dependencies.

On Develop branch all is good, but not on 3.2:

iTop/composer.lock

Lines 4172 to 4173 in 65c9145

"name": "symfony/runtime",
"version": "v6.4.0",

@Hipska
Copy link
Contributor

Hipska commented Sep 8, 2025

Since this PR is targeting support/3.2, symphony/runtime needs to be updated as well 😉

@bdalsass
Update symfony/http-foundation from 6.4.2 to 6.4.14
4e01785 
Update symfony/runtime from 6.4.0 to 6.4.24
@bdalsass bdalsass merged commit bb8a09d into support/3.2 Sep 9, 2025
@bdalsass bdalsass deleted the feature/8637_dependabot_alerts branch September 9, 2025 14:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@steffunky steffunky steffunky approved these changes

+1 more reviewer

@Hipska Hipska Hipska approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@bdalsass bdalsass

Labels

dependencies Pull requests that update a dependency file internal Work made by Combodo

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bdalsass @Hipska @steffunky