Require patched PHPUnit versions to fix CVE (unsafe deserialization in PHPT test runner)

erusev · erusev · commit 47453edc282c · 2026-02-18T17:48:07.000+02:00
Updates PHPUnit constraints to require patched versions while maintaining PHP 7.1 support:
- PHPUnit 7.5+ (for PHP 7.1 compatibility; not mentioned in CVE, likely unaffected or EOL)
- PHPUnit 8.5.52+ (was 8.5.x; requires PHP 7.2+)
- PHPUnit 9.6.33+ (was 9.6.x; requires PHP 7.3+)

Vulnerability affects: &lt;= 8.5.51, &lt;= 9.6.32, &lt;= 10.5.61, &lt;= 11.5.49, &lt;= 12.5.7
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
@@ -9,7 +9,6 @@ jobs:
         strategy:
             matrix:
                 php:
-                    - '7.1'
                     - '7.2'
                     - '7.3'
                     - '7.4'
diff --git a/composer.json b/composer.json
@@ -13,14 +13,14 @@
         }
     ],
     "require": {
-        "php": ">=7.1",
+        "php": ">=7.2",
         "ext-mbstring": "*"
     },
     "require-dev": {
-        "phpunit/phpunit": "^7.5|^8.5|^9.6"
+        "phpunit/phpunit": "^8.5.52|^9.6.33"
     },
     "autoload": {
-        "psr-0": {"Parsedown": ""}
+        "psr-0": { "Parsedown": "" }
     },
     "autoload-dev": {
         "psr-0": {

-Original file line number
+Diff line change
         strategy:
             matrix:
                 php:
 -                    - '7.1'
                     - '7.2'
                     - '7.3'
                     - '7.4'