Require patched PHPUnit versions to fix CVE (unsafe deserialization in PHPT test runner)

erusev · erusev · commit 7878b204a7af · 2026-02-18T17:23:11.000+02:00
Updates PHPUnit constraints to require versions with the fix for the unsafe deserialization vulnerability in the cleanupForCoverage() method:
- PHPUnit 8.5.52+ (was 8.5.x)
- PHPUnit 9.6.33+ (was 9.6.x)

Removes PHPUnit 7.x support as it is EOL and patch status unclear.

Vulnerability affects: &lt;= 8.5.51, &lt;= 9.6.32, &lt;= 10.5.61, &lt;= 11.5.49, &lt;= 12.5.7
diff --git a/composer.json b/composer.json
@@ -17,7 +17,7 @@
         "ext-mbstring": "*"
     },
     "require-dev": {
-        "phpunit/phpunit": "^7.5|^8.5|^9.6"
+        "phpunit/phpunit": "^8.5.52|^9.6.33"
     },
     "autoload": {
         "psr-0": {"Parsedown": ""}
