Skip to content

[UPMERGE] 1.0 -> 1.1 #412

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Rafikooo merged 3 commits into from
Nov 20, 2025
Merged

[UPMERGE] 1.0 -> 1.1 #412

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a899b02
Add cve to ignore
michalkaczmarek-bitbag Nov 20, 2025
b88a679
Fix CI by updating CVE filtering and security check workflow
Rafikooo Nov 20, 2025
e96d57b
Add filtering cve related with APIP (#411)
GSadee Nov 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/build.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,7 +216,7 @@ jobs:

-
name: Run security check
run: symfony security:check
run: composer audit --abandoned=ignore

-
name: Run PHPStan
Expand Down
21 changes: 21 additions & 0 deletions AUDIT-IGNORE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# AUDIT-IGNORE

This document explains why specific advisories are added to `composer.json` → `config.audit.ignore`.

**PKSA-gs8r-6kz6-pp56** — `api-platform/core` CVE-2025-31485; affected versions < 3.4.17, 4.0.0–4.0.21, 4.1.0–4.1.4 are pulled by Sylius dependency constraints. GraphQL property security grant caching issue allows unauthorized access.
https://www.cve.org/CVERecord?id=CVE-2025-31485

**PKSA-gnn4-pxdg-q76m** — `api-platform/core` CVE-2025-31481; same affected versions as above. GraphQL security bypass via Relay `node` type allows unauthorized entity access.
https://www.cve.org/CVERecord?id=CVE-2025-31481

**PKSA-yhcn-xrg3-68b1** — `twig/twig` CVE-2024-45411; affected versions < 1.44.8, < 2.16.1, < 3.14.0 are pulled by Sylius dependency constraints. Sandbox security checks can be bypassed when templates are loaded in non-sandbox context before include().
https://www.cve.org/CVERecord?id=CVE-2024-45411

**PKSA-2wrf-1xmk-1pky** — `twig/twig` CVE-2024-51755; affected versions < 3.11.2 or 3.12.0–3.14.0 are pulled by Sylius dependency constraints. Unguarded `__isset()` and array-access in sandbox allows attribute access on Array-like objects.
https://www.cve.org/CVERecord?id=CVE-2024-51755

**PKSA-365x-2zjk-pt47** — `symfony/http-foundation` CVE-2025-64500; affected versions < 5.4.50, < 6.4.29, < 7.3.7 are pulled by Sylius dependency constraints. Incorrect parsing of PATH_INFO can lead to limited authorization bypass.
https://www.cve.org/CVERecord?id=CVE-2025-64500

**PKSA-4g5g-4rkv-myqs** — `enshrined/svg-sanitize` CVE-2025-55166; affected versions < 0.22.0 are pulled by Sylius 1.13.x dependency constraints (requires ^0.16). Attribute sanitization bypass allowing XSS via mixed-case attributes. Fixed in Sylius 1.14 by removing the dependency entirely.
https://www.cve.org/CVERecord?id=CVE-2025-55166
10 changes: 10 additions & 0 deletions composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,16 @@
"phpstan/extension-installer": true,
"symfony/flex": true,
"symfony/thanks": false
},
"audit": {
"ignore": [
"PKSA-gs8r-6kz6-pp56",
"PKSA-gnn4-pxdg-q76m",
"PKSA-yhcn-xrg3-68b1",
"PKSA-2wrf-1xmk-1pky",
"PKSA-365x-2zjk-pt47",
"PKSA-4g5g-4rkv-myqs"
]
}
},
"extra": {
Expand Down