how to update dependencies?

[NeftaliAcosta]

Can you help me update the dependencies? Gitlab SAST show me an error and I need update to firebase/php-jwt ^6

Thank you.

[tuupola]

Not possibe. firebase/php-jwt:6.x made such changes it is impossible to use it without breaking BC. See discussion at: #217

I really do dislike CVE-2021-46743 because vulnerability scanners tag it has critical even though there is no vulnerability. Even the report itself says: "NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself."

[dakujem]

With firebase/php-jwt version 5.5 it is possible to mitigate the issue.

I had to update the interface of my library to allow for the workaround, by introducing a Secret object, which mimics what firebase/php-jwt did in v5.5. Maybe this will help.

I was also forced to bump the major version in order to mitigate the issue by-default, as they did in firebase/php-jwt version 6.

[tuupola]

@dakujem I had totally missed this. Thanks!

https://github.com/firebase/php-jwt/releases/tag/v5.5.0