The master branch currently reflects the next release of Dompdf and includes some major changes, so this update won't alleviate issues for users attempting to deploy 2.x. The svglib-update branch is based on 2.0.4 and will be the basis of a 2.0.5 release (if required).

The master branch currently reflects the next release of Dompdf and includes some major changes, so this update won't alleviate issues for users attempting to deploy 2.x. The svglib-update branch is based on 2.0.4 and will be the basis of a 2.0.5 release (if required).

OK great news. And you know when you will merge svglib-update branch ?

It'll be sometime in the next few hours.

It looks like the update should not be necessary. Dependency managers are updating to reflect that 2.0.4 is OK to install. Please let me know if you're finding otherwise.

@bsweeney correct, we're seeing composer audit run successfully now on the same version of dompdf/dompdf but with the latest release of phenx/php-svg-lib.

It's OK for me too. Thanks for all

When is 2.0.5 going to be released? It's still wrong to have a min version specified that would allow installing a dependency that is affected by a vulnerability.

FYI if you want to enforce a minimum SvgLib version with your Dompdf installation without specifying it in your composer you can upgrade to 2.0.7.