Conversation

bdalsass (Contributor) commented Sep 5, 2025

Base information

Question | Answer
Related to a SourceForge thread / Another PR / Combodo ticket? |
Type of change? | Dependencies updates

Symptom (bug) / Objective (enhancement)

Dependabot alerts on some iTop composer lib.

Proposed solution (bug and enhancement)

  • Remove old doc generator
  • Update twig/twig from 3.16.0 to 3.21.1
  • Update tecnickcom/tcpdf from 6.7.5 to 6.10.0

Checklist before requesting a review

  • I have performed a self-review of my code
  • I have tested all changes I made on an iTop instance
  • I have added a unit test, otherwise I have explained why I couldn't
  • Is the PR clear and detailed enough so anyone can understand digging in the code?

@bdalsass bdalsass self-assigned this Sep 5, 2025
@bdalsass bdalsass added labels internal (Work made by Combodo) and dependencies (Pull requests that update a dependency file) Sep 5, 2025
Hipska (Contributor) commented Sep 5, 2025

I don't see any additions to actually enable dependabot alerts?

PS; there is also a Major CVE in symfony/runtime 6.4.0

PS2; Base information needs to be updated it is about N°8637.

steffunky (Member) commented, quoting Hipska:
I don't see any additions to actually enable dependabot alerts?

PS; there is also a Major CVE in symfony/runtime 6.4.0

PS2; Base information needs to be updated it is about N°8637.

  • We already have a dependabot tab in our Github security page, but I don't think it's public
  • I think we're not concerned as we already include this library version > 6.4.14
$ composer show symfony/runtime
name     : symfony/runtime
descrip. : Enables decoupling PHP applications from global state
keywords : runtime
versions : * v6.4.23
released : 2025-06-13, 2 months ago
type     : composer-plugin
license  : MIT License (MIT) (OSI approved) https://spdx.org/licenses/MIT.html#licenseText
homepage : https://symfony.com
source   : [git] https://github.com/symfony/runtime.git ef1f03c2ab1144ac4ef7744b9e026bdb06f2f88f
dist     : [zip] https://api.github.com/repos/symfony/runtime/zipball/ef1f03c2ab1144ac4ef7744b9e026bdb06f2f88f ef1f03c2ab1144ac4ef7744b9e026bdb06f2f88f
path     : /srv/http/iTop/lib/symfony/runtime
names    : symfony/runtime

support
source : https://github.com/symfony/runtime/tree/v6.4.23
  • Agreed 😁

Hipska (Contributor) commented Sep 5, 2025

Ah I thought because of the title that you would let Dependabot now automatically create PRs to update composer dependencies.

On Develop branch all is good, but not on 3.2:

iTop/composer.lock, lines 4172 to 4173 at commit 65c9145:

    "name": "symfony/runtime",
    "version": "v6.4.0",
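The disagreement above comes down to which branch's composer.lock is being inspected: `composer show` on a develop checkout reports v6.4.23, while the support/3.2 lockfile still pins v6.4.0. The following script is an added example (not iTop's code or part of this PR) that reads a composer.lock and flags every package pinned below a minimum version, so the check can be run per branch in CI instead of by hand. The two lockfile fragments are constructed for illustration; the thresholds are the versions named in this thread (the PR's twig/tcpdf targets and the "> 6.4.14" bound for symfony/runtime, expressed here as a 6.4.15 minimum).

```python
import json
import re

# Constructed composer.lock fragments standing in for the two branches
# discussed in the thread. They are illustrative, not the project's real files.
LOCK_SUPPORT_32 = json.dumps({
    "packages": [
        {"name": "symfony/runtime", "version": "v6.4.0"},
        {"name": "twig/twig", "version": "v3.16.0"},
        {"name": "tecnickcom/tcpdf", "version": "6.7.5"},
    ],
    "packages-dev": [],
})
LOCK_DEVELOP = json.dumps({
    "packages": [
        {"name": "symfony/runtime", "version": "v6.4.23"},
        {"name": "twig/twig", "version": "v3.21.1"},
        {"name": "tecnickcom/tcpdf", "version": "6.10.0"},
    ],
    "packages-dev": [],
})

# Minimum acceptable versions. twig/tcpdf are the PR's target versions;
# symfony/runtime encodes the thread's "> 6.4.14" as a 6.4.15 floor.
MIN_VERSIONS = {
    "symfony/runtime": "6.4.15",
    "twig/twig": "3.21.1",
    "tecnickcom/tcpdf": "6.10.0",
}

# Composer versions may carry a leading "v"; only the numeric triple is compared.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v6.4.0' or '6.10.0' into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def locked_versions(lock_json):
    """Map package name -> pinned version across both lockfile sections."""
    data = json.loads(lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def outdated_packages(lock_json, minimums):
    """Return {name: (locked, minimum)} for packages present in the lock but
    pinned below their minimum. Packages absent from the lock are not reported,
    since an uninstalled library cannot be the affected one."""
    locked = locked_versions(lock_json)
    flagged = {}
    for name, minimum in minimums.items():
        current = locked.get(name)
        if current is not None and parse_version(current) < parse_version(minimum):
            flagged[name] = (current, minimum)
    return flagged


def report(label, lock_json):
    flagged = outdated_packages(lock_json, MIN_VERSIONS)
    if not flagged:
        print(f"{label}: all tracked packages at or above minimum")
    for name, (current, minimum) in sorted(flagged.items()):
        print(f"{label}: {name} is {current}, minimum is {minimum}")
    return flagged


if __name__ == "__main__":
    report("support/3.2", LOCK_SUPPORT_32)
    report("develop", LOCK_DEVELOP)
```

Pointing `locked_versions` at a real `composer.lock` (read from disk instead of the constructed strings) makes this a branch-aware gate: the lockfile on each release branch is what `composer install` actually deploys, so that is the file to check, not the version `composer show` happens to report on a developer's checkout.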

Hipska (Contributor) commented Sep 8, 2025

Since this PR is targeting support/3.2, symfony/runtime needs to be updated as well 😉

Update symfony/runtime from 6.4.0 to 6.4.24
@bdalsass bdalsass merged commit bb8a09d into support/3.2 Sep 9, 2025
@bdalsass bdalsass deleted the feature/8637_dependabot_alerts branch September 9, 2025 14:15