Something weird is happening in regards of version constraints

[SCIF]

Here is one of the latest commits: 3c621b0

1. The latest CVE is https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-50262.yaml which has a constraint <2.0.4.

2. The message has a link to PR has nothing to do with dompdf.

Any idea?

[Ocramius]

See:

• Issues/451 Add advisory information to a commit messages SecurityAdvisoriesBuilder#459
• Include advisory source in new security advisory commits SecurityAdvisoriesBuilder#451

Check also https://github.com/advisories for the latest updates.

[SCIF]

I found next security issue but it seems like dompdf is not actually the source of the problem as they have a wide constraint allowing but not forcing the usage of affected version of phenx/php-svg-lib. Does it mean GH advisory report has mentioned dompdf incorrect so your package reflected this wrong decision as well?

[Ocramius]

Sounds like it: I would bring it up there then, as this package only follows.

[Ocramius]

Closing here as per #129 outcome.