Problem/Motivation

PHPUnit has a security update: https://advisories.gitlab.com/pkg/composer/phpunit/phpunit/CVE-2026-24765/

Security team approved this as a public issue.

Steps to reproduce

Run composer audit on main.

Proposed resolution

  1. Update PHPUnit to 11.5.50 on main, 11.x and 11.3.x.
  2. Update PHPUnit to 9.6.34 on 10.6.x.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3570133

Comments

kentr created an issue.

kentr:

Title: Update PHPUnit » PHPUnit security update

kentr:

Issue summary: updated

catch:

Priority: Normal » Critical

This has been issued for all phpunit versions in our supported branches, so we should raise the constraint on main/11.x/11.3.x/10.6.x.

Once that's done, we can decide whether to also do that for 11.2 and 10.5 which are still in security support - nothing should stop people on those versions (or newer versions) updating phpunit themselves though.

Bumping to critical - partly because it's a security release, partly because the next patch release window is in 7 days and it would be good to get it into those.

kentr:

Status: Active » Needs review

The MR is a result of running composer update -W phpunit/phpunit.

smustgrave:

Should it just be targeting phpunit?

kentr:

@smustgrave

Should it just be targeting phpunit?

I don't know. I figured that would come out in the review process.

composer update phpunit/phpunit only updates to 11.5.46. AFAIK the security fix is in 11.5.50: https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50.

These do the same as above:

  • composer require --dev phpunit/phpunit:^11.5
  • composer require --dev phpunit/phpunit:^11

composer require --dev phpunit/phpunit:^11.5.50 throws errors:

  Problem 1
    - Root composer.json requires phpunit/phpunit ^11.5.50 -> satisfiable by phpunit/phpunit[11.5.50, 11.5.x-dev].
    - phpunit/phpunit[11.5.50, ..., 11.5.x-dev] require phpunit/php-code-coverage ^11.0.12 -> found phpunit/php-code-coverage[11.0.12, 11.0.x-dev] but the package is fixed to 11.0.11 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.
  Problem 2
    - phpspec/prophecy-phpunit is locked to version v2.4.0 and an update of this package was not requested.
    - phpspec/prophecy-phpunit v2.4.0 requires phpunit/phpunit ^9.1 || ^10.1 || ^11.0 || ^12.0 -> satisfiable by phpunit/phpunit[11.5.50, 11.5.x-dev].
    - phpunit/phpunit[11.5.50, ..., 11.5.x-dev] require phpunit/php-code-coverage ^11.0.12 -> found phpunit/php-code-coverage[11.0.12, 11.0.x-dev] but the package is fixed to 11.0.11 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.

I'll revert and let someone else do this.

kentr:

Status: Needs review » Needs work

Reverted my last commit.

Needs input from someone more knowledgeable.

mondrake made their first commit to this issue’s fork.

mondrake:

Status: Needs work » Needs review

I think you did the right thing @kentr. The other packages being updated are a must-do based on the constraints dependency hierarchy required to update PHPUnit itself.

Anyway, the steps I followed in the last commit were:

  1. composer update phpunit/phpunit -w
  2. update manually the constraint in composer.json (both in /core and in /core/tests/PHPStan) to "^11.5.50"
  3. composer update --lock

catch:

Status: Needs review » Reviewed & tested by the community

Yes this looks right.

larowlan:

Version: main » 11.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Committed to main - needs new MRs for 11.x and 11.3.x - thanks folks

  • larowlan committed 290a6fb8 on main
    task: #3570133 PHPUnit security update
    
    By: kentr
    By: catch
    By:...

dww made their first commit to this issue’s fork.

dww:

Issue summary: updated
Status: Patch (to be ported) » Needs review
Issue tags: +Security

@larowlan asked in Slack for someone to re-roll this for 11.x and 11.3.x.

No cherry-picking worked anywhere. 😅 Recreated on both branches like so:

  1. composer update -W phpunit/phpunit
  2. Edit composer.json to manually bump the phpunit requirement to "^11.5.50"
  3. composer update nothing (to regenerate the other touched files)
  4. Edit core/tests/PHPStan/composer.json to manually bump the phpunit requirement to "^11.5.50"

Opened MRs for both.

dww:

Issue summary: updated

Also opened https://git.drupalcode.org/project/drupal/-/merge_requests/14633 for 10.6.x

https://advisories.gitlab.com/pkg/composer/phpunit/phpunit/CVE-2026-24765/ says "from 9.0.0 before 9.6.33..."

The composer.lock on 10.6.x says:

            "name": "phpunit/phpunit",
            "version": "9.6.29",

So seems prudent to upgrade there, too.
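As an added example (not the issue's or Drupal's own tooling), a small Python checker that reads a composer.lock and compares the locked phpunit/phpunit version against the fixed releases this thread names: 9.6.33 from the advisory text quoted above and 11.5.50 from the release link. The fixed-version table and the lock fragment are constructed assumptions; any PHPUnit major not in the table is reported as unknown rather than safe.

```python
import json
import re

# Minimum patched release per PHPUnit major, taken from the versions this
# thread cites ("from 9.0.0 before 9.6.33" and the 11.5.50 release).
# Assumption: a major not listed here is reported "unknown", never "fixed".
FIXED_BY_MAJOR = {9: (9, 6, 33), 11: (11, 5, 50)}


def parse_version(text):
    """Turn '9.6.29' or 'v11.5.46' into a comparable (major, minor, patch)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(x) for x in m.groups())


def locked_versions(lock_text, name="phpunit/phpunit"):
    """Return every locked version of `name`, checking both 'packages' and
    'packages-dev' (PHPUnit normally lives in the latter)."""
    lock = json.loads(lock_text)
    return [pkg["version"]
            for section in ("packages", "packages-dev")
            for pkg in lock.get(section, [])
            if pkg.get("name") == name]


def audit_lock(lock_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for the locked phpunit."""
    verdicts = []
    for v in locked_versions(lock_text):
        parsed = parse_version(v)
        fixed = FIXED_BY_MAJOR.get(parsed[0])
        if fixed is None:
            verdicts.append("unknown")
        else:
            verdicts.append("fixed" if parsed >= fixed else "vulnerable")
    if "vulnerable" in verdicts:  # one bad pin taints the whole lock file
        return "vulnerable"
    if not verdicts or "unknown" in verdicts:
        return "unknown"
    return "fixed"


# Constructed composer.lock fragment mirroring the 10.6.x entry quoted above.
SAMPLE_LOCK = json.dumps({
    "packages": [],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.6.29"}],
})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))  # vulnerable: 9.6.29 < 9.6.33
```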

dww:

Issue summary: updated

mondrake:

Status: Needs review » Reviewed & tested by the community

Looks good to me

  • catch committed 89fa321f on 11.x
    task: #3570133 PHPUnit security update
    
    By: kentr
    By: catch
    By:...

catch:

Version: 11.x-dev » 11.3.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Committed/pushed to 11.x, thanks!

Unfortunately needs another rebase for 11.3.x and 10.6.x after #3571196: Update symfony/process constraint.

  • catch committed c3361f75 on 11.3.x
    task: #3570133 PHPUnit security update
    
    By: kentr
    By: catch
    By:...

catch:

No rebase required, just need to commit them in the opposite order, then they magically apply on top of each other.

  • catch committed ac069df1 on 10.6.x
    task: #3570133 PHPUnit security update
    
    By: kentr
    By: catch
    By:...

catch:

Version: 11.3.x-dev » 10.6.x-dev
Status: Patch (to be ported) » Fixed

Yep that worked.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.