Problem/Motivation

Security advisory:
composer audit
Found 1 security vulnerability advisory affecting 1 package:

| Package | firebase/php-jwt |
| Severity | high |
| Advisory ID | PKSA-y2cr-5h3j-g3ys |
| CVE | CVE-2025-45769 |
| Title | php-jwt contains weak encryption |
| URL | https://github.com/advisories/GHSA-2x45-7fc3-mxwq |
| Affected versions | <7.0.0 |
| Reported at | 2025-07-31T21:31:53+00:00 |

Steps to reproduce

composer audit

Proposed resolution

Update to a version of firebase/php-jwt >= 7.0

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork salesforce-3574243

Comments

darktek created an issue.

darktek

Status: Active » Closed (won't fix)

Closing this in order to post in the right place: https://security.drupal.org/node/184414

darktek

Status: Closed (won't fix) » Active

I'm reopening this because this was originally reported as a security issue but was cleared by the Security Team to be fixed in public.

therobyouknow

Workaround:

I asked Google Gemini about this: I couldn't fetch the Salesforce module with composer, because composer reported an error.

I pasted my terminal text, with the error, into Gemini, and Gemini replied with this solution:

ddev composer config audit.ignore PKSA-y2cr-5h3j-g3ys PKSA-2kqm-ps5x-s4f5
ddev composer require 'drupal/salesforce:^5.1' -W

which worked: the fetch of the module proceeded without error.

Gemini told me that the ignore is stored in the composer.json, which it is. So the ignore is correctly localised to the project and not global, since it wouldn't be a good idea to ignore it for other projects without thinking about the implications for them.

I'm open to suggestions and updates that supersede this workaround, of course!

For reference, here is the error I saw, which I gave to Gemini to solve:

robdaviswork@192 drupal-salesforce-integration-demo % ddev composer require 'drupal/salesforce:^5.1'
./composer.json has been updated
Running composer update drupal/salesforce
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires drupal/salesforce ^5.1 -> satisfiable by drupal/salesforce[5.1.0, 5.1.1, 5.1.2].
    - drupal/salesforce 5.1.0 requires drupal/core ^10.1 -> found drupal/core[10.1.0, ..., 10.6.3] but the package is fixed to 11.3.3 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.
    - drupal/salesforce[5.1.1, ..., 5.1.2] require firebase/php-jwt ^5.0 || ^6.0 -> found firebase/php-jwt[v5.0.0, ..., v5.5.1, v6.0.0, ..., v6.11.1] but these were not loaded, because they are affected by security advisories ("PKSA-y2cr-5h3j-g3ys", "PKSA-2kqm-ps5x-s4f5"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.
Composer [require drupal/salesforce:^5.1] failed, composer command failed: exit status 2. stderr=
robdaviswork@192 drupal-salesforce-integration-demo %

darktek
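
An added check, not part of this issue or of the salesforce module, that reads a project's composer.lock and composer.json and reports whether the locked firebase/php-jwt is still in the affected range (<7.0.0 per the advisory above) and, once it no longer is, which of the two advisory IDs ignored by the workaround are now stale and can be dropped from the audit config. The sample lock and config below are constructed, and the version parser only handles numeric dotted versions such as v6.11.1.

```python
import json
from typing import Dict, List, Optional, Tuple

PACKAGE = "firebase/php-jwt"
FIXED_IN = (7, 0, 0)  # advisory: affected versions are <7.0.0
# Advisory IDs that the workaround in this thread adds to config.audit.ignore
WORKAROUND_IGNORES = {"PKSA-y2cr-5h3j-g3ys", "PKSA-2kqm-ps5x-s4f5"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v6.11.1' or '7.0.0' into a comparable tuple; stop at the first non-numeric part."""
    parts: List[int] = []
    for p in v.lstrip("v").split("-")[0].split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def locked_version(lock: dict, name: str) -> Optional[str]:
    """Return the version string locked for `name` in composer.lock, or None if absent."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return pkg.get("version")
    return None


def audit_ignores(composer_json: dict) -> List[str]:
    """config.audit.ignore is either a list of IDs or a {id: reason} mapping."""
    ignore = composer_json.get("config", {}).get("audit", {}).get("ignore", [])
    return list(ignore.keys()) if isinstance(ignore, dict) else list(ignore)


def check_php_jwt(lock: dict, composer_json: dict) -> Dict[str, object]:
    """Report the locked version, whether it is affected, and stale workaround ignores."""
    version = locked_version(lock, PACKAGE)
    affected = version is not None and parse_version(version) < FIXED_IN
    # Once a fixed version is locked, the workaround ignores only hide history: flag them.
    stale = [] if affected else sorted(i for i in audit_ignores(composer_json) if i in WORKAROUND_IGNORES)
    return {"version": version, "affected": affected, "stale_ignores": stale}


def check_project(lock_path: str = "composer.lock", json_path: str = "composer.json") -> Dict[str, object]:
    with open(lock_path) as f_lock, open(json_path) as f_json:
        return check_php_jwt(json.load(f_lock), json.load(f_json))


# Constructed sample: lock still pinned to v6.11.1, plus the ignores the workaround added.
SAMPLE_LOCK = {"packages": [{"name": "firebase/php-jwt", "version": "v6.11.1"}]}
SAMPLE_JSON = {"config": {"audit": {"ignore": ["PKSA-y2cr-5h3j-g3ys", "PKSA-2kqm-ps5x-s4f5"]}}}

if __name__ == "__main__":
    print(check_php_jwt(SAMPLE_LOCK, SAMPLE_JSON))
```
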

Yeah, I'm using that workaround atm, but I believe (if it's possible) it should be fixed, given the fact that it is a security breach.

aaronbauman

Thank you for the report, but security issues should not be reported to the public issue queue.

Please refer to https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquette/reporting-a-security-issue for proper security issue reporting procedure.

I'm not sure the best way to proceed, now that the issue is here.
I've contacted the security team to advise on how to move forward.

bkosborne

The comment in #4 indicates it was cleared by the security team to remain public.

bkosborne

Category: Bug report » Task
Priority: Normal » Major
Status: Active » Needs review

aaronbauman

Status: Needs review » Fixed

Yes, I see that now.
Thanks for the MR.

Merged, and will cut a new release soon.

redeight

Any chance we can get a release with this rolled in? Without manually adding a "config audit ignore" to composer.json, it's preventing composer from updating at all. Seems crazy to prevent all the other modules and core from receiving updates because one dependency is insecure, when the already installed dependency is ALSO insecure... but I guess that's what Composer devs thought was a good idea and here we are. Updated release please?

aaronbauman

The fix is in 5.1.x-dev, which you can install now with composer.

I've got that deployed to a couple client projects and will gradually be pushing out to more.

If those instances do ok and don't need further adjustments, I will cut a new release.

daniel_j

You may also want to update the composer.json found in modules/salesforce_jwt, just for completeness.

aaronbauman

Yes, the jwt submodule has also been updated in 5.1.x:
https://git.drupalcode.org/project/salesforce/-/commit/58c3ff48468ca4c58...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.