Problem/Motivation

Composer update:

    - Root composer.json requires drupal/commerce_paypal ^2.1 -> satisfiable by drupal/commerce_paypal[2.1.0].
    - drupal/commerce_paypal 2.1.0 requires sainsburys/guzzle-oauth2-plugin ^3.0 -> satisfiable by sainsburys/guzzle-oauth2-plugin[v3.0.0, ..., v3.0.7].
    - sainsburys/guzzle-oauth2-plugin[v3.0.0, ..., v3.0.1] require firebase/php-jwt ~3.0 -> found firebase/php-jwt[v3.0.0] but these were not loaded, because they are affected by security advisories ("PKSA-y2cr-5h3j-g3ys", "PKSA-2kqm-ps5x-s4f5"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
...
    - sainsburys/guzzle-oauth2-plugin[v3.0.6, ..., v3.0.7] require firebase/php-jwt ^3.0|^4.0|^5.0|^6.0 -> found firebase/php-jwt[v3.0.0, v4.0.0, v5.0.0, ..., v5.5.1, v6.0.0, ..., v6.11.1] but these were not loaded, because they are affected by security advisories ("PKSA-y2cr-5h3j-g3ys", "PKSA-2kqm-ps5x-s4f5"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Looks like we need to update to firebase/php-jwt version 7 to avoid these security advisories...


Comments

fonant created an issue. See original summary.

rszrama’s picture

Component: ------------------ » PayPal Checkout
Category: Bug report » Task

Easier said than done. Not a bug report in Commerce PayPal, though. Recategorizing, and in the meantime, if you want to, you can review the SAs and add an audit exception to your composer.json:

        "audit": {
            "ignore": ["PKSA-y2cr-5h3j-g3ys", "PKSA-2kqm-ps5x-s4f5"]
        }
fonant’s picture

This can be done quickly from the composer command line:

composer config --merge audit.ignore PKSA-y2cr-5h3j-g3ys PKSA-2kqm-ps5x-s4f5

The --merge is needed if you have any audit.ignore entries already.
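As an added example (not code from this issue or from Commerce PayPal), the script below does to `composer.json` what `composer config --merge audit.ignore ...` does: it adds advisory ids under `config.audit.ignore` without duplicating entries that are already there. It also lets you attach a reason to each id, using the object form `{"id": "reason"}` that Composer accepts alongside the plain list (assumption: Composer 2.6 or later), so the review of each ignored advisory is recorded next to the exception rather than lost. The sample `composer.json` is constructed for the example.

```python
"""Merge security-advisory ids into composer.json's config.audit.ignore.

Added example, not part of the Drupal issue or the Commerce PayPal module.
Mirrors `composer config --merge audit.ignore ID...` and additionally keeps
a reason per advisory (object form, assumed to need Composer >= 2.6).
"""
import json
from typing import Dict, Mapping, Union

# Constructed sample project manifest; no audit section yet.
SAMPLE_COMPOSER_JSON = json.dumps(
    {"name": "example/site", "require": {"drupal/commerce_paypal": "^2.1"}},
    indent=4,
)


def _current_ignores(audit: dict) -> Dict[str, str]:
    """Normalise the existing ignore entry (list or object form) to id -> reason."""
    existing: Union[list, dict] = audit.get("ignore", [])
    if isinstance(existing, list):
        return {adv_id: "" for adv_id in existing}
    return dict(existing)


def merge_audit_ignore(composer_json: str, advisories: Mapping[str, str]) -> str:
    """Return composer.json text with `advisories` (id -> reason) merged in.

    Existing ids are kept; an id is only re-written when the caller supplies a
    reason for an entry that had none.  Plain list form is preserved when no
    entry carries a reason, otherwise the object form is emitted.
    """
    data = json.loads(composer_json)
    audit = data.setdefault("config", {}).setdefault("audit", {})
    merged = _current_ignores(audit)
    for adv_id, reason in advisories.items():
        if adv_id not in merged or (reason and not merged[adv_id]):
            merged[adv_id] = reason
    audit["ignore"] = merged if any(merged.values()) else list(merged)
    return json.dumps(data, indent=4) + "\n"


def ignored_advisories(composer_json: str) -> Dict[str, str]:
    """Report every ignored advisory and its recorded reason ('' if none),
    so the exception list can be reviewed when the advisories are re-checked."""
    data = json.loads(composer_json)
    audit = data.get("config", {}).get("audit", {})
    return _current_ignores(audit)


if __name__ == "__main__":
    # Ids taken from the issue; reasons are constructed placeholders.
    updated = merge_audit_ignore(
        SAMPLE_COMPOSER_JSON,
        {"PKSA-y2cr-5h3j-g3ys": "", "PKSA-2kqm-ps5x-s4f5": ""},
    )
    print(updated)
    for adv_id, reason in ignored_advisories(updated).items():
        print(f"{adv_id}: {reason or '(no reason recorded)'}")
```

Running `ignored_advisories` in a CI step is a cheap way to make sure the exception list is reviewed whenever `firebase/php-jwt` is upgraded, instead of remaining in place after the advisories stop applying.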

tbkot made their first commit to this issue’s fork.

tbkot’s picture

Status: Active » Needs review
jsacksick’s picture

I'm just concerned that we're removing a method from an interface that's public which is a breaking change, there could be custom code calling the getAccessToken() method from the SDK... That'd be my main concern...

tbkot’s picture

@jsacksick I've marked it as deprecated so we can remove it later.

ibis’s picture

MR !58 seems ok for me in test environment.

  • jsacksick committed d0ffe850 on 2.x authored by tbkot
    feat: #3574338 Composer: firebase/php-jwt not loaded because of security...
jsacksick’s picture

Status: Needs review » Fixed


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.