Problem/Motivation
The module currently requires firebase/php-jwt ^6.10, which is outdated. Version 6 is no longer receiving security updates, and composer audit flags it as a dependency that should be upgraded. Version 7 of firebase/php-jwt introduces key size validation and other security hardening improvements.
Steps to reproduce
1. Install the module and run composer audit.
2. Observe that firebase/php-jwt v6 is flagged.
Proposed resolution
Update the firebase/php-jwt constraint in composer.json from ^6.10 to ^7.0.
The module's existing code in NotificationsTokenService is already fully compatible with v7:
- JWT::decode() already uses the new Key($secret, 'HS256') pattern introduced as required in v7
- JWT::encode() signature is unchanged between v6 and v7
- The module uses HS256, which is not affected by the new minimum key size enforcement (which only applies to RSA/EC keys)
- The module already requires Drupal 10/11, meaning PHP 8.0+ is guaranteed, satisfying the new v7 PHP requirement
No code changes are needed; only the composer constraint needs to be updated.
Remaining tasks
- Update composer.json constraint from ^6.10 to ^7.0
- Verify tests pass against firebase/php-jwt v7
User interface changes
None.
API changes
None.
Data model changes
None.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | 3588028-3.patch | 661 bytes | martijn de wit |
Issue fork de_notifications-3588028
- Branch 3588028-update-firebasephp-jwt-dependency (MR !18)
Comments
Comment #3
martijn de wit commented: Also a patch.
Comment #5
sbrandt commented: Thanks so much for picking this up! There's already an open MR regarding this issue which currently awaits review from a (co)-maintainer:
https://git.drupalcode.org/project/de_notifications/-/merge_requests/17
With the update of the firebase dependency, it is now required to use a longer secret, so having a too short secret might break functionality on affected sites. Therefore, we might need to release the fix as a new major release.
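The encode/decode pattern the issue summary lists as v7-compatible, plus the secret-length check comment #5 suggests sites will want before upgrading, as an added example (not code from the de_notifications module or from firebase/php-jwt). It assumes firebase/php-jwt ^7.0 is installed via Composer; the 32-byte minimum is taken from RFC 7518 section 3.2 for HS256 and is an assumption about the bound, not a value from this issue.

```php
<?php
// Added example, not module code. Assumes firebase/php-jwt ^7.0 via Composer
// and a secret supplied by module configuration (hypothetical $secret values below).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// RFC 7518 section 3.2: an HS256 key MUST be at least as long as the hash output (256 bits).
// Assumed here as the bound to check; the library's own limit may differ.
const HS256_MIN_SECRET_BYTES = 32;

// Fail early with a clear message instead of letting a too-short secret break
// token handling on a site after the dependency upgrade.
function assertSecretLength(string $secret): void {
    $len = strlen($secret); // bytes, not characters
    if ($len < HS256_MIN_SECRET_BYTES) {
        throw new InvalidArgumentException(sprintf(
            'HS256 secret is %d bytes; at least %d bytes are required.',
            $len, HS256_MIN_SECRET_BYTES
        ));
    }
}

function issueToken(string $secret, array $claims, int $ttl = 300): string {
    assertSecretLength($secret);
    $now = time();
    $payload = $claims + ['iat' => $now, 'exp' => $now + $ttl];
    // encode() signature is the same in v6 and v7.
    return JWT::encode($payload, $secret, 'HS256');
}

function verifyToken(string $secret, string $jwt): stdClass {
    assertSecretLength($secret);
    // Key-object form of decode(), the pattern the issue confirms for v7.
    return JWT::decode($jwt, new Key($secret, 'HS256'));
}

// Constructed secrets for demonstration only; real secrets come from config.
$shortSecret = 'changeme';                 // 8 bytes: rejected by assertSecretLength()
$goodSecret  = bin2hex(random_bytes(32));  // 64 hex characters = 64 bytes: accepted

try {
    issueToken($shortSecret, ['sub' => 'site']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

$token   = issueToken($goodSecret, ['sub' => 'site']);
$decoded = verifyToken($goodSecret, $token);
echo $decoded->sub, PHP_EOL;
```

Running the length check against the configured secret during an update hook, before the new library version is exercised, turns the breakage comment #5 warns about into an actionable message rather than a failed token operation.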
Comment #6
sbrandt commented: This issue has been fixed in the new major release version 2.0.0.
Comment #8
sbrandt commented