@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (13 fixed, 14 open), 42 sev-1.
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (14 fixed, 13 open), 42 sev-1.
---
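Review bot: the sev-2 rollup moving from 13 fixed/14 open to 14 fixed/13 open is consistent with F23 being marked Fixed further down in the same change, but the summary line is hand-maintained and every status flip needs a matching manual edit here; consider deriving it from the per-finding `**Status:**` lines (a count of `Fixed` entries per severity) and checking that in CI so the rollup cannot disagree with the findings. The `42 sev-1` entry also carries no fixed/open split, unlike the sev-3 and sev-2 entries beside it.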
@@ -815,6 +815,17 @@
drift here is critical. Tighten to `^1.0.2 || ^2.0` after testing
and run `composer audit` regularly.
- **Severity: 2**
+- **Status:** Fixed in `f66ceaf`. `ui/composer.json` now requires
+ `jumbojett/openid-connect-php: "^1.0.2 || ^2.0"`, excluding the
+ pre-1.0.2 versions that carry the iss-confusion advisory while still
+ permitting an upgrade path to a future v2.x line. The `composer.lock`
+ was regenerated against the new constraint (still resolves to v1.0.2,
+ the latest published release) and `ui` regression tests pass
+ unchanged. The "run `composer audit` regularly" half of the
+ recommendation was already in place: `scripts/ci.sh` invokes
+ `composer audit --no-dev` for both `api` and `ui` on every CI run
+ (lines 84-85 and 109-110), so any future advisory against the locked
+ version fails the build.
### F24 — UI CSP allows `script-src 'unsafe-inline' 'unsafe-eval'`
- **File:** `ui/docker/Caddyfile:33`
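Review bot: the closing claim that "any future advisory against the locked version fails the build" holds only for production dependencies, because the quoted CI invocation is `composer audit --no-dev`; the status text should say that the check excludes dev dependencies, or the CI step should add a second run without `--no-dev` if dev-only packages are in scope for this review. The references to `scripts/ci.sh` lines 84-85 and 109-110 will go stale on the next edit to that script, and quoting the invocation is already enough to locate it, so the line numbers can be dropped. Also, since the regression run covered only the v1.0.2 that `composer.lock` still resolves to, the "upgrade path to a future v2.x line" is a permission granted by the constraint rather than a tested path; wording it that way avoids implying 2.x has been exercised.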