I got the following error when trying to do composer install --no-progress within deployment:
1 packages have known vulnerabilities.
!!
!! symfony/http-kernel (v5.0.7)
!! ----------------------------
!!
!! * [CVE-2020-15094][]: Prevent RCE when calling untrusted remote with CachingHttpClient
!!
!! [CVE-2020-15094]: https://symfony.com/cve-2020-15094
Following this link provided in my error: https://symfony.com/blog/cve-2020-15094-prevent-rce-when-calling-untrusted-remote-with-cachinghttpclient
It navigates me to the following GitHub link here: https://github.com/symfony/symfony/commit/ba3975329149cddebfe969f70b2577b0e37d1e76
What does that mean for local development and the fix associated with it? I tried following the link: src/Symfony/Component/HttpClient/Tests/CachingHttpClientTest.php
My project doesn't have that link.
So how do I fix this issue? How does one update issues that come up moving forward? I'm using a Mac setup.
The best way to move forward is to update to a later Symfony version. 5.0 is not maintained anymore, you can use 5.1 or 5.2. If you are not the one responsible for updating dependencies on the project, you may want to report this to the person who is.
If you look at the page linked in the error itself (https://symfony.com/cve-2020-15094) you can read:
The issue has been fixed in Symfony 4.4.13 and 5.1.5. Symfony 4.3 and 5.0 won't be patched as they are not maintained anymore.
To update Symfony you can follow this link: https://symfony.com/doc/current/setup/upgrade_minor.html
Ok that makes a lot of sense. Thank you for the great help!
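An added example (not part of the original posts, and not Symfony or Composer code): a small Python check that reads a composer.lock and classifies the locked symfony/http-kernel version against the fixed versions quoted in the answer above. The lock content is constructed, the function names are hypothetical, and treating branches newer than 5.1 as already fixed is an assumption.

```python
import json

# Fixed patch release per maintained branch, as quoted in the answer above.
FIXED = {(4, 4): (4, 4, 13), (5, 1): (5, 1, 5)}
# Branches the advisory says will not be patched (no longer maintained).
UNPATCHED = {(4, 3), (5, 0)}

def parse_version(text):
    """Turn 'v5.0.7' into (5, 0, 7); pre-release/build suffixes are ignored."""
    core = text.lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]  # ValueError on 'dev-*'
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    """Map a locked version to the action the advisory text implies."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparsed"              # e.g. 'dev-master': check by hand
    branch = version[:2]
    if branch in UNPATCHED:
        return "unpatched-branch"      # must move to a maintained branch
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "needs-patch-release"
    if branch > max(FIXED):
        return "fixed"                 # assumption: later branches carry the fix
    return "not-covered"               # branch not named in the quoted text

def check_lock(lock_json, package="symfony/http-kernel"):
    """Return (locked_version, status) for the package in a composer.lock."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry["version"], classify(entry["version"])
    return None, "not-installed"

# Constructed sample: the minimal part of a composer.lock this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-kernel", "version": "v5.0.7"},
        {"name": "symfony/console", "version": "v5.0.7"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

For the version in the question, the result is the "unpatched-branch" status: no 5.0.x patch release will clear the warning, so the constraint has to move to a maintained branch as the answer describes.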