Fix PHPUnit vulnerability: unsafe deserialization in PHPT test runner

erusev · erusev · commit 4e433a8d5707 · 2026-02-18T17:50:20.000+02:00
Security alert for CVE affecting PHPUnit cleanupForCoverage() method.
Vulnerable versions: &lt;= 8.5.51, &lt;= 9.6.32, &lt;= 10.5.61, &lt;= 11.5.49, &lt;= 12.5.7

Required dropping PHP 7.1 support (EOL since Dec 2019) to use patched PHPUnit versions.

Changes:
- Minimum PHP version: 7.2+ (was 7.1+)
- PHPUnit: 8.5.52+ or 9.6.33+ (was 7.5, 8.5.x, or 9.6.x)
- Removed PHP 7.1 from CI matrix
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
@@ -9,7 +9,6 @@ jobs:
         strategy:
             matrix:
                 php:
-                    - '7.1'
                     - '7.2'
                     - '7.3'
                     - '7.4'
diff --git a/composer.json b/composer.json
@@ -13,14 +13,14 @@
         }
     ],
     "require": {
-        "php": ">=7.1",
+        "php": ">=7.2",
         "ext-mbstring": "*"
     },
     "require-dev": {
-        "phpunit/phpunit": "^7.5|^8.5|^9.6"
+        "phpunit/phpunit": "^8.5.52|^9.6.33"
     },
     "autoload": {
-        "psr-0": {"Parsedown": ""}
+        "psr-0": { "Parsedown": "" }
     },
     "autoload-dev": {
         "psr-0": {

-Original file line number
+Diff line change
         strategy:
             matrix:
                 php:
 -                    - '7.1'
                     - '7.2'
                     - '7.3'
                     - '7.4'