Require patched PHPUnit versions to fix CVE (unsafe deserialization in PHPT test runner)

erusev · erusev · commit 7b577b82ca92 · 2026-02-18T17:32:12.000+02:00
Updates PHPUnit constraints to require patched versions while maintaining PHP 7.1 support:
- PHPUnit 7.5+ (for PHP 7.1 compatibility; not mentioned in CVE, likely unaffected or EOL)
- PHPUnit 8.5.52+ (was 8.5.x; requires PHP 7.2+)
- PHPUnit 9.6.33+ (was 9.6.x; requires PHP 7.3+)

Vulnerability affects: &lt;= 8.5.51, &lt;= 9.6.32, &lt;= 10.5.61, &lt;= 11.5.49, &lt;= 12.5.7
diff --git a/composer.json b/composer.json
@@ -17,7 +17,7 @@
         "ext-mbstring": "*"
     },
     "require-dev": {
-        "phpunit/phpunit": "^7.5|^8.5|^9.6"
+        "phpunit/phpunit": "^7.5|^8.5.52|^9.6.33"
     },
     "autoload": {
         "psr-0": {"Parsedown": ""}
