I am currently using Laravel 10, which handles OAuth2 through "Laravel/Passport". Unfortunately there is a vulnerability, so I need to update my dependencies.
Vulnerability details: https://github.com/CarlsonBuma/Laravel-Quasar-Authsystem/security/dependabot/3
Current message: "Found 1 security vulnerability advisory affecting 1 package"
+-------------------+----------------------------------------------------------------------------------+
| Package | league/oauth2-server |
| CVE | CVE-2023-37260 |
| Title | league/oauth2-server key exposed in exception message when passing as a string a |
| | nd providing an invalid pass phrase |
| URL | https://github.com/advisories/GHSA-wj7q-gjg8-3cpm |
| Affected versions | >=8.3.2,<8.5.3 |
| Reported at | 2023-07-06T21:07:27+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Problem: I cannot update the dependency accordingly...

Setup

composer.lock

    "require": {
        "league/oauth2-server": "^8.2", // Update to 8.5
    },

composer.json

    "require": {
        "php": "^8.0.2",
        "guzzlehttp/guzzle": "^7.2",
        "laravel/framework": "^10.0",
        "laravel/passport": "^11.8",
        "laravel/tinker": "^2.7"
    },

What I tried: "composer update" (after deleting the composer.lock file). The version of "league/oauth2-server" stays the same.

Looking for: I need to update this dependency in Laravel 10. Why does the current version stay the same?
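The usual way to answer "why does the version stay the same" is to ask Composer which package requires league/oauth2-server and which constraint blocks the patched release, then update with transitive dependencies allowed. The script below is an added example, not code from the question or from the Laravel/Passport project: it checks a locked version against the advisory's affected range (>=8.3.2,<8.5.3 from the table above) and runs the standard Composer diagnostics. The composer.lock it parses is a constructed sample written to a temp file; the version 8.3.6 in it is made up for the demonstration.

```sh
#!/bin/sh
# Added example, not from the question above: find out why Composer keeps
# league/oauth2-server on an old release and whether the locked version falls
# inside the CVE-2023-37260 range (>=8.3.2,<8.5.3) from the advisory table.

# Compare two dotted, purely numeric version strings (a leading "v" is
# ignored). Prints -1, 0 or 1 like strcmp; missing components count as 0.
vercmp() {
    a="${1#v}"; b="${2#v}"
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{ print $n }')
        y=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{ print $n }')
        if [ -z "$x" ] && [ -z "$y" ]; then
            printf '%s\n' 0; return
        fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
}

# True (exit 0) when version $1 is inside the advisory's affected range.
is_affected() {
    [ "$(vercmp "$1" 8.3.2)" -ge 0 ] && [ "$(vercmp "$1" 8.5.3)" -lt 0 ]
}

# Read the locked version of package $1 from a composer.lock ($2, default
# ./composer.lock). In a lock file "name" is always followed by "version".
installed_version() {
    awk -v pkg="$1" '
        index($0, "\"name\": \"" pkg "\"") { found = 1 }
        found && /"version":/ { gsub(/[",]/, "", $2); sub(/^v/, "", $2); print $2; exit }
    ' "${2:-composer.lock}"
}

# Constructed sample lock file (versions are made up) so the script runs
# stand-alone; a real lock has many more fields per package.
SAMPLE_LOCK="${TMPDIR:-/tmp}/composer.lock.example"
cat > "$SAMPLE_LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "laravel/passport",
            "version": "v11.8.0"
        },
        {
            "name": "league/oauth2-server",
            "version": "8.3.6"
        }
    ]
}
EOF

pkg=league/oauth2-server
locked=$(installed_version "$pkg" "$SAMPLE_LOCK")
if is_affected "$locked"; then
    echo "$pkg $locked is inside the affected range: update to >=8.5.3"
else
    echo "$pkg $locked is outside the affected range"
fi

# In a real project, ask Composer who pins the package and what blocks the
# fixed release. These are standard Composer subcommands; they only run when
# composer and a composer.json are present in the current directory.
if command -v composer >/dev/null 2>&1 && [ -f composer.json ]; then
    composer why "$pkg"                  # which installed package requires it
    composer why-not "$pkg" 8.5.3        # which constraint blocks the patched release
    composer update "$pkg" --with-all-dependencies   # allow transitive deps to move
    composer audit                       # re-check advisories afterwards
fi
```

Run it from the project root. If `composer why-not league/oauth2-server 8.5.3` names laravel/passport, the installed Passport release is what holds oauth2-server back, and `composer update laravel/passport --with-all-dependencies` (or raising its constraint in composer.json) is the fix; a plain `composer update` keeps the old release because it honours the dependent package's constraint, not the constraint you might expect from the advisory.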