
Update firebase/php-jwt to ^7.0 (security fix)#456

Merged: lizkenyon merged 1 commit into main from update-firebase-jwt on Mar 2, 2026

Conversation

@lizkenyon (Contributor) wrote:

Summary

  • Updates firebase/php-jwt from ^5.2 || ^6.2 to ^7.0 to address security vulnerability GHSA-2x45-7fc3-mxwq (CVE-2025-45769, CVSS 7.3 — weak encryption)
  • Updates test secret keys to meet v7's minimum 32-byte HMAC key requirement and recalculates all dependent HMAC fixtures
  • No production code changes required — only the dependency constraint and test fixtures are affected

Context

firebase/php-jwt v7 enforces minimum key sizes for HMAC algorithms (32 bytes for HS256). Shopify API secrets are always >= 32 characters (legacy format: 32 hex chars, new format: shpss_ + 32 chars = 38 chars), so no real users are affected by this enforcement. The test suite used short mock secrets ('steffi', 'rocky') which needed updating.

Closes #454

Test plan

  • All 221 tests pass (1 skipped: APCu extension test, pre-existing)
  • Linter passes clean
  • CI passes

🤖 Generated with Claude Code

Resolves #454. The firebase/php-jwt ^5.2 || ^6.2 constraint is affected
by security advisory GHSA-2x45-7fc3-mxwq (CVE-2025-45769), which
prevents Composer from installing the library without warnings.

- Update firebase/php-jwt constraint to ^7.0
- Regenerate composer.lock on PHP 8.1 to maintain compatibility
- Update test secrets to meet v7 minimum HMAC key size (32 bytes)
- Extract test secrets into named constants for readability
- Fix broken packagist link in README

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
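The Context paragraph and the "update test secrets" commit bullet above state the v7 rule (32-byte minimum for HS256) but do not show what it does to a fixture. The PHP script below is an added example, not code from this repository or from firebase/php-jwt. It reimplements the minimum-key-length check using the RFC 7518 section 3.2 minima (32, 48 and 64 bytes for HS256, HS384 and HS512; the PR text only mentions the HS256 value), signs and verifies an HS256 token with PHP's standard library only so it runs without Composer, and shows that the two short mock secrets named in the PR are rejected while secrets shaped like the two Shopify formats described above pass and yield different signatures, which is why the HMAC fixtures had to be recalculated. The secret values, the payload and the exception class thrown by the check are constructed for this example; the page does not say which exception class php-jwt v7 itself throws.

```php
<?php
declare(strict_types=1);

// Added example (not code from this repository or from firebase/php-jwt).
// Minimum HMAC key lengths per RFC 7518 §3.2: at least the hash output size.
const HMAC_MIN_KEY_BYTES = ['HS256' => 32, 'HS384' => 48, 'HS512' => 64];
const HMAC_HASH_ALGO     = ['HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512'];

// Constructed placeholder secrets shaped like the two Shopify formats described in the PR
// (legacy: 32 hex chars; new: 'shpss_' + 32 chars). Not real credentials.
const LEGACY_SHAPED_SECRET = '0123456789abcdef0123456789abcdef';       // 32 bytes
const NEW_SHAPED_SECRET    = 'shpss_0123456789abcdef0123456789abcdef'; // 38 bytes

function assertHmacKeyLength(string $key, string $alg): void
{
    if (!array_key_exists($alg, HMAC_MIN_KEY_BYTES)) {
        throw new InvalidArgumentException("Unsupported HMAC algorithm: $alg");
    }
    // strlen() counts bytes, which is what matters for an HMAC key; mb_strlen() would count characters.
    $min = HMAC_MIN_KEY_BYTES[$alg];
    if (strlen($key) < $min) {
        // Exception class chosen for this example; php-jwt v7's own class is not shown on the page.
        throw new DomainException(sprintf('Key for %s must be at least %d bytes, got %d', $alg, $min, strlen($key)));
    }
}

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string|false
{
    $padded = str_pad($data, strlen($data) + (4 - strlen($data) % 4) % 4, '=');
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

function signHmacJwt(array $payload, string $key, string $alg = 'HS256'): string
{
    assertHmacKeyLength($key, $alg);
    $signingInput = base64UrlEncode(json_encode(['typ' => 'JWT', 'alg' => $alg], JSON_THROW_ON_ERROR))
        . '.' . base64UrlEncode(json_encode($payload, JSON_THROW_ON_ERROR));
    $signature = hash_hmac(HMAC_HASH_ALGO[$alg], $signingInput, $key, true);
    return $signingInput . '.' . base64UrlEncode($signature);
}

function verifyHmacJwt(string $jwt, string $key, string $alg = 'HS256'): bool
{
    assertHmacKeyLength($key, $alg);
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    // Pin the expected algorithm; never take 'alg' from the token header.
    $expected = hash_hmac(HMAC_HASH_ALGO[$alg], $parts[0] . '.' . $parts[1], $key, true);
    $actual   = base64UrlDecode($parts[2]);
    return $actual !== false && hash_equals($expected, $actual);
}

$payload = ['iss' => 'example.myshopify.com', 'exp' => 1900000000]; // constructed claims

// The short mock secrets named in the PR fail the v7-style check.
foreach (['steffi', 'rocky'] as $short) {
    try {
        signHmacJwt($payload, $short);
        echo "$short accepted (unexpected)\n";
    } catch (DomainException $e) {
        echo "$short rejected: {$e->getMessage()}\n";
    }
}

// Secrets shaped like real Shopify secrets pass, and each produces a different signature,
// so a fixture computed with one secret is invalid for another.
foreach ([LEGACY_SHAPED_SECRET, NEW_SHAPED_SECRET] as $secret) {
    $jwt = signHmacJwt($payload, $secret);
    printf("%d-byte secret -> signature %s verify=%s\n",
        strlen($secret), explode('.', $jwt)[2], var_export(verifyHmacJwt($jwt, $secret), true));
}
var_dump(verifyHmacJwt(signHmacJwt($payload, LEGACY_SHAPED_SECRET), NEW_SHAPED_SECRET));
```

Run with `php example.php` on PHP 8.0 or later (the union return type needs 8.0; the PR regenerated its lockfile on 8.1). The last line verifies a token signed under one secret against the other and prints false, the same effect a recalculated fixture guards against when a test secret changes.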
lizkenyon force-pushed the update-firebase-jwt branch from b420cab to 4a144a8 on March 2, 2026 15:29
@byrichardpowell (Contributor) left a comment:

Thanks 👍

@lizkenyon lizkenyon merged commit 6eb1a25 into main Mar 2, 2026
7 checks passed
@lizkenyon lizkenyon deleted the update-firebase-jwt branch March 2, 2026 15:52
@kylemilloy commented:

Thank you for expediting this. Much appreciated 🙏

Linked issue (closed by this pull request): #454 Package affected by PHP-JWT vulnerability

3 participants