
Composer 2.9 blocks LibUp js-yaml upgrade on release branch due to vulnerability in firebase/php-jwt
Closed, Resolved, Public

Description

In this Gerrit change, Libraryupgrader tried to update js-yaml to 3.14.2, 4.1.1 in WikibaseQualityConstraints on the REL1_39 branch, in order to resolve CVE-2025-64718. However, gate-and-submit failed:

[27.0MiB/9.57s] Your requirements could not be resolved to an installable set of packages.
[27.0MiB/9.57s] 
  Problem 1
    - Root composer.json requires firebase/php-jwt ^5.2.0, found firebase/php-jwt[v5.2.0, v5.2.1, v5.3.0, v5.4.0, v5.5.0, v5.5.1] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-2kqm-ps5x-s4f5") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

[24.9MiB/9.57s] 
Update to apply merge settings failed, reverting ./composer.lock to its original content.

If I understand correctly, this is Composer 2.9’s Automatic Security Blocking at work – blocking us from fixing another vulnerability (in a separate package ecosystem). This seems hardly ideal.

(Note that the equivalent changes on REL1_43 and REL1_44 went through without issue – presumably those branches happen to already have a newer php-jwt version.)

Event Timeline

I’m filing this task mainly for awareness, so it’s visible beyond Gerrit comments on a single affected change. I guess on this particular change I’ll just add the advisory (on which I haven’t been able to find any details yet, btw) to the ignore config; I don’t know what we want to do about this issue beyond that.

the advisory (on which I haven’t been able to find any details yet, btw)

Ah, it’s in the advisories section (which you find by following a “security” link – searching “advisories” on the main package page yields nothing). Apparently PKSA-2kqm-ps5x-s4f5 = GHSA-8xf4-w7qw-pjjw = CVE-2021-46743, because I guess one identifier wasn’t enough.

Given that WikibaseQualityConstraints doesn’t import this library and does nothing even remotely JWT-related, I think it’s reasonable to ignore the report in this context. (Presumably the library is pulled in by some other extension, perhaps OAuth or CentralAuth, which is still using the vulnerable version on the REL1_39 branch.)

I guess on this particular change I’ll just add the advisory to the ignore config

Nope, doesn’t work (PS4, CI console with the same error as before). I’m guessing composer-merge-plugin doesn’t merge the config.audit.ignore section.

Upgrading firebase/php-jwt in CheckUser successfully fixes composer in WikibaseQualityConstraints (PS5); adding the config.audit.ignore to MediaWiki core’s composer.json also fixes WBQC (PS6). In either case, the build then fails for unrelated errors (T397006: WikibaseLexeme CI broken on REL1_39 branch). I think for WikibaseQualityConstraints on REL1_39, I’d leave it at that; fixing CI is nontrivial and neither of the known vulnerabilities affects WikibaseQualityConstraints or WikibaseLexeme meaningfully AFAICT. (Also, I’m guessing that upgrading php-jwt on REL1_39 just in CheckUser would be a bad idea – judging by T335288 and its subtasks, we’d want to upgrade it in CheckUser, ContentTranslation and OAuth at once, otherwise we might leave third-party 1.39 wikis that use all of those extensions stranded with a composer version conflict.)

Meanwhile, with regard to the general issue here, we’ve learned:

  • You can’t use config.audit.ignore in composer.json of an extension (or, presumably, skin) to bypass this error.
  • You can try to upgrade the dependency composer complains about; this, as you’d expect, fixes the error. Whether the upgrade is simple to do or not will vary.
  • Alternatively, you can use config.audit.ignore in composer.json of MediaWiki core to bypass this error, and then pull in that core change via Depends-On in the extension / skin.
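The comment above worries that upgrading php-jwt in only one of CheckUser, ContentTranslation and OAuth would leave a 1.39 wiki running all three with constraints no single version satisfies. The following is an added example (not code from the task or from any of those extensions) that reads constructed composer.json fragments for the three extensions and reports whether their `firebase/php-jwt` caret constraints can all be met at once; it assumes every constraint is a plain caret range like `^5.2.0`, which is the only form it parses.

```python
import json
import re

# Constructed composer.json fragments (sample data, not the real files): CheckUser
# has been bumped to php-jwt 6.x while OAuth and ContentTranslation still pin ^5.2.0,
# which is the half-upgraded state the comment above warns about.
EXTENSION_COMPOSER_JSON = {
    "CheckUser": '{"require": {"firebase/php-jwt": "^6.0.0"}}',
    "OAuth": '{"require": {"firebase/php-jwt": "^5.2.0"}}',
    "ContentTranslation": '{"require": {"firebase/php-jwt": "^5.2.0"}}',
}

_CARET = re.compile(r"^\^(\d+)\.(\d+)\.(\d+)$")


def caret_range(constraint):
    """Translate a caret constraint into (inclusive low, exclusive high) the way
    Composer does: ^5.2.0 means >=5.2.0,<6.0.0; ^0.3.0 means >=0.3.0,<0.4.0."""
    m = _CARET.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint {constraint!r}: only caret ranges handled")
    major, minor, patch = map(int, m.groups())
    low = (major, minor, patch)
    high = (major + 1, 0, 0) if major > 0 else (0, minor + 1, 0)
    return low, high


def collect_constraints(package, composer_jsons):
    """Return {extension: (low, high)} for every composer.json requiring package."""
    ranges = {}
    for name, text in composer_jsons.items():
        require = json.loads(text).get("require", {})
        if package in require:
            ranges[name] = caret_range(require[package])
    return ranges


def find_conflict(package, composer_jsons):
    """Return None if one version satisfies every extension, else the first pair of
    extensions whose ranges do not overlap. Pairwise overlap is enough for version
    intervals on a line: if every pair overlaps, the whole set shares a version."""
    ranges = collect_constraints(package, composer_jsons)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            low = max(ranges[a][0], ranges[b][0])
            high = min(ranges[a][1], ranges[b][1])
            if low >= high:  # empty intersection: 'requirements could not be resolved'
                return (a, b)
    return None
```

Running `find_conflict("firebase/php-jwt", EXTENSION_COMPOSER_JSON)` on the sample data flags CheckUser against ContentTranslation; once all three fragments say `^6.0.0` it returns None.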

I have encountered that issue with ProofreadPage on https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ProofreadPage/+/1193873 and ended up pushing the change.

Maybe CheckUser @ REL1_39 could have firebase/php-jwt upgraded https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1211081, then the upgrade was not backported, possibly because the issue was not that severe. Given REL1_39 is end of life in a week, I would not bother.

Same issue in OAuth (gerrit 1209458) which does in fact depend on firebase/php-jwt for security-critical functionality, but only for encoding JWTs, not for decoding them. So AIUI it's not affected by the vulnerability.

Same issue in TemplateStyles (gerrit 1210036) and CentralAuth (gerrit 1208002) as well, presumably through some dependency chain because neither uses the library.

Upgraded in rEOAUfb6a51e461b3: Update firebase/php-jwt and then in rEOAU60e7f826b97b: Upgrading firebase/php-jwt (v6.4.0 => v6.10.0). Seems straightforward to backport; fortunately the library has no dependencies, and I don't think we have anything else that depends on it.

Change #1218835 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@REL1_39] Upgrade firebase/php-jwt

https://gerrit.wikimedia.org/r/1218835

6.4 requires PHP 7, but 6.0.0 has identical PHP requirements to 5.2, so upgrading to that in REL1_39 should do the trick.

Change #1218836 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CheckUser@REL1_39] Upgrade firebase/php-jwt

https://gerrit.wikimedia.org/r/1218836

Change #1218836 abandoned by Gergő Tisza:

[mediawiki/extensions/CheckUser@REL1_39] Upgrade firebase/php-jwt

Reason:

Already done in Ied289bf5738df2a5619a20ce3eb8866994705160

https://gerrit.wikimedia.org/r/1218836

Change #1218840 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/ContentTranslation@REL1_39] Upgrade firebase/php-jwt

https://gerrit.wikimedia.org/r/1218840

Change #1218840 merged by Bartosz Dziewoński:

[mediawiki/extensions/ContentTranslation@REL1_39] Upgrade firebase/php-jwt

https://gerrit.wikimedia.org/r/1218840

Change #1218835 merged by jenkins-bot:

[mediawiki/extensions/OAuth@REL1_39] Upgrade firebase/php-jwt

https://gerrit.wikimedia.org/r/1218835

FWIW, I’m not convinced that the general problem of unwise Composer behavior breaking LibUp upgrades is resolved.

There should probably be a task about that then?
(Although adding to config.audit.ignore in core as per T411006#11405392 seems like a fully generic solution to me, we just ended up not doing that here.)