Page MenuHomePhabricator
Create Task
Maniphest T423763

phpunit PKSA-5jz8-6tcw-pbk4 breaks CI
Closed, ResolvedPublic
Actions

Description

In Parsoid repository, any CI job fails with:

- Root composer.json requires phpunit/phpunit 10.5.62 (exact version match: 10.5.62 or 10.5.62.0), found phpunit/phpunit[10.5.62] but these were not loaded, because they are affected by security advisories ("PKSA-5jz8-6tcw-pbk4"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

https://integration.wikimedia.org/ci/job/quibble-vendor-mysql-php83/65661/console

In core repository, any CI job fails with:

- Root composer.json requires phpunit/phpunit 9.6.34 (exact version match: 9.6.34 or 9.6.34.0), found phpunit/phpunit[9.6.34] but these were not loaded, because they are affected by security advisories ("PKSA-5jz8-6tcw-pbk4"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

https://integration.wikimedia.org/ci/job/quibble-for-mediawiki-core-composertest-only-php83/10069/console

This is annoying because the only fixes in https://github.com/advisories/GHSA-qrr6-mg7r-m243 for this are for phpunit 12.5.22 and 13.1.6 and we're still using phpunit 9 and 10. In fact, we don't really have a plan for covers-validator past PHP 11 or 12: https://github.com/oradwell/covers-validator/issues/44

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Update phpunit to 10.5.63mediawiki/services/parsoidmaster+1 -1
Bump wikimedia/parsoid to 0.23.0-a28mediawiki/vendorwmf/1.46.0-wmf.24+1 K -1 K
Bump wikimedia/parsoid to 0.23.0-a28mediawiki/vendormaster+1 K -1 K
Customize query in gerrit

Related Objects

Event Timeline

cscott created this task.Apr 18 2026, 4:04 AM
Restricted Application added a project: Continuous-Integration-Infrastructure. · View Herald TranscriptApr 18 2026, 4:04 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Apr 18 2026, 4:07 AM

Change #1274426 had a related patch set uploaded (by C. Scott Ananian; author: C. Scott Ananian):

[mediawiki/services/parsoid@master] Update phpunit to 10.5.63

https://gerrit.wikimedia.org/r/1274426

gerritbot added a project: Patch-For-Review.Apr 18 2026, 4:07 AM
cscott added a project: Parsoid.Apr 18 2026, 4:18 AM
cscott updated the task description. (Show Details)
Nikerabbit subscribed.Apr 18 2026, 12:50 PM
A_smart_kitten edited projects, added MediaWiki-General, ci-test-error (WMF-deployed Build Failure); removed MediaWiki-Vendor, Jenkins, Continuous-Integration-Infrastructure.EditedApr 18 2026, 1:34 PM
A_smart_kitten subscribed.

Maybe this vulnerability might not actually affect PHPUnit 9/10/11, and this just might be an issue with how GitHub has currently published it?
Copying from the comment at https://github.com/sebastianbergmann/phpunit/pull/6592#issuecomment-4273267026:

Will a new release be done for PHPUnit 11 too with this security fix?

PHPUnit 11 is not affected. Only PHPUnit 12.5.21 and PHPUnit 13.1.5 are affected.

Please see https://github.com/github/advisory-database/pull/7430.

Judging by https://github.com/sebastianbergmann/phpunit/pull/6592#issuecomment-4273427938, it seems like this may have been resolved on the CI side of things by this PR to FriendsOfPHP/security-advisories.

Then again, how come this caused CI builds for mediawiki/core to fail? I thought that this behaviour was meant to have been disabled in T416518: Disable Composer 2.9 functionality to randomly block existing configurations from working? (Am I misunderstanding something about that task?)

A_smart_kitten closed this task as Resolved.Apr 18 2026, 1:49 PM

I'm going to boldly resolve this, as CI now passes for https://gerrit.wikimedia.org/r/1274426 (in Parsoid) & https://gerrit.wikimedia.org/r/1274436 (in MW Core).
It's still currently unclear to me why this caused CI builds to fail for Core, though, given the patch merged in T416518.

A_smart_kitten mentioned this in T416518: Disable Composer 2.9 functionality to randomly block existing configurations from working.Apr 18 2026, 1:50 PM
gerritbot added a comment.Apr 18 2026, 3:18 PM

Change #1274426 merged by jenkins-bot:

[mediawiki/services/parsoid@master] Update phpunit to 10.5.63

https://gerrit.wikimedia.org/r/1274426

A_smart_kitten removed a project: Patch-For-Review.Apr 18 2026, 7:40 PM
gerritbot added a comment.Apr 20 2026, 4:43 PM

Change #1275470 had a related patch set uploaded (by OSleger; author: OSleger):

[mediawiki/vendor@master] Bump wikimedia/parsoid to 0.23.0-a28

https://gerrit.wikimedia.org/r/1275470

gerritbot added a project: Patch-For-Review.Apr 20 2026, 4:43 PM
gerritbot added a comment.Apr 20 2026, 10:09 PM

Change #1275470 merged by jenkins-bot:

[mediawiki/vendor@master] Bump wikimedia/parsoid to 0.23.0-a28

https://gerrit.wikimedia.org/r/1275470

gerritbot added a comment.Apr 20 2026, 10:24 PM

Change #1275541 had a related patch set uploaded (by C. Scott Ananian; author: OSleger):

[mediawiki/vendor@wmf/1.46.0-wmf.24] Bump wikimedia/parsoid to 0.23.0-a28

https://gerrit.wikimedia.org/r/1275541

gerritbot added a comment.Apr 21 2026, 2:05 PM

Change #1275541 merged by jenkins-bot:

[mediawiki/vendor@wmf/1.46.0-wmf.24] Bump wikimedia/parsoid to 0.23.0-a28

https://gerrit.wikimedia.org/r/1275541

Stashbot mentioned this in T420102: Special:LintTemplateErrors shows parser functions without context.Apr 21 2026, 2:09 PM
Stashbot mentioned this in T423192: Galleries on Parsoid don't support data attributes.

Mentioned in SAL (#wikimedia-operations) [2026-04-21T14:09:44Z] <cscott@deploy1003> Started scap sync-world: Backport for [[gerrit:1275541|Bump wikimedia/parsoid to 0.23.0-a28 (T420102 T421680 T422879 T422966 T423192 T423763 T423662)]], [[gerrit:1275542|Bump wikimedia/parsoid to 0.23.0-a28 (T423662)]], [[gerrit:1275560|[tests] add ParsoidLanguageConverterTest]], [[gerrit:1275561|ParsoidLanguageConverter: update lang/dir on content wrapper div (T423747)]]

Stashbot mentioned this in T423747: Parsoid LanguageConverter sets top level `lang` and `dir` attributes to the base language not the variant.Apr 21 2026, 2:10 PM
Stashbot mentioned this in T423662: CTT tasks week of 2026-04-17.
Stashbot mentioned this in T422966: Parsoid tokenizer doesn't allow table or list markup inside language conversion brackets.

Mentioned in SAL (#wikimedia-operations) [2026-04-21T14:11:25Z] <cscott@deploy1003> cscott: Backport for [[gerrit:1275541|Bump wikimedia/parsoid to 0.23.0-a28 (T420102 T421680 T422879 T422966 T423192 T423763 T423662)]], [[gerrit:1275542|Bump wikimedia/parsoid to 0.23.0-a28 (T423662)]], [[gerrit:1275560|[tests] add ParsoidLanguageConverterTest]], [[gerrit:1275561|ParsoidLanguageConverter: update lang/dir on content wrapper div (T423747)]] synced to the testservers (see https://wikit

Stashbot added a comment.Apr 21 2026, 2:22 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-21T14:22:46Z] <cscott@deploy1003> Finished scap sync-world: Backport for [[gerrit:1275541|Bump wikimedia/parsoid to 0.23.0-a28 (T420102 T421680 T422879 T422966 T423192 T423763 T423662)]], [[gerrit:1275542|Bump wikimedia/parsoid to 0.23.0-a28 (T423662)]], [[gerrit:1275560|[tests] add ParsoidLanguageConverterTest]], [[gerrit:1275561|ParsoidLanguageConverter: update lang/dir on content wrapper div (T423747)]] (duration: 13m 02s)

A_smart_kitten removed a project: Patch-For-Review.Apr 21 2026, 2:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits