[12.x] Update phpunit version constraints to address CVE#58526

PerryvanderMeer · 2026-01-28T09:05:13Z

GrahamCampbell

This is not necessary. The vulnerability does not affect our code-paths in CI and we do want to test the earlier versions of PHPUnit for compatibility.

GrahamCampbell · 2026-01-28T09:41:53Z

@crynobone is probably the best person to decide what to do with this (aka whether we would rather stop testing PHPUnit 12.2 and only test the latest version of 12.x).

crynobone · 2026-01-28T10:52:22Z

This is unnecessary

crynobone · 2026-01-28T10:54:01Z

Also, latest Composer doesn't install package with known vulnerability unless explicitly stated via composer.json audit configuration. e.g:

    "config": {
        "audit": {
            "block-insecure": false
        }
    }

This reverts commit 3cd17ce.

…#58542) This reverts commit 3cd17ce.

Update phpunit version constraints in composer.json

1852f02

PerryvanderMeer changed the title ~~Update phpunit version constraints to address CVE~~ [12.x] Update phpunit version constraints to address CVE Jan 28, 2026

GrahamCampbell requested changes Jan 28, 2026

View reviewed changes

taylorotwell merged commit 3cd17ce into laravel:12.x Jan 29, 2026
22 of 72 checks passed

crynobone added a commit that referenced this pull request Jan 29, 2026

Revert "Update phpunit version constraints in composer.json (#58526)"

3af124c

This reverts commit 3cd17ce.

crynobone mentioned this pull request Jan 29, 2026

Revert "[12.x] Update phpunit version constraints to address CVE" #58542

Merged

taylorotwell pushed a commit that referenced this pull request Jan 30, 2026

Revert "Update phpunit version constraints in composer.json (#58526)" (…

153986e

…#58542) This reverts commit 3cd17ce.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[12.x] Update phpunit version constraints to address CVE#58526