Fix CVE-2025-45769 and unblock CI

git-wright · git-wright · commit 41c8cf597523 · 2026-02-26T11:25:37.000-05:00
- Bump firebase/php-jwt from ^6.0 to ^7.0 to address CVE-2025-45769 (GHSA-2x45-7fc3-mxwq, CWE-326 inadequate encryption strength). v6.x accepts arbitrarily short HMAC keys; v7.0 enforces minimum key length and rejects weak secrets. - Bump doctrine/instantiator from 1.4.0 to ^1.5.0 to resolve a pre-existing dev dependency conflict that caused the prefer-lowest CI job to fail at dependency resolution before any tests could run. Closes #48. Co-authored-by: atymic <atymic@users.noreply.github.com>
diff --git a/composer.json b/composer.json
@@ -11,7 +11,7 @@
     "require-dev": {
         "phpunit/phpunit": "^9.0",
         "symfony/yaml": "^5.0 || ^6.0",
-        "doctrine/instantiator": "1.4.0",
+        "doctrine/instantiator": "^1.5.0",
         "overtrue/phplint": "^4.0 || ^5.0"
     },
     "autoload": {
