
chore(deps): bump guzzle to 7.12.1 and psr7 to 2.12.1 for security advisories#23392

Merged
enricobattocchi merged 1 commit into trunk from fix-guzzle-psr7-security-advisories on Jun 23, 2026

Conversation

@enricobattocchi

Member

Context

The Security Check CI job (Symfony's security checker, which scans composer.lock against the published advisory database) started failing because new security advisories were published against the versions we had pinned. guzzlehttp/guzzle 7.10.0 is flagged for CVE-2026-55568 (HTTPS proxy silently downgraded to cleartext) and CVE-2026-55767 (dot-only cookie domains matching all hosts), and the transitive guzzlehttp/psr7 2.8.0 is flagged for CVE-2026-48998, CVE-2026-49214 and CVE-2026-55766 (host confusion and CRLF injection). Both libraries are prefixed into vendor_prefixed/ and ship with the plugin, so moving them to patched releases is the fix.

Summary

This PR can be summarized in the following changelog entry:

  • Updates the guzzlehttp/guzzle and guzzlehttp/psr7 dependencies to patched releases that address known security advisories.

Relevant technical choices:

  • Bumped the hard pin in composer.json from guzzlehttp/guzzle: 7.10.0 to 7.12.1, the latest patched stable release, matching the existing exact-version pin style of the other dev dependencies.
  • guzzlehttp/psr7 is a transitive dependency, so it was raised to 2.12.1 by running composer update guzzlehttp/guzzle guzzlehttp/psr7 --with-dependencies. As a side effect of resolution, guzzlehttp/promises moved to 2.5.0 and symfony/polyfill-php80 to v1.37.0; neither has open advisories.
  • vendor_prefixed/ is gitignored and rebuilt by the pipeline, so only composer.json and composer.lock change here.
  • composer check-branch-cs and composer lint-branch are clean (no PHP source changed). The unit suite passes; one unrelated time/order-dependent activation-cleanup scheduling test flaked in a single full-suite run but passes in isolation on this branch and in a full run on a clean trunk, so it is not caused by this change.

Test instructions

Test instructions for the acceptance test before the PR gets merged

This PR can be acceptance tested by following these steps:

  • Confirm the "Security check" job on this PR (and any re-run of it) reports green instead of listing guzzle/psr7 vulnerabilities.
  • In composer.lock, confirm guzzlehttp/guzzle resolves to 7.12.1 and guzzlehttp/psr7 to 2.12.1.
  • Run a feature that performs outgoing connections (for example connecting Google Search Console / Site Kit, or any flow that uses the OAuth client) and confirm it still authenticates and fetches data as before.

Relevant test scenarios

  • Changes should be tested with the browser console open
  • Changes should be tested on different posts/pages/taxonomies/custom post types/custom taxonomies
  • Changes should be tested on different editors (Default Block/Gutenberg/Classic/Elementor/other)
  • Changes should be tested on different browsers
  • Changes should be tested on multisite

Test instructions for QA when the code is in the RC

QA can test this PR by following these steps:

  • QA should use the same steps as above.

Impact check

This PR affects the following parts of the plugin, which may require extra testing:

  • Any feature that makes outgoing HTTP requests through the prefixed Guzzle client, in particular the OAuth-based connections (Google Search Console / Site Kit and similar external integrations).

Other environments

  • This PR also affects Shopify. I have added a changelog entry starting with [shopify-seo], added test instructions for Shopify and attached the Shopify label to this PR.
  • This PR also affects Yoast SEO for Google Docs. I have added a changelog entry starting with [yoast-doc-extension], added test instructions for Yoast SEO for Google Docs and attached the Google Docs Add-on label to this PR.

Documentation

  • I have written documentation for this change. For example, comments in the Relevant technical choices, comments in the code, documentation on Confluence / shared Google Drive / Yoast developer portal, or other.

Quality assurance

  • I have tested this code to the best of my abilities.
  • During testing, I had activated all plugins that Yoast SEO provides integrations for.
  • I have added unit tests to verify the code works as intended.
  • If any part of the code is behind a feature flag, my test instructions also cover cases where the feature flag is switched off.
  • I have written this PR in accordance with my team's definition of done.
  • I have checked that the base branch is correctly set.
  • I have run grunt build:images and committed the results, if my PR introduces or edits images or SVGs.

Innovation

  • No innovation project is applicable for this PR.
  • This PR falls under an innovation project. I have attached the innovation label.
  • I have added my hours to the WBSO document.

Fixes #

Resolves security advisories failing the Security Check CI job:
- guzzle: CVE-2026-55568, CVE-2026-55767
- psr7: CVE-2026-48998, CVE-2026-49214, CVE-2026-55766

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
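As an added check for the acceptance step above (confirming what composer.lock resolves guzzle and psr7 to), here is a small script that is not part of the Yoast repository or of Symfony's security checker: it reads a composer.lock, scans both the `packages` and `packages-dev` sections, and flags any tracked package that sits below the patched floors this PR names. The lock fragments are constructed from the versions listed in the PR, not copied from it.

```python
import json

# Added example, not part of the Yoast repository or of Symfony's
# security checker. Floors are the patched releases the PR names.
MIN_PATCHED = {
    "guzzlehttp/guzzle": "7.12.1",
    "guzzlehttp/psr7": "2.12.1",
}

def parse_version(v):
    """'v1.33.0' -> (1, 33, 0); drops pre-release/build suffixes."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def locked_versions(lock_json):
    """Map package name -> locked version across 'packages' and
    'packages-dev' (guzzle is a dev dependency in this PR)."""
    lock = json.loads(lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found

def find_unpatched(lock_json, minimums=MIN_PATCHED):
    """Return {name: (locked, floor)} for tracked packages below
    their patched floor. A version that cannot be parsed (e.g. a
    dev-* branch alias) is flagged too, since its patch state is
    unknown."""
    versions = locked_versions(lock_json)
    bad = {}
    for name, floor in minimums.items():
        locked = versions.get(name)
        if locked is None:
            continue  # package not installed at all
        try:
            ok = parse_version(locked) >= parse_version(floor)
        except ValueError:
            ok = False
        if not ok:
            bad[name] = (locked, floor)
    return bad

# Constructed lock fragments using the versions the PR lists.
LOCK_BEFORE = json.dumps({"packages": [], "packages-dev": [
    {"name": "guzzlehttp/guzzle", "version": "7.10.0"},
    {"name": "guzzlehttp/psr7", "version": "2.8.0"},
    {"name": "symfony/polyfill-php80", "version": "v1.33.0"}]})
# Same fragment with the two pins moved to the patched releases.
LOCK_AFTER = LOCK_BEFORE.replace("7.10.0", "7.12.1").replace("2.8.0", "2.12.1")
```

Running `find_unpatched` on a real lock file is just `find_unpatched(open("composer.lock").read())`; an empty dict means the tracked packages are at or above the patched floors.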
@private-packagist


composer.lock

Dev Package changes

Package                  Operation  From         To
guzzlehttp/guzzle        upgrade    7.10.0 ⚠️    7.12.1 ✅
guzzlehttp/promises      upgrade    2.3.0        2.5.0
guzzlehttp/psr7          upgrade    2.8.0 ⚠️     2.12.1 ✅
symfony/polyfill-php80   upgrade    v1.33.0      v1.37.0


@enricobattocchi enricobattocchi added the changelog: other Needs to be included in the 'Other' category in the changelog label Jun 22, 2026
@coveralls


Coverage Report for CI Build 78708

Coverage decreased (-0.5%) to 53.324%

Details

  • Coverage decreased (-0.5%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.
Coverage Stats

Coverage Status
Relevant Lines: 67846
Covered Lines: 35943
Line Coverage: 52.98%
Relevant Branches: 16664
Covered Branches: 9121
Branch Coverage: 54.73%
Branches in Coverage %: Yes
Coverage Strength: 44356.04 hits per line

💛 - Coveralls

@enricobattocchi enricobattocchi added changelog: non-user-facing Needs to be included in the 'Non-userfacing' category in the changelog changelog: other Needs to be included in the 'Other' category in the changelog and removed changelog: other Needs to be included in the 'Other' category in the changelog changelog: non-user-facing Needs to be included in the 'Non-userfacing' category in the changelog labels Jun 22, 2026
@enricobattocchi enricobattocchi added this to the 28.0 milestone Jun 23, 2026
@enricobattocchi enricobattocchi merged commit 9fe14cc into trunk Jun 23, 2026
33 of 34 checks passed
@enricobattocchi enricobattocchi deleted the fix-guzzle-psr7-security-advisories branch June 23, 2026 07:28