feat: add Saloon v4 support (CVE-2026-33182, CVE-2026-33183)

ClawdBot · ClawdBot · commit 6bff4ff490ca · 2026-03-26T21:13:17.000Z
- Update saloonphp/saloon constraint to ^3.10|^4.0
- Update pagination-plugin to ^2.2|^2.3 and rate-limit-plugin to ^2.0|^2.5
- Fix Administrations endpoints: use relative paths instead of absolute
  URLs (absolute URLs are blocked in Saloon v4 to prevent SSRF)
diff --git a/composer.json b/composer.json
@@ -22,9 +22,9 @@
         "php": "^8.2",
         "guzzlehttp/guzzle": "^7.9",
         "kelunik/link-header-rfc5988": "^1.0",
-        "saloonphp/pagination-plugin": "^2.2",
-        "saloonphp/rate-limit-plugin": "^2.0",
-        "saloonphp/saloon": "^3.10"
+        "saloonphp/pagination-plugin": "^2.2|^2.3",
+        "saloonphp/rate-limit-plugin": "^2.0|^2.5",
+        "saloonphp/saloon": "^3.10|^4.0"
     },
     "require-dev": {
         "laravel/pint": "^1.17",
diff --git a/src/Api/Administrations/GetAdministrationRequest.php b/src/Api/Administrations/GetAdministrationRequest.php
@@ -16,12 +16,12 @@ public function __construct(
     }
 
     /**
-     * Returns the full URL to bypass the connector's base URL.
-     * The Administrations endpoint does not use an administration ID in the path.
+     * The Administrations endpoint does not use an administration ID in the path,
+     * so we navigate up from the connector's base URL (which includes the admin ID).
      */
     public function resolveEndpoint(): string
     {
-        return 'https://moneybird.com/api/v2/administrations/'.$this->id;
+        return '/../administrations/'.$this->id;
     }
 
     public function createDtoFromResponse(Response $response): Administration
diff --git a/src/Api/Administrations/GetAdministrationsRequest.php b/src/Api/Administrations/GetAdministrationsRequest.php
@@ -10,12 +10,12 @@
 class GetAdministrationsRequest extends BaseJsonGetRequest
 {
     /**
-     * Returns the full URL to bypass the connector's base URL.
-     * The Administrations endpoint does not use an administration ID in the path.
+     * The Administrations endpoint does not use an administration ID in the path,
+     * so we navigate up from the connector's base URL (which includes the admin ID).
      */
     public function resolveEndpoint(): string
     {
-        return 'https://moneybird.com/api/v2/administrations';
+        return '/../administrations';
     }
 
     public function createDtoFromResponse(Response $response): Administration

Original file line number	Diff line number	Diff line change
`@@ -16,12 +16,12 @@ public function __construct(`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`/**`
`19`		`- * Returns the full URL to bypass the connector's base URL.`
`20`		`- * The Administrations endpoint does not use an administration ID in the path.`
	`19`	`+ * The Administrations endpoint does not use an administration ID in the path,`
	`20`	`+ * so we navigate up from the connector's base URL (which includes the admin ID).`
`21`	`21`	`*/`
`22`	`22`	`public function resolveEndpoint(): string`
`23`	`23`	`{`
`24`		`- return 'https://moneybird.com/api/v2/administrations/'.$this->id;`
	`24`	`+ return '/../administrations/'.$this->id;`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`public function createDtoFromResponse(Response $response): Administration`
Original file line number	Diff line number	Diff line change
`@@ -10,12 +10,12 @@`
`10`	`10`	`class GetAdministrationsRequest extends BaseJsonGetRequest`
`11`	`11`	`{`
`12`	`12`	`/**`
`13`		`- * Returns the full URL to bypass the connector's base URL.`
`14`		`- * The Administrations endpoint does not use an administration ID in the path.`
	`13`	`+ * The Administrations endpoint does not use an administration ID in the path,`
	`14`	`+ * so we navigate up from the connector's base URL (which includes the admin ID).`
`15`	`15`	`*/`
`16`	`16`	`public function resolveEndpoint(): string`
`17`	`17`	`{`
`18`		`- return 'https://moneybird.com/api/v2/administrations';`
	`18`	`+ return '/../administrations';`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`public function createDtoFromResponse(Response $response): Administration`