Dependancy Update due to CVE's

[daveh-da]

Hi,

Would it be possible to update the required CraftCMS version plus it's dependencies? We have a client Wiz for security vulnerabilities, and it is flagging up this package due to the composer lock file using CraftCMS 5.0.0 and Yii2 2.0.48, which are vulnerable to these CVE's: CVE-2025-32432, CVE-2024-56145 and CVE-2024-58136.

Our root composer.lock file is not vulnerable to these CVE's, however, the client has asked us to do what we can to remove these vulnerabilities from our project dependencies.

I've created a branch locally with the required updates, which I can push. There are no problems with incompatible sets of packages, and I can't see any reason it would cause the package itself to function incorrectly; however, not sure how I would actually test this with my local Craft project.

[janhenckens]

Hey @daveh-da, the repo only contains a composer.lock to run coding standards checks & PHPStan, it doesn't actually install based on that when you use the plugin in a project, so the vulnerable version doesn't get installed on your end.

I'll make sure we update dependencies for the next release!

[daveh-da]

Thanks @janhenckens much appreciated.