Upgrade tecnickcom/tcpdf from version 6.7.4 to 6.7.5 to address the security vulnerability CVE-2024-22640 #14661

Merged: 1 commit, May 6, 2024

Conversation

franceslui: No description provided.

@franceslui franceslui requested a review from snipe as a code owner April 29, 2024 23:47

welcome bot commented Apr 29, 2024

💖 Thanks for this pull request! 💖

We use semantic commit messages to streamline the release process and easily generate changelogs between versions. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix if it doesn't have one already.

Examples of commit messages with semantic prefixes:

  • Fixed #<issue number>: don't overwrite prevent_default if default wasn't prevented
  • Added #<issue number>: add checkout functionality to assets
  • Improved Asset Checkout: use new notification method for checkout

Things that will help get your PR across the finish line:

  • Document any user-facing changes you've made.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@probot-autolabeler probot-autolabeler bot added backend dependencies Pull requests that update a dependency file labels Apr 29, 2024
snipe (Owner) commented Apr 30, 2024

Can you provide a little more info here? Also we should probably lock that version into composer.json

franceslui (Author) commented Apr 30, 2024

Thank you for your comment asking me to provide information about my pull request.

We use Snipe-IT to manage our hardware inventory.

When we ran `ddev composer audit` we got the following error:

❯ ddev composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | tecnickcom/tcpdf                                                                 |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-22640                                                                   |
| Title             | TCPDF vulnerable to Regular Expression Denial of Service                         |
| URL               | https://github.com/advisories/GHSA-mx3p-fhpw-x6rv                                |
| Affected versions | <=6.7.4                                                                          |
| Reported at       | 2024-04-19T18:31:11+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 6 abandoned packages:
+--------------------------+----------------------------------------------------------------------------------+
| Abandoned Package        | Suggested Replacement                                                            |
+--------------------------+----------------------------------------------------------------------------------+
| doctrine/reflection      | roave/better-reflection                                                          |
| fruitcake/laravel-cors   | none                                                                             |
| laravelcollective/html   | spatie/laravel-html                                                              |
| nunomaduro/larastan      | larastan/larastan                                                                |
| phpunit/php-token-stream | none                                                                             |
| swiftmailer/swiftmailer  | symfony/mailer                                                                   |
+--------------------------+----------------------------------------------------------------------------------+
Composer [audit] failed, composer command failed: exit status 7. stderr=

To fix the error, I ran `ddev composer update tecnickcom/tcpdf`.

I could confirm the error was fixed by running `ddev composer audit` again:

❯ ddev composer audit
No security vulnerability advisories found.
Found 6 abandoned packages:
+--------------------------+----------------------------------------------------------------------------------+
| Abandoned Package        | Suggested Replacement                                                            |
+--------------------------+----------------------------------------------------------------------------------+
| doctrine/reflection      | roave/better-reflection                                                          |
| fruitcake/laravel-cors   | none                                                                             |
| laravelcollective/html   | spatie/laravel-html                                                              |
| nunomaduro/larastan      | larastan/larastan                                                                |
| phpunit/php-token-stream | none                                                                             |
| swiftmailer/swiftmailer  | symfony/mailer                                                                   |
+--------------------------+----------------------------------------------------------------------------------+

Could you accept my pull request for upgrading tecnickcom/tcpdf from 6.7.4 to 6.7.5? Thank you.
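The two checks this thread turns on, reproduced offline as an added example (this is not code from the PR, from Snipe-IT or from Composer): first, the `composer audit` question of whether the version pinned in composer.lock falls inside the advisory's affected range; second, snipe's point about locking the version into composer.json, i.e. whether the `require` constraint still admits the affected release. The advisory fields are taken from the audit output quoted above; the composer.lock and composer.json fragments are constructed for the example, and the caret/tilde handling covers only the common Composer shorthands.

```python
"""Added example: lockfile audit plus composer.json constraint check for one advisory."""
import json
import re

# Advisory fields as printed by `composer audit` in this PR; "fixed" is the
# version the PR upgrades to, "last_affected" is the top of the "<=6.7.4" range.
ADVISORY = {
    "package": "tecnickcom/tcpdf",
    "cve": "CVE-2024-22640",
    "affected": "<=6.7.4",
    "last_affected": "6.7.4",
    "fixed": "6.7.5",
}

# Constructed composer.lock fragments: before and after `composer update tecnickcom/tcpdf`.
LOCK_BEFORE = json.loads('{"packages": [{"name": "tecnickcom/tcpdf", "version": "6.7.4"}], "packages-dev": []}')
LOCK_AFTER = json.loads('{"packages": [{"name": "tecnickcom/tcpdf", "version": "6.7.5"}], "packages-dev": []}')

# Constructed composer.json fragments: a loose constraint and one pinned to the fixed release.
COMPOSER_LOOSE = {"require": {"tecnickcom/tcpdf": "^6.7.4"}}
COMPOSER_PINNED = {"require": {"tecnickcom/tcpdf": "^6.7.5"}}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """'v6.7.4' or '6.7.4-beta1' -> (6, 7, 4). Branch aliases like 'dev-master'
    carry no numeric version and raise ValueError rather than comparing as 0.0.0."""
    core = re.split(r"[-+]", text.lstrip("vV"), maxsplit=1)[0]
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", core):
        raise ValueError(f"non-numeric version: {text!r}")
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_matches(version, constraint):
    """Evaluate comparator constraints such as '<=6.7.4' or '>=6.0,<6.7.5 | >=7.0,<7.0.1':
    '|' separates alternatives; ',' or whitespace joins comparators that must all hold."""
    ver = parse_version(version)
    for alternative in constraint.split("|"):
        clauses = [c for c in re.split(r"[,\s]+", alternative) if c]
        if not clauses:
            continue
        for clause in clauses:
            m = re.fullmatch(r"(<=|>=|<|>|==|=|!=)?v?([0-9][0-9.]*)", clause)
            if not m:
                raise ValueError(f"unsupported constraint clause: {clause!r}")
            if not _OPS[m.group(1) or "="](ver, parse_version(m.group(2))):
                break  # this alternative fails; try the next one
        else:
            return True
    return False


def locked_version(lock, package):
    """Version pinned for `package` in composer.lock (prod or dev section), or None."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def audit_lock(lock, advisories):
    """The composer-audit check: (package, locked version, CVE) per matching advisory."""
    findings = []
    for adv in advisories:
        ver = locked_version(lock, adv["package"])
        if ver is not None and version_matches(ver, adv["affected"]):
            findings.append((adv["package"], ver, adv["cve"]))
    return findings


def normalize_constraint(constraint):
    """Rewrite Composer caret/tilde shorthands as comparator ranges (common forms only)."""
    c = constraint.strip()
    m = re.fullmatch(r"\^v?([0-9]+)(?:\.([0-9]+))?(?:\.([0-9]+))?", c)
    if m:  # ^6.7.4 -> >=6.7.4,<7.0.0 ; ^0.3.2 -> >=0.3.2,<0.4.0
        major, minor, patch = (int(x) if x else 0 for x in m.groups())
        upper = f"{major + 1}.0.0" if major > 0 or m.group(2) is None else f"0.{minor + 1}.0"
        return f">={major}.{minor}.{patch},<{upper}"
    m = re.fullmatch(r"~v?([0-9]+)(?:\.([0-9]+))?(?:\.([0-9]+))?", c)
    if m:  # ~6.7.4 -> >=6.7.4,<6.8.0 ; ~6.7 -> >=6.7.0,<7.0.0 ; ~6 -> >=6.0.0,<7.0.0
        major, minor, patch = (int(x) if x else 0 for x in m.groups())
        upper = f"{major}.{minor + 1}.0" if m.group(3) is not None else f"{major + 1}.0.0"
        return f">={major}.{minor}.{patch},<{upper}"
    return c  # already comparator form, or an exact version


def constraint_allows(constraint, version):
    """Does a composer.json constraint admit `version`?"""
    return version_matches(version, normalize_constraint(constraint))


def report(lock, composer_json, advisory):
    """Both checks together: lockfile exposure, then whether composer.json still admits it."""
    lines = [f"{pkg} {ver} is affected by {cve}" for pkg, ver, cve in audit_lock(lock, [advisory])]
    req = composer_json.get("require", {}).get(advisory["package"])
    if req is not None and constraint_allows(req, advisory["last_affected"]):
        lines.append(f'composer.json constraint "{req}" still admits {advisory["last_affected"]}; '
                     f'pin to ^{advisory["fixed"]} or tighter')
    return lines


if __name__ == "__main__":
    for label, lock, cj in (("before", LOCK_BEFORE, COMPOSER_LOOSE), ("after", LOCK_AFTER, COMPOSER_PINNED)):
        print(label, report(lock, cj, ADVISORY) or ["clean"])
```

Run against the "before" state the report names both the locked 6.7.4 and the `^6.7.4` constraint; after the update with the constraint raised to `^6.7.5` it is empty. Keeping the constraint check separate from the lockfile check is the point of snipe's comment: a fresh lock resolved under `^6.7.4` could legitimately land on 6.7.4 again, whereas `^6.7.5` cannot.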

@franceslui franceslui changed the title Fixes CVE-2024-32489 Upgrade tecnickcom/tcpdf from version 6.7.4 to 6.7.5 to address the security vulnerability CVE-2024-22640 May 1, 2024
joelpittet (Contributor) commented May 1, 2024

@snipe RE "Also we should probably lock that version into composer.json": are you planning to lock all your dependencies?

Over in Drupal land we have a locked version of the core dependencies in a separate project, https://github.com/drupal/core-recommended/. Is that kinda what you're going for (not the separate project, but the dependency lock-down)?


@snipe snipe merged commit 19fb79f into snipe:develop May 6, 2024
2 checks passed

welcome bot commented May 6, 2024

Congrats on merging your first pull request! 🎉🎉🎉
