
fix: Allow composer install on fresh clones (PHPUnit security advisory workaround)#357

Open
binaryfire wants to merge 1 commit intohypervel:mainfrom
binaryfire:fix/composer-security-advisory

Conversation

@binaryfire (Contributor) commented Feb 5, 2026

Problem

Fresh clones of the repository fail on composer install with:

Your requirements could not be resolved to an installable set of packages.

Problem 1
  - Root composer.json requires phpunit/phpunit 10.5.45, found phpunit/phpunit[10.5.45]
    but these were not loaded, because they are affected by security advisories
    ("PKSA-z3gr-8qht-p93v").

This is because Composer 2.7+ blocks packages with known security advisories by default.

Why we're locked to PHPUnit 10.5.45 in v0.3

In PHPUnit 10.5.46, the runTest() method was changed from protected to private:

// PHPUnit 10.5.46+
private function runTest(): mixed

Hypervel's RunTestsInCoroutine trait overrides this method to intercept test execution and wrap it in a Swoole coroutine:

// src/foundation/src/Testing/Concerns/RunTestsInCoroutine.php
final protected function runTest(): mixed
{
    if (Coroutine::getCid() === -1 && $this->enableCoroutine) {
        $this->realTestName = $this->name();
        parent::setName('runTestsInCoroutine');
    }

    return parent::runTest();
}

This trick allows the trait to:

  1. Save the real test method name
  2. Swap it to runTestsInCoroutine
  3. Let PHPUnit call runTestsInCoroutine() which wraps the actual test in a coroutine via run()

When runTest() became private, this stopped working (a private method can't be overridden), which breaks coroutine-based testing entirely.

The Security Advisory (CVE-2026-24765)

The advisory (GHSA-vvj3-c3rp-c85p) describes an unsafe deserialization vulnerability in PHPUnit's PHPT test runner code coverage handling.

Why this doesn't affect Hypervel:

  • The vulnerability is in cleanupForCoverage() which deserializes .coverage files during PHPT tests
  • PHPT is PHP's native test format (used by php-src), not standard PHPUnit test classes
  • Hypervel uses standard PHPUnit tests exclusively—no PHPT tests
  • The vulnerable code path is never executed

Risk assessment: Effectively zero for this project. We're ignoring the advisory because Composer blocks it by default, not because we're accepting any actual risk.

The Fix

Adding PKSA-z3gr-8qht-p93v to the audit ignore list allows:

  • composer install to work on fresh clones
  • Continued use of coroutine-based testing via RunTestsInCoroutine

Resolution in 0.4

This will be fully resolved in Hypervel 0.4, which will use PHPUnit 13. PHPUnit 13:

  1. Has patched versions available for this CVE
  2. Provides proper extension points that don't require overriding runTest()

Other Changes

Added testing to .gitignore: Running the CI database integration tests locally creates a testing file in the repository root. This is now ignored to keep the working tree clean.

- Add audit ignore for PKSA-z3gr-8qht-p93v (CVE-2026-24765) to allow
  composer install on fresh clones while locked to PHPUnit 10.5.45
- Add 'testing' to .gitignore (created by local CI database tests)
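The audit ignore described in this PR, shown as an added configuration example rather than the PR's own diff; the surrounding composer.json layout is assumed, while the advisory and CVE identifiers and the PHPUnit pin are the ones named above. Composer's config.audit.ignore accepts either a plain list of ids or an id-to-reason map; the map form keeps the justification in the repository next to the exemption.

```json
{
  "require-dev": {
    "phpunit/phpunit": "10.5.45"
  },
  "config": {
    "audit": {
      "ignore": {
        "PKSA-z3gr-8qht-p93v": "CVE-2026-24765: unsafe deserialization in PHPUnit's PHPT coverage cleanup. This project has no PHPT tests, so the vulnerable path is never executed. Pinned to 10.5.45 because 10.5.46 made runTest() private, which RunTestsInCoroutine must override. Revisit when 0.4 moves to PHPUnit 13."
      }
    }
  }
}
```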