Security vulnerability in Laravel 6 and 8, but not in 7?

Using the package roave/security-advisories, I scan my composer dependencies for known vulnerabilities both locally and in CI.

Today 7 days ago, a security disclosure was posted in the Laravel Framework repo: https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j

The security scanning tool trips over this security advisory and says I should update my Laravel dependency. But here's the catch: there is no update for Laravel 7!

I'm running Laravel 7 at the moment but my entire CI flow trips over this (seemingly) false positive.

Is it true that this issue only exists in Laravel 6 and 8, but not in 7? If so, how come?

fylzero

5 years ago

Best Answer

Level 67

@rvanbaalen Guessing because 6 is LTS and 7 is out of support but 8 is currently receiving security updates still.

https://laravel.com/docs/7.x/releases#support-policy

1 like

rvanbaalen

5 years ago

Level 6

Whoa, you're absolutely right! I completely missed that 7 wasn't LTS. I'll go ahead and prioritize the upgrade to 8 :-) Thanks for your quick response.

1 like

Please or to participate in this conversation.