Ligonsker's avatar

What might've caused security team to detect this Laravel package as malware vector?

I sent them link to this package to scan: https://github.com/barryvdh/laravel-dompdf

I was denied with a reason that this is a potentially risky package.

Any idea what might've caused that? I did a quick Google search "laravel-dompdf malware" and found this result from their GitHub: https://github.com/barryvdh/laravel-dompdf/issues/840

Maybe they also found it? Though not much explanation there.

0 likes
12 replies
Sinnbeck's avatar

Ok it does not. Then I cannot imagine why they flagged it

No dependencies on external PDF libraries, thanks to the R&OS PDF class

2 likes
Ligonsker's avatar

Thanks guys for all the help in the recent days. You help me deal with the security team. Going to ask them first thing tomorrow when they're there.

Tray2's avatar

@Ligonsker I would ask your manager to fire the security team and hire someone who knows what they are doing.

2 likes
Ligonsker's avatar

@Tray2 Haha I'm quite new there. And this is not a software company at core. So I feel like it's more of a human relationship thing between the people there (like they're working together a long time so they're more like "friends" as long as it's not related to them). If I start calling out other people and I'm new there, I'll be the first to be fired, just my feeling.

Snapey's avatar

You are not going to find something that lists current vulnerabilities - at least, I certainly hope not. Any vulnerabilities are usually communicated off-line with the author and fixed without saying too much about what was wrong.

1 like
Ligonsker's avatar

@Snapey thanks. I really want answers from them now. I'm starting to feel more and more that they are just lazy. Blocking everything and goodbye. I am curious as to their reason of blocking it... Or... What is even the procedure they do to determine if a random zipped package is malicious?
