From a2f02322b1f747587973a32d450bbc0d07ff0439 Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Thu, 11 Jun 2026 16:53:15 +0200 Subject: [PATCH 1/7] =?UTF-8?q?PKSA-fs5b-x5k4-1h39=20for=20PHP=20=E2=89=A4?= =?UTF-8?q?=208.2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/update_and_migration/from_4.6/update_from_4.6.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index a2b8490f51..5ae7a9ba52 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -672,6 +672,8 @@ For security reasons, it's highly recommenced to update `twig/twig` and `twig/in For more information, see the following security advisories: +* PHP 8.2 and older + * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * PHP 8.0 and PHP 7.4 * [PKSA-5k7f-wvjj-jrgw](https://packagist.org/security-advisories/PKSA-5k7f-wvjj-jrgw) * [PKSA-sjvz-tbbr-vwth](https://packagist.org/security-advisories/PKSA-sjvz-tbbr-vwth) @@ -690,7 +692,6 @@ For more information, see the following security advisories: * [PKSA-n7sg-8f52-pqtf](https://packagist.org/security-advisories/PKSA-n7sg-8f52-pqtf) * [PKSA-8kk8-h2xr-h5nx](https://packagist.org/security-advisories/PKSA-8kk8-h2xr-h5nx) * [PKSA-2rbx-bjdx-4d4d](https://packagist.org/security-advisories/PKSA-2rbx-bjdx-4d4d) - * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * PHP 7.4 only * [PKSA-fbvq-z33h-r2np](https://packagist.org/security-advisories/PKSA-fbvq-z33h-r2np) * [PKSA-g9zw-qxh8-pq8w](https://packagist.org/security-advisories/PKSA-g9zw-qxh8-pq8w) From bc5bf11914af260f50e2fc696d87928cb076a08e Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:32:18 +0200 Subject: [PATCH 2/7] =?UTF-8?q?PKSA-fs5b-x5k4-1h39=20for=20PHP=20=E2=89=A4?= =?UTF-8?q?=208.2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../from_4.6/update_from_4.6.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 5ae7a9ba52..ed3557b449 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -668,7 +668,7 @@ Run the provided SQL upgrade script to update your database: ### Update Twig to v3.26.0 -For security reasons, it's highly recommenced to update `twig/twig` and `twig/intl-extra` to version v3.26.0 or higher. +For security reasons, it's highly recommenced to update `twig/twig`, `twig/intl-extra`, and `twig/cssinliner-extra` to version v3.26.0 or higher. For more information, see the following security advisories: @@ -699,33 +699,29 @@ For more information, see the following security advisories: * [PKSA-1tmc-rt7x-12w6](https://packagist.org/security-advisories/PKSA-1tmc-rt7x-12w6) * [PKSA-xx6c-6d96-db2w](https://packagist.org/security-advisories/PKSA-xx6c-6d96-db2w) -To use these packages in versions not affected by security vulnerabilities, PHP 8.1 is the minimum required version. +To use these packages in versions not affected by security vulnerabilities, PHP 8.3 is the minimum required version. For projects meeting this requirement, you can update the packages with Composer. -If you're using PHP 7.4 or 8.0, to do the [[= product_name =]] update, you have two options: +If you're using PHP 8.2 or an older version, to do the [[= product_name =]] update, you have two options: #### Update PHP, the custom code, then the platform (recommended) -Make sure to use PHP 8.1 or higher. Since PHP 8.1 has reached its End of Life (EOL), it's recommended that you use PHP 8.2 or higher. -Migrate custom code to be compatible with PHP 8.1 or higher, for example by using [Rector](https://github.com/rectorphp/rector). +Make sure to use PHP 8.3 or higher. Since PHP 8.1 has reached its End of Life (EOL), it's recommended that you use PHP 8.2 or higher. +Migrate custom code to be compatible with PHP 8.3 or higher, for example by using [Rector](https://github.com/rectorphp/rector). Then, update Ibexa DXP. #### Implement other countermeasures If updating the Twig packages isn't possible, for example, because the project is using PHP 7.4 or 8.0 where the fixes are not available, review the security issues carefully and assess the danger. -If you choose to implement countermeasures without upgrading PHP and updating Twig, you can silence the advisories in `composer.json`: +If you choose to implement countermeasures without upgrading PHP and updating Twig, you can silence the advisories in `composer.json`. For example, here for PHP 7.4: ```json "config": { "audit": { "ignore": { - "PKSA-fbvq-z33h-r2np": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-g9zw-qxh8-pq8w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-yd6k-t2gh-1m43": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-1tmc-rt7x-12w6": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-xx6c-6d96-db2w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-fs5b-x5k4-1h39": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-5k7f-wvjj-jrgw": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-sjvz-tbbr-vwth": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-h8hf-ytnd-5t9q": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", @@ -743,7 +739,11 @@ If you choose to implement countermeasures without upgrading PHP and updating Tw "PKSA-n7sg-8f52-pqtf": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-8kk8-h2xr-h5nx": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-2rbx-bjdx-4d4d": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-fs5b-x5k4-1h39": "Description of the countermeasures you've implemented causing this one to be safe to ignore." + "PKSA-fbvq-z33h-r2np": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-g9zw-qxh8-pq8w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-yd6k-t2gh-1m43": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-1tmc-rt7x-12w6": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-xx6c-6d96-db2w": "Description of the countermeasures you've implemented causing this one to be safe to ignore." } } } From fb84debfad42f37d52fe49a7439ae9dc8333ee3b Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Fri, 3 Jul 2026 11:09:50 +0200 Subject: [PATCH 3/7] PKSA-fs5b-x5k4-1h39 for ibexa/share with PHP 8.2- --- .../update_and_migration/from_4.6/update_from_4.6.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index c327166117..6a19a308fa 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -672,9 +672,8 @@ For security reasons, it's highly recommenced to update `twig/twig`, `twig/intl- For more information, see the following security advisories: -* PHP 8.2 and older - * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * PHP 8.0 and PHP 7.4 + * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * [PKSA-5k7f-wvjj-jrgw](https://packagist.org/security-advisories/PKSA-5k7f-wvjj-jrgw) * [PKSA-sjvz-tbbr-vwth](https://packagist.org/security-advisories/PKSA-sjvz-tbbr-vwth) * [PKSA-h8hf-ytnd-5t9q](https://packagist.org/security-advisories/PKSA-h8hf-ytnd-5t9q) @@ -753,7 +752,7 @@ In addition, consider upgrading your project to one of [the actively supported P ## v4.6.31 -No additional steps needed. + ## LTS Updates @@ -1020,3 +1019,10 @@ To use the [latest features](ibexa_dxp_v4.6.md) added to them, update them separ ```bash composer require ibexa/fieldtype-richtext-rte:[[= latest_tag_4_6 =]] ibexa/ckeditor-premium:[[= latest_tag_4_6 =]] ``` + + ## v4.6.30 + + For security reason, [update Twig to v3.26.0](#update-twig-to-v3260). + When using Collaborative editing, this security advisories affects more PHP versions, including PHP 8.2 and older versions: + + * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) From 1ff5fe19e0b4093901851e39d07c0beca9163f57 Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Fri, 3 Jul 2026 11:14:58 +0200 Subject: [PATCH 4/7] PKSA-fs5b-x5k4-1h39 for ibexa/share with PHP 8.2- --- .../from_4.6/update_from_4.6.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 6a19a308fa..50447b5c6a 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -668,12 +668,11 @@ Run the provided SQL upgrade script to update your database: ### Update Twig to v3.26.0 -For security reasons, it's highly recommenced to update `twig/twig`, `twig/intl-extra`, and `twig/cssinliner-extra` to version v3.26.0 or higher. +For security reasons, it's highly recommenced to update `twig/twig` and `twig/intl-extra` to version v3.26.0 or higher. For more information, see the following security advisories: * PHP 8.0 and PHP 7.4 - * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * [PKSA-5k7f-wvjj-jrgw](https://packagist.org/security-advisories/PKSA-5k7f-wvjj-jrgw) * [PKSA-sjvz-tbbr-vwth](https://packagist.org/security-advisories/PKSA-sjvz-tbbr-vwth) * [PKSA-h8hf-ytnd-5t9q](https://packagist.org/security-advisories/PKSA-h8hf-ytnd-5t9q) @@ -691,6 +690,7 @@ For more information, see the following security advisories: * [PKSA-n7sg-8f52-pqtf](https://packagist.org/security-advisories/PKSA-n7sg-8f52-pqtf) * [PKSA-8kk8-h2xr-h5nx](https://packagist.org/security-advisories/PKSA-8kk8-h2xr-h5nx) * [PKSA-2rbx-bjdx-4d4d](https://packagist.org/security-advisories/PKSA-2rbx-bjdx-4d4d) + * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * PHP 7.4 only * [PKSA-fbvq-z33h-r2np](https://packagist.org/security-advisories/PKSA-fbvq-z33h-r2np) * [PKSA-g9zw-qxh8-pq8w](https://packagist.org/security-advisories/PKSA-g9zw-qxh8-pq8w) @@ -698,16 +698,16 @@ For more information, see the following security advisories: * [PKSA-1tmc-rt7x-12w6](https://packagist.org/security-advisories/PKSA-1tmc-rt7x-12w6) * [PKSA-xx6c-6d96-db2w](https://packagist.org/security-advisories/PKSA-xx6c-6d96-db2w) -To use these packages in versions not affected by security vulnerabilities, PHP 8.3 is the minimum required version. +To use these packages in versions not affected by security vulnerabilities, PHP 8.1 is the minimum required version. For projects meeting this requirement, you can update the packages with Composer. -If you're using PHP 8.2 or an older version, to do the [[= product_name =]] update, you have two options: +If you're using PHP 7.4 or 8.0, to do the [[= product_name =]] update, you have two options: #### Update PHP, the custom code, then the platform (recommended) -Make sure to use PHP 8.3 or higher. Since PHP 8.1 has reached its End of Life (EOL), it's recommended that you use PHP 8.2 or higher. -Migrate custom code to be compatible with PHP 8.3 or higher, for example by using [Rector](https://github.com/rectorphp/rector). +Make sure to use PHP 8.1 or higher. Since PHP 8.1 has reached its End of Life (EOL), it's recommended that you use PHP 8.2 or higher. +Migrate custom code to be compatible with PHP 8.1 or higher, for example by using [Rector](https://github.com/rectorphp/rector). Then, update Ibexa DXP. #### Implement other countermeasures @@ -752,7 +752,7 @@ In addition, consider upgrading your project to one of [the actively supported P ## v4.6.31 - +No additional steps needed. ## LTS Updates @@ -1022,7 +1022,7 @@ To use the [latest features](ibexa_dxp_v4.6.md) added to them, update them separ ## v4.6.30 - For security reason, [update Twig to v3.26.0](#update-twig-to-v3260). + For security reason, [update `twig/cssinliner-extra` to v3.26.0](#update-twig-to-v3260). When using Collaborative editing, this security advisories affects more PHP versions, including PHP 8.2 and older versions: * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) From 80c0be8b306291e84903d05e29efd065b99bef9d Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Fri, 3 Jul 2026 11:21:11 +0200 Subject: [PATCH 5/7] PKSA-8zx5-v2nz-58pb --- docs/update_and_migration/from_4.6/update_from_4.6.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 50447b5c6a..0145ddaf90 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -673,6 +673,7 @@ For security reasons, it's highly recommenced to update `twig/twig` and `twig/in For more information, see the following security advisories: * PHP 8.0 and PHP 7.4 + * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * [PKSA-5k7f-wvjj-jrgw](https://packagist.org/security-advisories/PKSA-5k7f-wvjj-jrgw) * [PKSA-sjvz-tbbr-vwth](https://packagist.org/security-advisories/PKSA-sjvz-tbbr-vwth) * [PKSA-h8hf-ytnd-5t9q](https://packagist.org/security-advisories/PKSA-h8hf-ytnd-5t9q) @@ -690,7 +691,6 @@ For more information, see the following security advisories: * [PKSA-n7sg-8f52-pqtf](https://packagist.org/security-advisories/PKSA-n7sg-8f52-pqtf) * [PKSA-8kk8-h2xr-h5nx](https://packagist.org/security-advisories/PKSA-8kk8-h2xr-h5nx) * [PKSA-2rbx-bjdx-4d4d](https://packagist.org/security-advisories/PKSA-2rbx-bjdx-4d4d) - * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * PHP 7.4 only * [PKSA-fbvq-z33h-r2np](https://packagist.org/security-advisories/PKSA-fbvq-z33h-r2np) * [PKSA-g9zw-qxh8-pq8w](https://packagist.org/security-advisories/PKSA-g9zw-qxh8-pq8w) @@ -752,7 +752,12 @@ In addition, consider upgrading your project to one of [the actively supported P ## v4.6.31 -No additional steps needed. +### Security + +To [update Twig to v3.26.0](#update-twig-to-v3260) is still highly recommended. +If you use PHP 8.0 or 7.4, there is one more security advisory to take into account: + +* [PKSA-8zx5-v2nz-58pb](https://packagist.org/security-advisories/PKSA-8zx5-v2nz-58pb) ## LTS Updates From b83315fc23accaff2b312edb8bf7540a664175f3 Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Fri, 3 Jul 2026 11:25:30 +0200 Subject: [PATCH 6/7] Fix heading level --- docs/update_and_migration/from_4.6/update_from_4.6.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 0145ddaf90..89a3677b0a 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -1025,7 +1025,7 @@ To use the [latest features](ibexa_dxp_v4.6.md) added to them, update them separ composer require ibexa/fieldtype-richtext-rte:[[= latest_tag_4_6 =]] ibexa/ckeditor-premium:[[= latest_tag_4_6 =]] ``` - ## v4.6.30 + #### v4.6.30 For security reason, [update `twig/cssinliner-extra` to v3.26.0](#update-twig-to-v3260). When using Collaborative editing, this security advisories affects more PHP versions, including PHP 8.2 and older versions: From 2bb87cad6abc48a25a4141389c21eb8b000fa59d Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Fri, 3 Jul 2026 11:40:45 +0200 Subject: [PATCH 7/7] code_samples.yaml: Add PKSA-8zx5-v2nz-58pb --- .github/workflows/code_samples.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/code_samples.yaml b/.github/workflows/code_samples.yaml index b0f1e22e2d..2528cd7f36 100644 --- a/.github/workflows/code_samples.yaml +++ b/.github/workflows/code_samples.yaml @@ -75,7 +75,8 @@ jobs: "PKSA-g9zw-qxh8-pq8w": "As this is for code quality tests and not to run a production DXP, this can be ignored.", "PKSA-yd6k-t2gh-1m43": "As this is for code quality tests and not to run a production DXP, this can be ignored.", "PKSA-1tmc-rt7x-12w6": "As this is for code quality tests and not to run a production DXP, this can be ignored.", - "PKSA-xx6c-6d96-db2w": "As this is for code quality tests and not to run a production DXP, this can be ignored." + "PKSA-xx6c-6d96-db2w": "As this is for code quality tests and not to run a production DXP, this can be ignored.", + "PKSA-8zx5-v2nz-58pb": "As this is for code quality tests and not to run a production DXP, this can be ignored." }' - name: Ignore audit advisory for PHP 8.2