Upgrade symfony/dependency-injection

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. GHSA-pgwj-prpq-jpc2
kreait · Nov 19, 2019 · 697d992 · 697d992
1 parent 6dd8050
commit 697d992
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # CHANGELOG
 
+## Unreleased
+
+* Upgraded [symfony/dependency-injection](https://packagist.org/packages/symfony/dependency-injection) to avoid
+  [CVE-2019-10910](https://github.com/advisories/GHSA-pgwj-prpq-jpc2)
+
 ## 1.6.0 - 2019-11-09
 
 * Each Firebase SDK component is now individually registered and accessible ([#16](https://github.com/kreait/firebase-bundle/pull/16)).

diff --git a/composer.json b/composer.json
@@ -13,7 +13,7 @@
     ],
     "require": {
         "kreait/firebase-php": "^4.35",
-        "symfony/dependency-injection": "^2.8|^3.4|^4.0",
+        "symfony/dependency-injection": "^2.8.50|^3.4.26|^4.1.12",
         "symfony/config": "^2.8|^3.4|^4.0",
         "symfony/http-kernel": "^2.8|^3.4|^4.0"
     },