diff --git a/CHANGELOG.md b/CHANGELOG.md
index aad297a..02faca3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # CHANGELOG
 
+## Unreleased
+
+* Upgraded [symfony/dependency-injection](https://packagist.org/packages/symfony/dependency-injection) to avoid
+  [CVE-2019-10910](https://github.com/advisories/GHSA-pgwj-prpq-jpc2)
+
 ## 1.6.0 - 2019-11-09
 
 * Each Firebase SDK component is now individually registered and accessible ([#16](https://github.com/kreait/firebase-bundle/pull/16)).
diff --git a/composer.json b/composer.json
index 68f883c..25c044b 100644
--- a/composer.json
+++ b/composer.json
@@ -13,7 +13,7 @@
     ],
     "require": {
         "kreait/firebase-php": "^4.35",
-        "symfony/dependency-injection": "^2.8|^3.4|^4.0",
+        "symfony/dependency-injection": "^2.8.50|^3.4.26|^4.1.12",
         "symfony/config": "^2.8|^3.4|^4.0",
         "symfony/http-kernel": "^2.8|^3.4|^4.0"
     },