From 697d9923ba86ee12cbaf1ef37c3354b54f4f5548 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Gamez?=
Date: Tue, 19 Nov 2019 15:45:41 +0100
Subject: [PATCH] Upgrade symfony/dependency-injection

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. https://github.com/advisories/GHSA-pgwj-prpq-jpc2
---
 CHANGELOG.md | 5 +++++
 composer.json | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index aad297a..02faca3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # CHANGELOG

+## Unreleased
+
+* Upgraded [symfony/dependency-injection](https://packagist.org/packages/symfony/dependency-injection) to avoid
+ [CVE-2019-10910](https://github.com/advisories/GHSA-pgwj-prpq-jpc2)
+
 ## 1.6.0 - 2019-11-09

 * Each Firebase SDK component is now individually registered and accessible ([#16](https://github.com/kreait/firebase-bundle/pull/16)).
diff --git a/composer.json b/composer.json
index 68f883c..25c044b 100644
--- a/composer.json
+++ b/composer.json
@@ -13,7 +13,7 @@
 ],
 "require": {
 "kreait/firebase-php": "^4.35",
- "symfony/dependency-injection": "^2.8|^3.4|^4.0",
+ "symfony/dependency-injection": "^2.8.50|^3.4.26|^4.1.12",
 "symfony/config": "^2.8|^3.4|^4.0",
 "symfony/http-kernel": "^2.8|^3.4|^4.0"
 },
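Review bot: The new `^4.1.12` alternative in the composer.json hunk still admits 4.2.0 through 4.2.6, which the commit message itself lists as affected ("4.2.x before 4.2.7"). A caret range on 4.1.12 accepts every later 4.x release, so a project locked to one of those versions, or one resolved with `--prefer-lowest`, still satisfies the constraint. Splitting the 4.x branch closes the gap: `"symfony/dependency-injection": "^2.8.50|^3.4.26|~4.1.12|^4.2.7",`. The `^2.8.50` and `^3.4.26` alternatives already match the patched floors given in the advisory text.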