feat: add key size validation by bshaffer · Pull Request #613 · firebase/php-jwt

but then we also need to opt out of composer block-insecure

I don't understand what this means, can you explain it? You should be able to just pin to ^6.0 of this library in composer.json. If the block-insecure is required because of the vulnerability, then that's the whole reason for the fix.

We have an automated deployment system that automatically updates and creates new projects with a fresh composer.json.

When it starts, it now throws:

No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires ourlibrary
    - ourlibrary require firebase/php-jwt ^6.8 -> found firebase/php-jwt[v6.8.0, ..., v6.11.1] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-y2cr-5h3j-g3ys") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

So there is currently NO way to run composer install/update without any manual interactions. We can't "opt out" by keeping this library at 6.x, because that is blocked by composer. This change is a critical backwards compatibility break.
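For reference, the two ways out that the Composer error message above offers, written as a `composer.json` fragment. This is an added example for this thread, not configuration from the php-jwt project or from either commenter; the package name `ourlibrary` and the constraint `^6.8` are taken from the quoted error, and the advisory ID `PKSA-y2cr-5h3j-g3ys` is the one Composer itself names. Which branch is appropriate is a risk decision: the first keeps the security audit active and records an explicit acceptance of this one advisory, the second switches the protection off for every package.

```json
{
    "require": {
        "ourlibrary": "*"
    },
    "config": {
        "audit": {
            "ignore": [
                "PKSA-y2cr-5h3j-g3ys"
            ],
            "block-insecure": true
        }
    },
    "_comment_block_insecure_false": "Alternative, broader opt-out (not recommended): replace the audit block with {\"block-insecure\": false}; every advisory for every package is then ignored during install/update."
}
```

With the `ignore` entry, `composer install`/`composer update` resolves `firebase/php-jwt` in the `^6.8` range again, but the advisory is still reported by `composer audit`, so the exception stays visible until the dependency is moved to a release that is not affected. The `_comment_…` key is a plain JSON member that Composer does not interpret; it is there only to document the alternative inline.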