Skip to content

chore(deps): update dependency phpunit/phpunit to v10.5.62 [security] #610

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency phpunit/phpunit to v10.5.62 [security] #610

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 28, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
phpunit/phpunit (source) 10.5.2710.5.62 age confidence

GitHub Vulnerability Alerts

CVE-2026-24765

Overview

A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test.

Technical Details

Affected Component: PHPT test runner, method cleanupForCoverage()
Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7

Vulnerable Code Pattern

if ($buffer !== false) {
    // Unsafe call without restrictions
    $coverage = @&#8203;unserialize($buffer);
}

The vulnerability occurs when a .coverage file, which should not exist before test execution, is deserialized without the allowed_classes parameter restriction. An attacker with local file write access can place a malicious serialized object with a __wakeup() method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.

Attack Prerequisites and Constraints

This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:

  • CI/CD Pipeline Attacks: A malicious pull request that places a .coverage file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
  • Local Development Environment: An attacker with shell access or ability to write files to the project directory
  • Compromised Dependencies: A supply chain attack inserting malicious files into a package or monorepo

Critical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.

Proposed Remediation Approach

Rather than just silently sanitizing the input via ['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing .coverage files for PHPT tests as an error condition.

Rationale for Error-Based Approach:

  1. Visibility Over Silence: When an invariant is violated (a .coverage file existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input
  2. Operational Security: A .coverage file should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:
    • A malicious actor placed it intentionally
    • Build artifacts from a previous run contaminated the environment
    • An unexpected filesystem state requiring investigation
  3. Defense-in-Depth Principle: Protecting a single deserialization call does not address the fundamental attack surface. Proper mitigations for PPE attacks lie outside PHPUnit's scope:
    • Isolate CI/CD runners (ephemeral, containerized environments)
    • Restrict code execution on protected branches
    • Scan pull requests and artifacts for tampering
    • Use branch protection rules to prevent unreviewed code execution

Severity Classification

  • Attack Vector (AV): Local (L) — requires write access to the file system where tests execute
  • Attack Complexity (AC): Low (L) — exploitation is straightforward once the malicious file is placed
  • Privileges Required (PR): Low (L) — PR submitter status or contributor role provides sufficient access
  • User Interaction (UI): None (N) — automatic execution during standard test execution
  • Scope (S): Unchanged (U) — impact remains within the affected test execution context
  • Confidentiality Impact (C): High (H) — full remote code execution enables complete system compromise
  • Integrity Impact (I): High (H) — arbitrary code execution allows malicious modifications
  • Availability Impact (A): High (H) — full code execution permits denial-of-service actions

Mitigating Factors (Environmental Context)

Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:

  • Ephemeral Runners: Use containerized, single-use CI/CD runners that discard filesystem state between runs
  • Code Review Enforcement: Require human review and approval before executing code from pull requests
  • Branch Protection: Enforce branch protection rules that block unreviewed code execution
  • Artifact Isolation: Separate build artifacts from source; never reuse artifacts across independent builds
  • Access Control: Limit file write permissions in CI environments to authenticated, trusted actors

Fixed Behaviour

When a .coverage file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:

  • Visibility: The error appears prominently in CI/CD output and test logs
  • Investigation: Operations teams can investigate the root cause (potential tampering, environment contamination)
  • Fail-Fast Semantics: Test execution stops rather than proceeding with an unexpected state

Recommendation

Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:

  • Pull requests from forks or untrusted sources execute in isolated environments
  • Branch protection rules require human review before code execution
  • CI/CD runners are ephemeral and discarded after each build
  • Build artifacts are not reused across independent runs without validation

Release Notes

sebastianbergmann/phpunit (phpunit/phpunit)

v10.5.62: PHPUnit 10.5.62

Compare Source

Changed
  • To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.61: PHPUnit 10.5.61

Compare Source

Changed
  • PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.60: PHPUnit 10.5.60

Compare Source

  • No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #​1139

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.59: PHPUnit 10.5.59

Compare Source

Changed
  • #​6338: Removed code from PHPUnit\Runner\TestSuiteSorter that was only used in the tests for this class
  • Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.58: PHPUnit 10.5.58

Compare Source

Fixed
  • #​6368: failOnPhpunitWarning="false" has no effect

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.57: PHPUnit 10.5.57

Compare Source

  • No changes; phpunit.phar rebuilt with updated dependencies

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.56: PHPUnit 10.5.56

Compare Source

  • No changes; phpunit.phar rebuilt with updated dependencies

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.55: PHPUnit 10.5.55

Compare Source

Changed
  • #​6366: Exclude __sleep() and __wakeup() from test double code generation on PHP >= 8.5

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.54: PHPUnit 10.5.54

Compare Source

Changed
  • Do not use __sleep() method (which will be deprecated in PHP 8.5)

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.53

Compare Source

v10.5.52: PHPUnit 10.5.52

Compare Source

Changed
  • #​6321: Allow error_reporting=E_ALL for --check-php-configuration

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.51: PHPUnit 10.5.51

Compare Source

Changed
  • #​6308: Improve output of --check-php-configuration
  • The version number for the test result cache file has been incremented to reflect that its structure for PHPUnit 10.5 is not compatible with its structure for PHPUnit 8.5 and PHPUnit 9.6

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.50: PHPUnit 10.5.50

Compare Source

Changed
  • #​6300: Emit warning when the name of a data provider method begins with test
  • Do not use SplObjectStorage methods that will be deprecated in PHP 8.5

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.49: PHPUnit 10.5.49

Compare Source

Added
  • #​6297: --check-php-configuration CLI option for checking whether PHP is configured for testing
Fixed
  • Errors due to invalid data provided using #[TestWith] or #[TestWithJson] attributes are now properly reported

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

v10.5.48: PHPUnit 10.5.48

Compare Source

Fixed
  • #​6254: defects,randomconfiguration is supported by implementation, but it is not allowed by the XML configuration file schema

How to install or update PHPUnit

v10.5.47: PHPUnit 10.5.47

Compare Source

Added
  • #​6236: failOnPhpunitWarning attribute on the <phpunit> element of the XML configuration file and --fail-on-phpunit-warning CLI option for controlling whether PHPUnit should fail on PHPUnit warnings (default: true)
  • #​6239: --do-not-fail-on-deprecation, --do-not-fail-on-phpunit-warning, --do-not-fail-on-phpunit-deprecation, --do-not-fail-on-empty-test-suite, --do-not-fail-on-incomplete, --do-not-fail-on-notice, --do-not-fail-on-risky, --do-not-fail-on-skipped, and --do-not-fail-on-warning CLI options
  • --do-not-report-useless-tests CLI option as a replacement for --dont-report-useless-tests
Deprecated
  • --dont-report-useless-tests CLI option (use --do-not-report-useless-tests instead)
Fixed
  • #​6243: Constraints cannot be implemented without using internal class ExpectationFailedException

How to install or update PHPUnit

v10.5.46: PHPUnit 10.5.46

Compare Source

Added
  • displayDetailsOnAllIssues attribute on the <phpunit> element of the XML configuration file and --display-all-issues CLI option for controlling whether PHPUnit should display details on all issues that are triggered (default: false)
  • failOnAllIssues attribute on the <phpunit> element of the XML configuration file and --fail-on-all-issues CLI option for controlling whether PHPUnit should fail on all issues that are triggered (default: false)
Changed
  • #​5956: Improved handling of deprecated E_STRICT constant
  • Improved message when test is considered risky for printing unexpected output

How to install or update PHPUnit

v10.5.45: PHPUnit 10.5.45

Compare Source

Changed
  • #​6117: Include source location information for issues triggered during test in --debug output
  • #​6119: Improve message for errors that occur while parsing attributes

How to install or update PHPUnit

v10.5.44: PHPUnit 10.5.44

Compare Source

Fixed
  • #​6115: Backed enumerations with values not of type string cannot be used in customized TestDox output

How to install or update PHPUnit

v10.5.43: PHPUnit 10.5.43

Compare Source

Changed
  • Do not skip execution of test that depends on a test that is larger than itself

How to install or update PHPUnit

v10.5.42: PHPUnit 10.5.42

Compare Source

Fixed
  • #​6103: Output from test run in separate process is printed twice
  • #​6109: Skipping a test in a before-class method crashes JUnit XML logger
  • #​6111: Deprecations cause SourceMapper to scan all <source/> files

How to install or update PHPUnit

v10.5.41: PHPUnit 10.5.41

Compare Source

Added
  • Test\AfterLastTestMethodErrored, Test\AfterTestMethodErrored, Test\BeforeTestMethodErrored, Test\PostConditionErrored, and Test\PreConditionErrored events
Fixed
  • #​6094: Errors in after-last-test methods are not reported
  • #​6095: Expectation is not counted correctly when a doubled method is called more often than is expected
  • #​6098: No system-out element in JUnit XML logfile

How to install or update PHPUnit

v10.5.40: PHPUnit 10.5.40

Compare Source

Fixed
  • #​6082: assertArrayHasKey(), assertArrayNotHasKey(), arrayHasKey(), and ArrayHasKey::__construct() do not support all possible key types
  • #​6087: --migrate-configuration does not remove beStrictAboutTodoAnnotatedTests attribute from XML configuration file

How to install or update PHPUnit

v10.5.39: PHPUnit 10.5.39

Compare Source

Added
  • #​6081: DefaultResultCache::mergeWith() for merging result cache instances
Fixed
  • #​6066: TeamCity logger does not handle error/skipped events in before-class methods correctly

How to install or update PHPUnit

v10.5.38: PHPUnit 10.5.38

Compare Source

Changed
  • #​6012: Remove empty lines between TeamCity events

How to install or update PHPUnit

v10.5.37: PHPUnit 10.5.37

Compare Source

Fixed

How to install or update PHPUnit

v10.5.36: PHPUnit 10.5.36

Compare Source

Changed
  • #​5957: Skip data provider build when requirements are not satisfied
  • #​5969: Check for requirements before creating a separate process
  • Updated regular expressions used by StringMatchesFormatDescription constraint to be consistent with PHP's run-tests.php
Fixed
  • #​5965: PHPUnit\Framework\Exception does not handle string error codes (PDOException with error code 'HY000', for example)

How to install or update PHPUnit

v10.5.35: PHPUnit 10.5.35

Compare Source

Changed
  • #​5956: Deprecation of the E_STRICT constant in PHP 8.4
Fixed
  • #​5950: TestDox text should not be trim()med when it contains $ character
  • The attribute parser will no longer try to instantiate attribute classes that do not exist

How to install or update PHPUnit

v10.5.34: PHPUnit 10.5.34

Compare Source

Fixed
  • #​5931: Reverted addition of name property on <testsuites> element in JUnit XML logfile
  • #​5946: Callback throws a TypeError when checking a callable has variadic parameters

How to install or update PHPUnit

v10.5.33: PHPUnit 10.5.33

Compare Source

Fixed
  • #​4584: assertJsonStringEqualsJsonString() considers objects with sequential numeric keys equal to be arrays
  • #​4625: Generator yielding keys that are neither integer or string leads to hard-to-understand error message when used as data provider
  • #​4674: JSON assertions should treat objects as unordered
  • #​5891: Callback constraint does not handle variadic arguments correctly when used for mock object expectations
  • #​5929: TestDox output containing $ at the beginning gets truncated when used with a data provider

How to install or update PHPUnit

v10.5.32: PHPUnit 10.5.32

Compare Source

Added
  • #​5937: failOnPhpunitDeprecation attribute on the <phpunit> element of the XML configuration file and --fail-on-phpunit-deprecation CLI option for controlling whether PHPUnit deprecations should be considered when determining the test runner's shell exit code (default: do not consider)
  • displayDetailsOnPhpunitDeprecations attribute on the <phpunit> element of the XML configuration file and --display-phpunit-deprecations CLI option for controlling whether details on PHPUnit deprecations should be displayed (default: do not display)
Changed
  • #​5937: PHPUnit deprecations will, by default, no longer affect the test runner's shell exit code. This can optionally be turned back on using the --fail-on-phpunit-deprecation CLI option or the failOnPhpunitDeprecation="true" attribute on the <phpunit> element of the XML configuration file.
  • Details for PHPUnit deprecations will, by default, no longer be displayed. This can optionally be turned back on using the --display-phpunit-deprecations CLI option or the displayDetailsOnPhpunitDeprecations attribute on the <phpunit> element of the XML configuration file.

How to install or update PHPUnit

v10.5.31: PHPUnit 10.5.31

Compare Source

Changed
  • #​5931: name property on <testsuites> element in JUnit XML logfile
  • Removed .phpstorm.meta.php file as methods such as TestCase::createStub() use generics / template types for their return types and PhpStorm, for example, uses that information
Fixed
  • #​5884: TestDox printer does not consider that issues can be suppressed by attribute, baseline, source location, or @ operator

How to install or update PHPUnit

v10.5.30: PHPUnit 10.5.30

Compare Source

Changed
  • Improved error message when stubbed method is called more often than return values were configured for it

How to install or update PHPUnit

v10.5.29: PHPUnit 10.5.29

Compare Source

Fixed
  • #​5887: Issue baseline generator does not correctly handle ignoring suppressed issues
  • #​5908: --list-tests and --list-tests-xml CLI options do not report error when data provider method throws exception

How to install or update PHPUnit

v10.5.28: PHPUnit 10.5.28

Compare Source

Fixed
  • #​5898: Test\Passed event is not emitted for PHPT tests
  • --coverage-filter CLI option could not be used multiple times

How to install or update PHPUnit

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants