Secure: Updated vendor packages; Temporary security workaround as per:

SpartnerNL/Laravel-Excel#4192
tcytra · Sep 3, 2024 · f392b7c · f392b7c
1 parent 1616e84
commit f392b7c
Show file tree

Hide file tree

Showing 5 changed files with 194 additions and 214 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,14 @@ The enraiged-laravel starter framework will be moving into v0.4.x soon with a fu
 
 ---
 
+2024-09-03 : 0.3.10  
+Update: Correct security vulnerability in phpoffice/phpspreadsheet
+
+- Updated composer to properly install secure packages
+- Added phpspreadsheet patch to ensure table exports are working
+
+---
+
 2024-08-14 : 0.3.9  
 Update: Correct high-severity alert for axios; Upgrade to php8.3
 

diff --git a/README.md b/README.md
@@ -46,6 +46,22 @@ Install the vendor packages:
 composer install
 ```
 
+**Please Note:** This build currently requires a temporary fix as a workaround for a security vulnerability with 
+phpoffice/phpspreadsheet <2.2.1. The composer.json is requiring mwikberg-virta/Laravel-Excel as a substitute for 
+maatwebsite/excel in order to satisfy roave/security-advisories. Further, a patch is required in order to prevent 
+errors from phpoffice/phpspreadsheet when triggering table exports.
+
+Apply the patch:
+
+```
+patch -Nr - --version-control none -p0 < patches/phpspreadsheet-2.2.2-temporary-fix-for-laravel-excel-3.1.patch
+```
+
+Reverse this change (if necessary) by using -Rp0 in the above command instead of -p0.
+
+This workaround will be removed when a permanent, secure solution is available with maatwebsite/excel and 
+phpoffice/phpspreadsheet.
+
 
 ### Init Environment
 

diff --git a/composer.json b/composer.json
@@ -4,21 +4,27 @@
     "description": "The Enraiged Laravel Framework.",
     "keywords": ["enraiged", "framework", "inertiajs", "laravel", "primevue"],
     "license": "MIT",
+    "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/mwikberg-virta/Laravel-Excel.git"
+        }
+    ],
     "require": {
         "php": "^8.3",
-        "guzzlehttp/guzzle": "^7.2",
+        "guzzlehttp/guzzle": "^7.9",
         "inertiajs/inertia-laravel": "^1.3",
         "laravel/framework": "^10.48",
         "laravel/sanctum": "^3.3",
-        "laravel/tinker": "^2.8",
+        "laravel/tinker": "^2.9",
         "maatwebsite/excel": "^3.1",
-        "phpoffice/phpspreadsheet": "^1.29"
+        "phpoffice/phpspreadsheet": "^2.2.2"
     },
     "require-dev": {
-        "fakerphp/faker": "^1.23.0",
-        "laravel/pint": "^1.10.3",
-        "laravel/sail": "^1.18",
-        "mockery/mockery": "^1.6.12",
+        "fakerphp/faker": "^1.23",
+        "laravel/pint": "^1.17",
+        "laravel/sail": "^1.31",
+        "mockery/mockery": "^1.6",
         "nunomaduro/collision": "^7.10",
         "phpunit/phpunit": "^10.5",
         "roave/security-advisories": "dev-latest",