Patched Security Vulnerability in Passport v13 applied to Passport v12

[nickforshee]

Passport Version

12.4.3

Laravel Version

11.50.0

PHP Version

8.2

Database Driver & Version

No response

Description

Regarding the patched vulnerability in v13.7.1 referenced here: GHSA-349c-2h2f-mxf6, is there plans to patch v12.4 as well? We don't yet have our upgrade to the latest version of Laravel available and the vulnerability is blocking our CI/CD pipeline.

Steps To Reproduce

composer update requiring "laravel/passport": "^12.4"

[hafezdivandari]

No need, because it only happens with league/oauth2-server 9.x which is not supported on Laravel Passport 12.x

Actually the Affected versions is: >13.0.0 and <13.7.1

cc @pushpak1300

[crynobone]

We are working to get this approved: github/advisory-database#7338

[crynobone]

A temporary alternative, you can add the following to composer.json:

    "config": {
        "audit": {
            "ignore": [
                "GHSA-349c-2h2f-mxf6"
            ]
        }
    },

[pushpak1300]

This has been resolved in packagist. https://packagist.org/packages/laravel/passport