
[5.x]: Craft CMS dependency (webonyx/graphql-php) security advisory #18700

@MisterMike

What happened?

Description

A security advisory for webonyx/graphql-php was published a few days ago, affecting versions <= 15.31.4 of webonyx/graphql-php. Craft CMS is currently using ~14.11.10. If using the roave security advisories composer package, it is now not possible to run composer update.

Steps to reproduce

  1. Use a project that requires Craft CMS with a semver constraint that would request 5.9.14
  2. Run composer update
  3. The following composer dependency error will occur:

     Your requirements could not be resolved to an installable set of packages.

       Problem 1
         - Root composer.json requires craftcms/cms ^5.8.20 -> satisfiable by craftcms/cms[5.9.14, ..., 5.x-dev].
         - craftcms/cms[5.9.14, ..., 5.x-dev] require webonyx/graphql-php ~14.11.10 -> found webonyx/graphql-php[v14.11.10] but these were not loaded, because they are affected by security advisories ("PKSA-7h5p-prw9-w5nr"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Expected behavior

No composer dependency errors.

Actual behavior

Composer dependency error, installation/updating not possible

Craft CMS version

5.9.14

PHP version

8.4

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

  • not applicable
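An added illustration of the two Composer escape hatches the error message above names; this is not from the issue, from Craft CMS or from webonyx/graphql-php. Both settings live under `config.audit` in the project's composer.json. The advisory ID is the one quoted in the resolver error; the reason string is an assumption, and the object form of `ignore` (ID mapped to a reason) is assumed to require a Composer release recent enough to support it, so on older Composer use a plain array of IDs instead. Ignoring the single advisory keeps blocking in place for every other package, whereas `block-insecure: false` switches the protection off project-wide.

```json
{
    "name": "example/craft-project",
    "require": {
        "craftcms/cms": "^5.8.20"
    },
    "config": {
        "audit": {
            "ignore": {
                "PKSA-7h5p-prw9-w5nr": "webonyx/graphql-php is pinned to ~14.11.10 by craftcms/cms; remove this entry once Craft raises its constraint (reason text is an assumption)"
            },

            "block-insecure": true
        }
    }
}
```

The weaker alternative the error message mentions, `"block-insecure": false`, would let `composer update` proceed without the ignore entry but also stops Composer from blocking any future advisory. With the targeted ignore in place, `composer update` resolves again, and `composer audit` continues to report other advisories while omitting the ignored ID, so track the ignore entry and drop it when the upstream constraint moves.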
