
Bump Saloon to v4#13

Merged: mdpoulter merged 1 commit into 1.x from saloon-4 on May 24, 2026

Conversation

@mdpoulter (Member)

Summary

Bumps saloonphp/saloon to ^4.0 and saloonphp/pagination-plugin to ^2.3 (the Saloon-4-compatible tag, matching the pin used by simplesquid/saloonphp-odata).

Resolves three open advisories against Saloon < 4.0:

| CVE | Severity | Title |
| --- | --- | --- |
| CVE-2026-33942 | High | Insecure deserialization in AccessTokenAuthenticator |
| CVE-2026-33183 | Medium | Fixture-name path traversal |
| CVE-2026-33182 | Medium | SSRF / credential leakage via absolute-URL endpoint override |

Source compatibility

All Saloon imports used by this SDK are namespace-stable from Saloon 3 → 4:

  • Saloon\Http\{Connector,Request,Response,PendingRequest}
  • Saloon\Contracts\{Authenticator,Body\HasBody}
  • Saloon\Traits\Body\{HasJsonBody,HasMultipartBody}
  • Saloon\Traits\Plugins\AcceptsJson
  • Saloon\Traits\OAuth2\AuthorizationCodeGrant
  • Saloon\Helpers\OAuth2\OAuthConfig
  • Saloon\Data\MultipartValue
  • Saloon\Enums\Method
  • Saloon\PaginationPlugin\{Paginator,OffsetPaginator,Contracts\HasPagination,Contracts\HasRequestPagination,Contracts\Paginatable}

No src/ edits required.

Test plan

  • composer update --no-interaction resolves to saloon v4.0.0 + pagination-plugin v2.3.0
  • Reflection load of every connector / paginator / request that previously imported Saloon
  • vendor/bin/pest passes
  • composer audit reports no advisories

🤖 Generated with Claude Code

Resolves three CVEs against Saloon < 4.0:
- CVE-2026-33942 (high): AccessTokenAuthenticator insecure deserialization
- CVE-2026-33183 (medium): fixture-name path traversal
- CVE-2026-33182 (medium): SSRF via absolute-URL endpoint override

All Saloon imports used by this SDK (Connector, Request, Response,
HasBody, HasJsonBody, HasMultipartBody, MultipartValue, Method,
Authenticator, OAuthConfig, AuthorizationCodeGrant, paginator
contracts, Paginator/OffsetPaginator base classes) are namespace
stable from Saloon 3 to 4, so no src/ changes are required.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mdpoulter mdpoulter merged commit 6cd522d into 1.x May 24, 2026
2 checks passed
@mdpoulter mdpoulter deleted the saloon-4 branch May 24, 2026 14:45
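The test plan above verifies the bump by hand (composer update, then composer audit). As an added example, not part of this PR or of the SDK, the following Python script reads composer.lock, where the resolved versions live (composer.json only records the ^4.0 and ^2.3 constraints), and fails if either Saloon package resolved below the floor the PR describes. The version floors, the sample lock contents and the function names are assumptions chosen for illustration; the check consults no advisory database, so it complements composer audit rather than replacing it.

```python
"""Verify that composer.lock resolved the Saloon packages to versions at or
above the floors this PR sets: saloonphp/saloon >= 4.0.0 (the advisories
are against Saloon < 4.0) and saloonphp/pagination-plugin >= 2.3.0 (the
Saloon-4-compatible pin). Example code, not the SDK's own tooling."""
import json
import re
import sys
from typing import Optional

# Assumed floors taken from the PR description, not from an advisory feed.
MIN_VERSIONS = {
    "saloonphp/saloon": "4.0.0",
    "saloonphp/pagination-plugin": "2.3.0",
}

# Constructed sample of the relevant part of a composer.lock; it is not the
# project's real lock file and lists only a few packages.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "saloonphp/saloon", "version": "v4.0.0"},
        {"name": "saloonphp/pagination-plugin", "version": "v2.3.0"},
        {"name": "guzzlehttp/guzzle", "version": "7.9.2"},
    ],
    "packages-dev": [
        {"name": "pestphp/pest", "version": "v3.5.1"},
    ],
})


def parse_version(tag: str) -> Optional[tuple]:
    """Turn a Composer tag such as 'v4.0.0' or '4.0.0-beta.1' into a
    comparable tuple. Branch aliases like 'dev-main' return None: they
    carry no number and must never be treated as satisfying a floor."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$", tag)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    # A pre-release sorts below the final release of the same number,
    # so 4.0.0-beta.1 does not pass a 4.0.0 floor.
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def check_lock(lock_json: str, minimums=MIN_VERSIONS) -> dict:
    """Return {package: status} for each package in `minimums`.

    Status is 'ok', 'vulnerable' (resolved below the floor), 'missing'
    (not installed in either section) or 'unparseable' (branch alias)."""
    lock = json.loads(lock_json)
    installed = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            installed[pkg["name"]] = pkg["version"]

    result = {}
    for name, floor in minimums.items():
        if name not in installed:
            result[name] = "missing"
            continue
        resolved = parse_version(installed[name])
        if resolved is None:
            result[name] = "unparseable"
        elif resolved < parse_version(floor):
            result[name] = "vulnerable"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    # Usage: python check_saloon_lock.py [path/to/composer.lock]
    # Without an argument the constructed sample is checked.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_LOCK
    statuses = check_lock(text)
    for name, status in statuses.items():
        print(f"{name}: {status}")
    sys.exit(0 if all(s == "ok" for s in statuses.values()) else 1)
```

Run it in CI after composer update so a downgrade of either package (or a resolution to a dev branch alias) fails the build independently of whether the advisory database has caught up.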