From 4eac368cf2d81ca52ef99c275c91d12ca672bba4 Mon Sep 17 00:00:00 2001
From: Matthew Poulter
Date: Sun, 24 May 2026 16:08:17 +0200
Subject: [PATCH] Bump Saloon to v4 and pagination-plugin to ^2.3
Resolves three CVEs against Saloon < 4.0:
- CVE-2026-33942 (high): AccessTokenAuthenticator insecure deserialization
- CVE-2026-33183 (medium): fixture-name path traversal
- CVE-2026-33182 (medium): SSRF via absolute-URL endpoint override
All Saloon imports used by this SDK (Connector, Request, Response, HasBody, HasJsonBody, HasMultipartBody, MultipartValue, Method, Authenticator, OAuthConfig, AuthorizationCodeGrant, paginator contracts, Paginator/OffsetPaginator base classes) are namespace stable from Saloon 3 to 4, so no src/ changes are required.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 composer.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/composer.json b/composer.json
index 899ef48..5bd912e 100644
--- a/composer.json
+++ b/composer.json
@@ -21,8 +21,8 @@
 ],
 "require": {
 "php": "^8.2",
- "saloonphp/pagination-plugin": "^2.0",
- "saloonphp/saloon": "^3.0"
+ "saloonphp/pagination-plugin": "^2.3",
+ "saloonphp/saloon": "^4.0"
 },
 "require-dev": {
 "laravel/pint": "^1.13",
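Review bot: Namespace stability, the only justification the message gives for leaving src/ untouched, does not cover behavioural changes between Saloon 3 and 4 behind the new `"saloonphp/saloon": "^4.0"` constraint. The fixes named in the message presumably tighten how absolute-URL endpoints and serialized authenticators are handled, so any SDK request that resolves a full URL (a pagination "next" link, for example) and any caller that stores a serialized authenticator should be exercised against v4 before release. Because the constraint no longer admits 3.x, consumers still requiring Saloon 3 cannot install this version; that is the right outcome for the listed CVEs, but the release should be tagged and documented as a breaking dependency change. The diffstat shows only composer.json changed, so whether the test suite or a dependency audit ran against the new versions cannot be confirmed from this patch.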