composer更新提示有：发现1个影响1个软件包的安全漏洞公告。

[hulang]

所属功能组件

其它

ThinkPHP 版本

8.0.4

操作系统

win11

错误信息

@big-dream

Found 1 security vulnerability advisory affecting 1 package.
我的composer.json

{
    "name": "topthink/think",
    "description": "the new thinkphp framework",
    "type": "project",
    "keywords": [
        "framework",
        "thinkphp",
        "ORM"
    ],
    "homepage": "https://www.thinkphp.cn/",
    "license": "Apache-2.0",
    "authors": [
        {
            "name": "liu21st",
            "email": "[email protected]"
        },
        {
            "name": "yunwuxin",
            "email": "[email protected]"
        }
    ],
    "require": {
        "php": ">=8.0.0",
        "ext-fileinfo": "*",
        "ext-ftp": "*",
        "ext-json": "*",
        "ext-curl": "*",
        "ext-sodium": "*",
        "ext-zlib": "*",
        "topthink/framework": "^8.0",
        "topthink/think-orm": "^3.0",
        "topthink/think-multi-app": "^1.0.0",
        "topthink/think-view": "^2.0"
    },
    "require-dev": {
        "symfony/var-dumper": ">=4.2",
        "topthink/think-trace": "^1.0"
    },
    "autoload": {
        "psr-4": {
            "app\\": "app"
        },
        "psr-0": {
            "": "extend/"
        }
    },
    "config": {
        "preferred-install": "dist",
        "optimize-autoloader": true
    },
    "scripts": {
        "post-autoload-dump": [
            "@php think service:discover",
            "@php think vendor:publish"
        ]
    }
}

其它说明

No response

[big-dream]

相关信息：

• A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. #3059
• GHSA-f4wh-359g-4pq7

---

不知道怎么评价，只能说可以无需理会。框架层面很难避免这个问题，因为主要是开发者自身有很大的因素，相当于直接在项目里写 exec($_GET['x'])。
建议熟读安全指南《ThinkPHP开发指北（三）安全篇》做好相关处理基本都不会有太大问题

PS：以上仅代表个人观点

[hulang]

@big-dream
项目是一个空项目，操作方式
我是直接下载：https://github.com/top-think/think
把需要的

"topthink/think-multi-app": "^1.0.0",
"topthink/think-view": "^2.0"

加上后。。。
然后使用命令：composer update -vvv
就提示那个了。。。我关闭了。。。