[SECURITY] Pin dependency shuchkin/simplexlsx to 1.1.11 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
shuchkin/simplexlsx	require	pin	^1.0 -> 1.1.11

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-55878

Impact

When calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code.

Patches

The supplied patch resolves this vulnerability for SimpleXLSX. Use 1.1.12

Workarounds

Don't use direct publication via toHTMLEx

---

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.

---

Configuration

📅 Schedule: Branch creation - "after 6am and before 9am every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: serve-web/composer.lock

Command failed: composer install --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Your lock file does not contain a compatible set of packages. Please run composer update.

  Problem 1
    - phpspec/prophecy is locked to version v1.19.0 and an update of this package was not requested.
    - phpspec/prophecy v1.19.0 requires php ^7.2 || 8.0.* || 8.1.* || 8.2.* || 8.3.* -> your php version (8.4.1) does not satisfy that requirement.
  Problem 2
    - phpspec/prophecy-phpunit is locked to version v2.2.0 and an update of this package was not requested.
    - phpspec/prophecy v1.19.0 requires php ^7.2 || 8.0.* || 8.1.* || 8.2.* || 8.3.* -> your php version (8.4.1) does not satisfy that requirement.
    - phpspec/prophecy-phpunit v2.2.0 requires phpspec/prophecy ^1.18 -> satisfiable by phpspec/prophecy[v1.19.0].