Composer Security audit failure: firebase/php-jwt #407

@jennquen

SDK you're using (please complete the following information):

  • Version 3.0 but looks to still be relevant on 10.4

Describe the bug
Not loading due to security audit flag on firebase/php-jwt version

  Problem 1
    - Root composer.json requires xeroapi/xero-php-oauth2 ^10.4 -> satisfiable by xeroapi/xero-php-oauth2[10.4.0].      
    - xeroapi/xero-php-oauth2 10.4.0 requires firebase/php-jwt ^6.0 -> found firebase/php-jwt[v6.0.0, ..., v6.11.1] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-y2cr-5h3j-g3ys") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Tried forcing firebase/php-jwt ^7.0 but to no avail

  Problem 1
    - Root composer.json requires xeroapi/xero-php-oauth2 ^10.4.0 -> satisfiable by xeroapi/xero-php-oauth2[10.4.0].    
    - xeroapi/xero-php-oauth2 10.4.0 requires firebase/php-jwt ^6.0 -> found firebase/php-jwt[v6.0.0, ..., v6.11.1] but it conflicts with your root composer.json require (^7.0).

To Reproduce
Steps to reproduce the behavior:

  1. Go to any project with xeroapi/xero-php-oauth2
  2. delete composer.lock (or don't have one) or change xeroapi/xero-php-oauth2 version number in composer
  3. Run composer install or composer update
  4. See error

Expected behavior
System to load without needing to ignore a security advisory

Additional context
Ignoring the audit issue does work as a temporary measure
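
The Composer output above offers two workarounds: ignoring the single advisory, or setting "block-insecure" to false for everything. The following is an added example, not part of the original report or of the SDK: a small Python check that reviews the `config.audit` section of a composer.json and flags the blanket switch and any ignored advisory with no recorded reason. The two sample files and the reason text are constructed for illustration, and the object form of an ignore entry is assumed to carry a `reason` key.

```python
import json

# Constructed sample composer.json files (not taken from the issue).
SCOPED = """{
  "require": {"xeroapi/xero-php-oauth2": "^10.4"},
  "config": {"audit": {"ignore": {
    "PKSA-y2cr-5h3j-g3ys": "temporary: xero-php-oauth2 10.4.0 requires php-jwt ^6.0"
  }}}
}"""
BLANKET = """{
  "require": {"xeroapi/xero-php-oauth2": "^10.4"},
  "config": {"audit": {"block-insecure": false,
                       "ignore": ["PKSA-y2cr-5h3j-g3ys"]}}
}"""


def review_audit_config(composer_json: str) -> list[str]:
    """Return findings for audit settings that weaken advisory blocking."""
    audit = json.loads(composer_json).get("config", {}).get("audit", {})
    findings = []

    # Turning block-insecure off disables blocking for every dependency,
    # not only the package named in the error message.
    if audit.get("block-insecure") is False:
        findings.append("block-insecure is false: blocking is off for all packages")

    # "ignore" may be a plain list of advisory IDs or a map of ID -> reason.
    ignore = audit.get("ignore", [])
    entries = {adv: None for adv in ignore} if isinstance(ignore, list) else ignore

    for adv, reason in entries.items():
        if isinstance(reason, dict):  # assumed object form with a "reason" key
            reason = reason.get("reason")
        if not (isinstance(reason, str) and reason.strip()):
            findings.append(f"{adv}: ignored without a recorded reason")
    return findings


if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("blanket", BLANKET)):
        print(name, review_audit_config(doc) or "ok")
```

Run in CI against the repository's composer.json, this keeps a temporary ignore visible and tied to a reason until the dependency constraint allows an unaffected release.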
