chore(deps): update dependency livewire/livewire to v2.12.7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
livewire/livewire	2.10.7 → 2.12.7

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-47823

In livewire/livewire prior to v2.12.7 and v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., image/png) and a “.php” file extension.
If the following criteria are met, the attacker can carry out an RCE attack:

• Filename is composed of the original file name using $file->getClientOriginalName()
• Files stored directly on your server in a public storage disk
• Webserver is configured to execute “.php” files

PoC

In the following scenario, an attacker could upload a file called shell.php with an image/png MIME type and execute it on the remote server.

class SomeComponent extends Component
{
    use WithFileUploads;

    #[Validate('image|extensions:png')]
    public $file;

    public function save()
    {
        $this->validate();

        $this->file->storeAs(
            path: 'images',
            name: $this->file->getClientOriginalName(),
            options: ['disk' => 'public'],
        );
    }
}

---

Release Notes

livewire/livewire (livewire/livewire)

v2.12.7

Compare Source

What's Changed

• [V2] Add failing tests for TestableLivewire by @​austincarpenter in #​6512
• [V2] Fix TemporaryUploadedFile::dimensions return type by @​ruudz in #​7879

New Contributors

• @​ruudz made their first contribution in #​7879

Full Changelog: livewire/livewire@v2.12.6...v2.12.7

v2.12.6

Compare Source

What's Changed

• [v2] Revert "[v2] Fix extension guessing (#​6011)"

Full Changelog: livewire/livewire@v2.12.5...v2.12.6

v2.12.5

Compare Source

What's Changed

• [v2] Fix for imageSize method on TemporaryUploadedFile to support dimensions validation rule by @​jordanhavard in #​6083

Full Changelog: livewire/livewire@v2.12.4...v2.12.5

v2.12.4

Compare Source

What's Changed

• [v2] Fix extension guessing by @​nuernbergerA in #​6011
• [v2] Add imageSize method on TemporaryUploadedFile to support dimensions validation rule by @​gdebrauwer in #​5896

Full Changelog: livewire/livewire@v2.12.3...v2.12.4

v2.12.3

Compare Source

• Added missing component resolver to resolve expensive components JIT

Full Changelog: livewire/livewire@v2.12.2...v2.12.3

v2.12.2

Compare Source

What's Changed

• Add locale prefix to fix localised route paths by @​joshhanley in #​5589

Full Changelog: livewire/livewire@v2.12.1...v2.12.2

v2.12.1

Compare Source

What's Changed

• Fix persistent middleware redirect issue by @​joshhanley in #​5574

Full Changelog: livewire/livewire@v2.12.0...v2.12.1

v2.12.0

Compare Source

What's Changed

• Support anonymous class component registration by @​calebporzio in #​5567

Full Changelog: livewire/livewire@v2.11.3...v2.12.0

v2.11.3

Compare Source

What's Changed

• Fix persistent middleware type error on Laravel 10 by @​joshhanley in #​5561

Full Changelog: livewire/livewire@v2.11.2...v2.11.3

v2.11.2

Compare Source

What's Changed

• Revert "Fix multiword deep nesting relations by @​joshhanley in #​5525"

Full Changelog: livewire/livewire@v2.11.1...v2.11.2

v2.11.1

Compare Source

What's Changed

• Fix multiword deep nesting relations by @​joshhanley in #​5525
• Bugfix for #​5420 - allow multiple wire:dirty directives on a single element by @​samlev in #​5501
• Remove dot from command description by @​adevade in #​5524

New Contributors

• @​samlev made their first contribution in #​5501

Full Changelog: livewire/livewire@v2.11.0...v2.11.1

v2.11.0

Compare Source

What's Changed

• Fix failing tests due to Laravel decimal property rounding issues by @​joshhanley in #​5508
• Fix route matching issues by @​joshhanley in #​5490
• Laravel v10 Support by @​driesvints and @​27pchrisl in #​5507

Full Changelog: livewire/livewire@v2.10.8...v2.11.0

v2.10.8

Compare Source

What's Changed

• Change from nowdoc to heredoc on asset warning output by @​joshhanley in #​5173
• Check success before showing COMPONENT MOVED message by @​remeritus in #​5304
• Publish less files to packagist by @​NiclasvanEyk in #​5156
• Typo by @​JayBizzle in #​5145
• Fixes bug where null computed property is considered set by @​aidan-casey in #​5121
• Fix: Typed property must not be accessed before initialization by @​alexandre67fr in #​4957
• Fix Safari special character encoding issue by @​bobwurtz in #​4942
• Fix invalid array key for validate only by @​BBonnet22 in #​4941
• Livewire Best Practices (ReadMe Update) by @​michael-rubel in #​4922
• Add type=button to tailwind paginators by @​codemonkey76 in #​5331
• Fix localization url in HttpConnectionHandler.php by @​dennisvandalen in #​4570
• Add common OS generated files to .gitignore by @​jukkakoskinen in #​5369
• PHP 8.2 support by @​ariaieboy in #​5416
• Add StringNormalization support to arrays and collections to fix Safari checksum issues by @​Balsakup in #​5379

New Contributors

• @​remeritus made their first contribution in #​5304
• @​NiclasvanEyk made their first contribution in #​5156
• @​JayBizzle made their first contribution in #​5145
• @​aidan-casey made their first contribution in #​5121
• @​bobwurtz made their first contribution in #​4942
• @​BBonnet22 made their first contribution in #​4941
• @​michael-rubel made their first contribution in #​4922
• @​codemonkey76 made their first contribution in #​5331
• @​jukkakoskinen made their first contribution in #​5369
• @​Balsakup made their first contribution in #​5379

Full Changelog: livewire/livewire@v2.10.7...v2.10.8

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock

Command failed: composer update livewire/livewire:2.12.7 --with-dependencies --ignore-platform-req=ext-* --ignore-platform-req=lib-* --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Dependency laravel/framework is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - cviebrock/eloquent-sluggable is locked to version 9.0.0 and an update of this package was not requested.
    - cocur/slugify v4.2.0 requires php ^7.1 || ~8.0.0 || ~8.1.0 -> your php version (8.5.1) does not satisfy that requirement.
    - cviebrock/eloquent-sluggable 9.0.0 requires cocur/slugify ^4.0 -> satisfiable by cocur/slugify[v4.2.0].