Prerequisites
Describe the issue
I’m using kinde-oss/kinde-auth-php in a Laravel project. Composer 2.9+ now blocks installation of packages that depend on versions with known security advisories.
Your package currently requires firebase/php-jwt ^6.10. All 6.x versions are affected by security advisory PKSA-y2cr-5h3j-g3ys (weak encryption / CWE-326, related to CVE-2025-45769). The fix is in firebase/php-jwt 7.0+, but the Kinde SDK constrains the dependency to ^6.10, so we can’t upgrade.
As a result, our builds fail unless we ignore this advisory in Composer’s audit config, which we’d prefer not to do for security reasons.
Could you please update kinde-oss/kinde-auth-php to support firebase/php-jwt ^7.0 (or ^6.10 || ^7.0 if you need to keep 6.x compatibility for older PHP)? That would allow users to stay on a non-vulnerable JWT version and pass Composer’s security check.
Library URL
https://github.com/kinde-oss/kinde-php-sdk/
Library version
Latest
Operating system(s)
macOS
Operating system version(s)
Tahoe
Further environment details
No response
Reproducible test case URL
No response
Additional information
I raised this with support, they asked me to post this here too.
Prerequisites
Describe the issue
I’m using kinde-oss/kinde-auth-php in a Laravel project. Composer 2.9+ now blocks installation of packages that depend on versions with known security advisories.
Your package currently requires firebase/php-jwt ^6.10. All 6.x versions are affected by security advisory PKSA-y2cr-5h3j-g3ys (weak encryption / CWE-326, related to CVE-2025-45769). The fix is in firebase/php-jwt 7.0+, but the Kinde SDK constrains the dependency to ^6.10, so we can’t upgrade.
As a result, our builds fail unless we ignore this advisory in Composer’s audit config, which we’d prefer not to do for security reasons.
Could you please update kinde-oss/kinde-auth-php to support firebase/php-jwt ^7.0 (or ^6.10 || ^7.0 if you need to keep 6.x compatibility for older PHP)? That would allow users to stay on a non-vulnerable JWT version and pass Composer’s security check.
Library URL
https://github.com/kinde-oss/kinde-php-sdk/
Library version
Latest
Operating system(s)
macOS
Operating system version(s)
Tahoe
Further environment details
No response
Reproducible test case URL
No response
Additional information
I raised this with support, they asked me to post this here too.