[FP]: Spatie Laravel packages are matched as Laravel framework #7602

sigv · 2025-04-15T10:33:30Z

Package URl

pkg:composer/spatie/[email protected]

CPE

cpe:2.3:a:laravel:laravel:3.7.3:*:*:*:*:*:*:*

CVE

CVE-2018-15133

ODC Integration

{"label" => "CLI"}

ODC Version

12.1.1

Description

Spatie provides various Laravel (PHP) packages. Quoting their website:

[Spatie has] created more than 500 packages for Laravel and PHP. These packages have been downloaded a whopping 1.58 billion times!

Their naming scheme follows spatie/laravel-project-name format, where all project names are prefixed with laravel. This however results in a match for laravel/framework project, even if it's really spatie/laravel-sluggable or other. There is no shared versioning scheme, as the framework has latest version at v12.8.1, while the Sluggable extension by Spatie has latest version at 3.7.4.

The text was updated successfully, but these errors were encountered:

sigv added the FP Report label Apr 15, 2025

sigv changed the title ~~[FP]: composer.lock (, ): (8.1)~~ [FP]: Spatie Laravel packages are matched as Laravel framework Apr 15, 2025

sigv mentioned this issue Apr 15, 2025

fix(fp): FP for spatie/laravel-* #7603

Merged

jeremylong closed this as completed Apr 15, 2025

sigv mentioned this issue Apr 22, 2025

chore: Manually add the suppressions from #7603 to the published suppressions #7613

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[FP]: Spatie Laravel packages are matched as Laravel framework #7602

[FP]: Spatie Laravel packages are matched as Laravel framework #7602

sigv commented Apr 15, 2025 •

edited

Loading

[FP]: Spatie Laravel packages are matched as Laravel framework #7602

[FP]: Spatie Laravel packages are matched as Laravel framework #7602

Comments

sigv commented Apr 15, 2025 • edited Loading

Package URl

CPE

CVE

ODC Integration

ODC Version

Description

sigv commented Apr 15, 2025 •

edited

Loading