Hi, a few days ago on May 21, 2026, the PHP framework Symfony published 19 CVEs: https://symfony.com/blog/claude-mythos-audited-symfony-and-found-19-vulnerabilities.
When running composer audit, I can see the vulnerable versions. However, I did not see any Dependabot alerts. My understanding is that Dependabot looks at this repository to determine what to fix?
I am not sure if this applies only to Symfony or if it applies more broadly to the whole PHP/Composer ecosystem.
For example, GHSA-55rj-x2vc-4whq does not exist in the repository: https://github.com/search?q=repo%3Agithub%2Fadvisory-database%20%22GHSA-55rj-x2vc-4whq%22&type=code
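One way to check the discrepancy described above for a whole lockfile rather than one id at a time, as an added example that is not part of the original post and not code from Composer, Symfony or GitHub: feed the output of `composer audit --format=json` to a script that pulls every GHSA id the report references and asks the GitHub global advisories REST endpoint (`GET /advisories/{ghsa_id}`) whether GitHub has a reviewed record of it. Dependabot alerts are only raised for advisories that are in the GitHub Advisory Database as reviewed, so anything that comes back `missing` or `unreviewed` is an advisory `composer audit` (which reads Packagist's advisory feed) will flag but Dependabot will not. The JSON layout in `SAMPLE_AUDIT`, the `type` field read from the API response, and the advisory entries themselves are assumptions and constructed test data, not real advisory contents.

```python
"""Cross-check `composer audit --format=json` against the GitHub Advisory Database.

Added example; not code from the original post, Composer, Symfony or GitHub.
Assumes the audit JSON layout shown in SAMPLE_AUDIT and that the GitHub
endpoint GET /advisories/{ghsa_id} returns a JSON object with a "type" field
("reviewed", "unreviewed" or "malware"). SAMPLE_AUDIT is constructed data.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict

GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")

# Constructed sample shaped like `composer audit --format=json` (assumed layout).
# The second entry carries its GHSA id only in "link", to exercise the fallback.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "symfony/http-foundation": [{
            "advisoryId": "PKSA-constructed-0001",
            "packageName": "symfony/http-foundation",
            "affectedVersions": ">=7.0.0,<7.2.9",
            "title": "Constructed advisory for illustration",
            "cve": "CVE-2026-00000",
            "link": "https://example.invalid/advisory-1",
            "sources": [
                {"name": "GitHub", "remoteId": "GHSA-55rj-x2vc-4whq"},
                {"name": "FriendsOfPHP/security-advisories",
                 "remoteId": "symfony/http-foundation/CVE-2026-00000.yaml"},
            ],
        }],
        "symfony/routing": [{
            "advisoryId": "PKSA-constructed-0002",
            "packageName": "symfony/routing",
            "affectedVersions": "<6.4.20",
            "title": "Constructed advisory for illustration",
            "cve": None,
            "link": "https://github.com/advisories/GHSA-abcd-ef12-3456",
            "sources": [{"name": "FriendsOfPHP/security-advisories",
                         "remoteId": "symfony/routing/constructed.yaml"}],
        }],
    },
    "abandoned": {},
})


def ghsa_ids_from_audit(audit_json: str) -> Dict[str, str]:
    """Map every GHSA id referenced by the audit report to the package it hits."""
    report = json.loads(audit_json)
    found: Dict[str, str] = {}
    for package, advisories in report.get("advisories", {}).items():
        for adv in advisories:
            for src in adv.get("sources", []):
                rid = src.get("remoteId") or ""
                if src.get("name") == "GitHub" and GHSA_RE.fullmatch(rid):
                    found[rid] = package
            # Fallback: some entries only mention the GHSA id in their link.
            m = GHSA_RE.search(adv.get("link") or "")
            if m:
                found.setdefault(m.group(0), package)
    return found


def github_advisory_status(ghsa_id: str) -> str:
    """Live lookup: 'reviewed', 'unreviewed', 'malware', or 'missing' on HTTP 404."""
    req = urllib.request.Request(
        f"https://api.github.com/advisories/{ghsa_id}",
        headers={"Accept": "application/vnd.github+json",
                 "User-Agent": "ghsa-crosscheck-example"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp).get("type", "unknown")
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return "missing"
        raise


def find_unalertable(audit_json: str,
                     lookup: Callable[[str], str] = github_advisory_status) -> Dict[str, str]:
    """GHSA ids from the audit that are not GitHub-reviewed, with their status.

    Dependabot alerts are generated from reviewed advisories only, so every id
    returned here is one `composer audit` reports but Dependabot will not.
    """
    return {g: s for g in sorted(ghsa_ids_from_audit(audit_json))
            if (s := lookup(g)) != "reviewed"}


if __name__ == "__main__":
    # Usage: composer audit --format=json | python ghsa_crosscheck.py
    data = SAMPLE_AUDIT if sys.stdin.isatty() else sys.stdin.read()
    for ghsa, status in find_unalertable(data).items():
        print(f"{ghsa}: {status} in GitHub Advisory Database (no Dependabot alert)")
```

Two caveats when reading the result: the live lookup needs network access and is rate-limited unauthenticated, so add an `Authorization: Bearer` header from a token for more than a handful of ids; and even a `reviewed` advisory only produces an alert if the repository has a committed `composer.lock` that Dependabot can parse and alerts are enabled for it.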