
Conversation

@abnegate

@abnegate abnegate commented Jan 14, 2026

Summary by CodeRabbit

  • Chores
    • Updated framework dependency to the latest version.


@coderabbitai

coderabbitai bot commented Jan 14, 2026

Walkthrough

This pull request updates a single dependency in composer.json, changing the required version of "utopia-php/framework" from 0.33.36 to 0.33.37. No other dependencies or configuration changes are included. This is a patch-level version increment for the framework package with no modifications to application logic, code structure, or additional requirements.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Update framework' accurately describes the main change in the PR, which is updating the utopia-php/framework dependency from 0.33.36 to 0.33.37.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.




@abnegate abnegate merged commit 95a937a into master Jan 14, 2026
3 of 4 checks passed
@abnegate abnegate deleted the chore-bump-framework branch January 14, 2026 14:00

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@composer.json`:
- Line 18: The composer dependency "utopia-php/framework": "0.33.37" is pinned
to a version with a critical RCE vulnerability; update the version spec for the
package name utopia-php/framework to at least ">=0.34.7" (recommended) or
preferably to the latest stable "1.2.0", then run composer update to install the
patched release and verify tests/builds.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14b0027 and f35e861.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • composer.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Unit & E2E


"php": ">=8.0",
"ext-swoole": "*",
"utopia-php/framework": "0.33.36"
"utopia-php/framework": "0.33.37"
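Review bot: The new pin `"utopia-php/framework": "0.33.37"` still sits inside the affected range this review itself cites (v0.20.0 through v0.34.6, fixed in v0.34.7, AIKIDO-2025-10433), so a patch-level bump within the 0.33 series does not move the project off the vulnerable versions; the constraint should be raised to `>=0.34.7` or the latest stable 1.2.0 as recommended. Two follow-ups: composer.lock is excluded from review by the `!**/*.lock` path filter, so the locked version should be confirmed separately (for example with `composer audit`), and the merge went ahead with the 'Unit & E2E' check having timed out rather than passed (3 of 4 checks), so the bump has no test evidence behind it yet.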

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

utopia-php/framework 0.33.37 release notes changelog

💡 Result:

I can fetch that — do you want the full changelog text for v0.33.37, or just a summary and links to the release/CHANGELOG?


🌐 Web query:

utopia-php/framework latest version 2026

💡 Result:

Latest release of utopia-php/framework (as of January 14, 2026) is 1.2.0 — released October 21, 2025. [1]

Sources:
[1] Packagist: utopia-php/framework (release 1.2.0, 2025-10-21).


🌐 Web query:

utopia-php/framework security advisories vulnerabilities

💡 Result:

Summary — known/security-relevant items for utopia-php/framework

  • Remote Code Execution (RCE) reported affecting utopia-php/framework v0.20.0 → v0.34.6; fixed in v0.34.7 (reported by Aikido; no public CVE listed). [1]
  • Package information and current releases available on Packagist (use composer to check installed version and upgrade to >=0.34.7 or the latest published release). [2]
  • Use the PHP security-advisories DB / local security checker to scan composer.lock for known advisories. [3]
  • Older unrelated “Utopia” PHP projects (different vendors/projects) have historic advisories (examples include CVE-2005-3201 and CVE-2007-3129) — verify your project’s exact package name to avoid confusion. [4][5]

Recommended actions

  • If you use utopia-php/framework, upgrade to the fixed release (>=0.34.7) or the latest version on Packagist. [1][2]
  • Run a composer-based vulnerability scan (FriendsOfPHP local-php-security-checker / GitHub Dependabot or similar) against your composer.lock. [3]
  • If you need, I can: 1) check your composer.lock for affected versions, or 2) fetch the exact changelog/patch note that fixed the RCE. Which would you like?

Sources
[1] Aikido advisory (AIKIDO-2025-10433) — utopia-php/framework RCE (fixed in 0.34.7).
[2] Packagist — utopia-php/framework package page (release info).
[3] FriendsOfPHP security-advisories (PHP security checker tooling).
[4] NVD / CVE-2005-3201 (historic Utopia-related entry).
[5] FullDisclosure / CVE-2007-3129 (historic Utopia News Pro XSS).


Do not merge — critical security vulnerability in 0.33.37.

This version is affected by a Remote Code Execution (RCE) vulnerability (AIKIDO-2025-10433) that impacts utopia-php/framework v0.20.0 through v0.34.6. Version 0.33.37 is within the vulnerable range. The RCE was fixed in v0.34.7.

Upgrade to at least v0.34.7, or preferably to the latest stable version 1.2.0 (released October 21, 2025).

🤖 Prompt for AI Agents
In `@composer.json` at line 18, the composer dependency "utopia-php/framework": "0.33.37" is pinned to a version with a critical RCE vulnerability; update the version spec for the package name utopia-php/framework to at least ">=0.34.7" (recommended) or preferably to the latest stable "1.2.0", then run composer update to install the patched release and verify tests/builds.
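A local check of the kind the review above recommends, written as an added example (not CodeRabbit's, Aikido's or the utopia-php project's own code): it parses a composer.lock, orders versions the way Composer does for plain semver tags, and reports any locked package whose version falls inside an advisory's affected range. The composer.lock excerpt and the advisory table are constructed here; the range for utopia-php/framework is the one quoted in the review.

```python
import json
import re

# Constructed composer.lock excerpt, reduced to the fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "utopia-php/framework", "version": "0.33.37"},
        {"name": "utopia-php/cli", "version": "0.15.0"},
    ],
    "packages-dev": [],
})

# Advisory data as quoted in the review: affected from `first` (inclusive)
# through `last_affected` (inclusive); `fixed` is the first safe release.
ADVISORIES = {
    "utopia-php/framework": {
        "id": "AIKIDO-2025-10433",
        "first": "0.20.0", "last_affected": "0.34.6", "fixed": "0.34.7",
    },
}

def version_key(version):
    """Turn '0.33.37' or 'v1.2.0' into a comparable key.
    Missing components count as 0 (1.2 == 1.2.0) and a pre-release
    suffix such as '1.0.0-RC1' sorts below the final 1.0.0."""
    core, _, pre = version.lstrip("vV").partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core)) or (0,)
    nums = nums + (0,) * (3 - len(nums))
    return nums, ((0, pre) if pre else (1, ""))

def in_range(version, first, last_affected):
    """True when `version` lies inside the inclusive affected range."""
    return version_key(first) <= version_key(version) <= version_key(last_affected)

def audit_lock(lock_json, advisories):
    """Return (package, locked version, advisory id, fixed version) for
    every locked package (prod and dev) that is inside an affected range."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            adv = advisories.get(pkg["name"])
            if adv and in_range(pkg["version"], adv["first"], adv["last_affected"]):
                findings.append((pkg["name"], pkg["version"], adv["id"], adv["fixed"]))
    return findings

if __name__ == "__main__":
    for name, ver, adv_id, fixed in audit_lock(SAMPLE_LOCK, ADVISORIES):
        print(f"{name} {ver} is affected by {adv_id}; upgrade to >={fixed}")
```

In a real project `composer audit` performs the same comparison against the Packagist advisory database; the script only makes the range logic visible for the case discussed here.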
