@ChiragAgg5k ChiragAgg5k (Member) commented Dec 17, 2025

Summary by CodeRabbit

  • Chores
    • Updated core framework dependency to the latest minor version for improved stability and compatibility.
    • Adjusted internal library imports; no changes to public behavior or user-facing APIs.


@coderabbitai coderabbitai bot commented Dec 17, 2025

Walkthrough

The pull request updates composer.json to bump the utopia-php/framework dependency from 0.33.* to 0.34.*. It also adjusts PHP imports in two source files: src/Queue/Job.php switches its Hook import from Utopia\Hook to Utopia\Http\Hook, and src/Queue/Server.php switches Utopia\Hook to Utopia\Http\Hook and Utopia\Validator to Utopia\Http\Validator. No function signatures or public APIs were altered.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Review composer.json version bump for compatibility and intended upgrade.
  • Inspect src/Queue/Job.php import change to ensure Utopia\Http\Hook provides the same behavior/contract.
  • Inspect src/Queue/Server.php import changes for Utopia\Http\Hook and Utopia\Http\Validator to confirm APIs used match the new namespaces.
  • Run or verify tests/linting to catch any namespace-related runtime issues.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'chore: use framework 0.34' directly and accurately reflects the main change: updating the utopia-php/framework dependency from 0.33.* to 0.34.* along with corresponding namespace updates.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5659783 and 5b85860.

📒 Files selected for processing (2)
  • src/Queue/Job.php (1 hunks)
  • src/Queue/Server.php (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • src/Queue/Server.php
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Adapter Tests (Workerman)
  • GitHub Check: Adapter Tests (SwooleRedisCluster)
🔇 Additional comments (1)
src/Queue/Job.php (1)

5-5: Namespace update correctly applied and consistently migrated.

The import has been updated to reflect the framework 0.34 namespace structure. Verification confirms all old-style Utopia\Hook and Utopia\Validator imports have been removed from the codebase, and all instances now use the new Utopia\Http\Hook and Utopia\Http\Validator namespaces consistently.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 53f06d0 and 5659783.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • composer.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Adapter Tests (Swoole)
  • GitHub Check: Adapter Tests (Workerman)
  • GitHub Check: Adapter Tests (SwooleRedisCluster)

"php-amqplib/php-amqplib": "^3.7",
"utopia-php/console": "0.0.*",
"utopia-php/framework": "0.33.*",
"utopia-php/framework": "0.34.*",
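Review bot: the replacement constraint "utopia-php/framework": "0.34.*" on the last line still lets Composer resolve to 0.34.0 through 0.34.6, which the AIKIDO-2025-10433 advisory cited later in this thread lists as affected; tighten it to ">=0.34.7 <0.35" (or "^0.34.7") so the floor is the patched release, and since composer.lock is filtered out of review here (!**/*.lock), confirm the lock file actually resolves to 0.34.7 or later before merging.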
@coderabbitai coderabbitai bot commented Dec 17, 2025

⚠️ Potential issue | 🔴 Critical

Update version constraint to exclude vulnerable versions.

Version 0.34.* is available on Packagist, but there is a critical security concern: a high-severity vulnerability exists in versions 0.20.0 - 0.34.6 and is fixed in 0.34.7. The current constraint allows installing vulnerable versions. Update to "0.34.7.*" or higher to ensure the security fix is included.

🤖 Prompt for AI Agents
In composer.json around line 30, the dependency constraint
"utopia-php/framework": "0.34.*" allows installing vulnerable releases (0.20.0 -
0.34.6); update the constraint to require the patched series by changing it to
"0.34.7.*" or a safer range like ">=0.34.7 <0.35" (or bump to a later fixed
major/minor) so Composer will not install the vulnerable versions.

@ChiragAgg5k ChiragAgg5k (Member, Author) commented

link me to the security concern details

@coderabbitai coderabbitai bot commented

🧩 Analysis chain

🌐 Web query:

utopia-php/framework security vulnerability 0.34.6 0.34.7

💡 Result:

Short answer: Aikido's advisory reports a Remote Code Execution vulnerability affecting utopia-php/framework versions 0.20.0 through 0.34.6 and states it was fixed in 0.34.7. Upgrade to >= 0.34.7 (or apply the vendor patch) as soon as possible. [1][2]

Sources:

  • Aikido advisory (AIKIDO-2025-10433) — RCE in 0.20.0–0.34.6, fixed in 0.34.7. [1]
  • utopia-php/framework package page (maintainer/vendor contact & package info). [2]

🌐 Web query:

AIKIDO-2025-10433 utopia-php framework advisory

💡 Result:

Summary advisory — AIKIDO-2025-10433 (utopia-php/framework)

  • Issue: Remote Code Execution (RCE) in utopia-php/framework. [1]
  • Affected versions: 0.20.0 through 0.34.6. [1]
  • Fixed in: 0.34.7 — upgrade immediately to 0.34.7 or later. [1][2]
  • Mitigation steps:
    1. Pin/update composer to utopia-php/framework >=0.34.7 and deploy. Example: composer update utopia-php/framework. [2]
    2. If you cannot upgrade immediately, isolate/disable services using the vulnerable package and apply compensating network controls (WAF, restrict incoming requests) until patched.
    3. Audit logs and systems for suspicious activity if running affected versions. Treat as high-severity RCE. [1]
  • Vendor / repo references: Packagist / project pages for utopia-php/framework and Utopia PHP ecosystem. Use vendor security channel if needed (see package docs). [2][3]

Sources:
[1] Aikido intel — AIKIDO-2025-10433 (utopia-php/framework vulnerability, fixed in 0.34.7).
[2] Packagist — utopia-php/framework package information.
[3] Libraries.io / Utopia package pages (project docs and security contact).

🌐 Web query:

site:aikido.dev AIKIDO-2025-10433

💡 Result:

I found an Aikido Intel entry for AIKIDO-2025-10433:

  • Title / summary: utopia-php/framework — Remote Code Execution (RCE). [High severity]. [1]
  • Affected versions: 0.20.0 — 0.34.6. [1]
  • Fixed in: 0.34.7. [1]
  • CVE: none assigned (no CVE available). [1]
  • Aikido Intel / Aikido Fix listings show the vulnerability entry in their public vulnerability database. [2]

Sources: [1] Aikido Intel CVE page for AIKIDO-2025-10433; [2] Aikido Intel / Fix vulnerability database.

@ChiragAgg5k, here are the security concern details:

Advisory: AIKIDO-2025-10433 - Remote Code Execution (RCE) vulnerability in utopia-php/framework

Link: https://www.aikido.dev/intel/AIKIDO-2025-10433

Key Details:

  • Vulnerability Type: Remote Code Execution (High severity)
  • Affected Versions: 0.20.0 through 0.34.6
  • Fixed in: 0.34.7
  • No CVE assigned yet

Recommendation:
Update your composer.json constraint to "0.34.7.*" or "^0.34.7" to ensure only patched versions can be installed. The current constraint "0.34.*" would allow Composer to install vulnerable versions 0.34.0 through 0.34.6.
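
As an added example (not code from this PR or from the utopia-php project), the following Python models how Composer resolves the constraint forms discussed in this thread (wildcard, caret, explicit range) and checks each against the advisory's affected range 0.20.0 through 0.34.6; the release list is constructed, and 0.34.8 and 0.35.0 are hypothetical placeholders, not versions taken from the thread.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int, int]

# Constructed sample releases; 0.34.8 and 0.35.0 are hypothetical placeholders, not from the thread.
SAMPLE_RELEASES = ["0.33.0", "0.34.5", "0.34.6", "0.34.7", "0.34.8", "0.35.0"]

def parse_version(text: str) -> Version:
    """'0.34.7' -> (0, 34, 7, 0); Composer compares up to four zero-padded components."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def _bump(v: Version, index: int) -> Version:
    """Exclusive upper bound: increment component `index`, zero everything after it."""
    out = list(v[: index + 1]) + [0] * (3 - index)
    out[index] += 1
    return tuple(out)

def constraint_bounds(constraint: str) -> Tuple[Version, Version]:
    """Translate a Composer constraint into [lower, upper) bounds.
    Wildcard 0.34.*  -> >=0.34.0 <0.35.0 (so 0.34.7.* -> >=0.34.7.0 <0.34.8.0)
    Caret    ^0.34.7 -> >=0.34.7 <0.35.0 (leftmost non-zero component stays fixed)
    Range    >=A <B  -> taken literally."""
    c = constraint.strip()
    if c.endswith(".*"):
        low = parse_version(c[:-2])
        return low, _bump(low, c[:-2].count("."))
    if c.startswith("^"):
        low = parse_version(c[1:])
        return low, _bump(low, next((i for i, part in enumerate(low) if part), 0))
    m = re.fullmatch(r">=\s*([\d.]+)\s*,?\s*<\s*([\d.]+)", c)
    if m:
        return parse_version(m.group(1)), parse_version(m.group(2))
    raise ValueError(f"unsupported constraint: {constraint!r}")

def admitted_releases(constraint: str, releases: List[str]) -> List[str]:
    """Releases Composer could resolve to under the constraint."""
    low, high = constraint_bounds(constraint)
    return [r for r in releases if low <= parse_version(r) < high]

def admits_affected(constraint: str, first_affected: str, last_affected: str) -> bool:
    """True when the constraint overlaps an advisory's affected range (both ends inclusive)."""
    low, high = constraint_bounds(constraint)
    return low <= parse_version(last_affected) and parse_version(first_affected) < high

if __name__ == "__main__":
    for c in ["0.33.*", "0.34.*", "0.34.7.*", "^0.34.7", ">=0.34.7 <0.35"]:
        verdict = "allows affected" if admits_affected(c, "0.20.0", "0.34.6") else "safe"
        print(f"{c:16} {verdict:16} {admitted_releases(c, SAMPLE_RELEASES)}")
```

Running it also shows a Composer detail worth knowing when choosing between the suggested forms: the wildcard "0.34.7.*" only matches 0.34.7.x, so it would exclude a later 0.34.8 patch, whereas "^0.34.7" and ">=0.34.7 <0.35" admit every 0.34.x release from the fix onward.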

@ChiragAgg5k ChiragAgg5k changed the base branch from main to 0.14.x December 17, 2025 11:54
@ChiragAgg5k ChiragAgg5k merged commit 36f138f into 0.14.x Dec 17, 2025
8 checks passed
@ChiragAgg5k ChiragAgg5k deleted the use-framework-0.34 branch December 17, 2025 11:59