Run composer install --no-dev on your live servers. This completely removes the phpunit/phpunit folder from vendor/, making eval-stdin.php vanish entirely.
If an attacker can access eval-stdin.php directly via their browser (and the server is configured to execute PHP files), they can send arbitrary PHP code to the script via POST data or query strings. Because the script blindly eval()s whatever it receives, .
If you are searching for eval-stdin.php because you need to execute dynamic PHP code, ask yourself: Is there a better architectural pattern?
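One way to confirm that composer install --no-dev really left no PHPUnit files in a release, as an added example that is not from the original page: a post-deploy gate in POSIX sh. The function names and exit codes are assumptions of this example; it matches eval-stdin.php by file name, so stray copies outside vendor/ are reported as well.

```shell
#!/bin/sh
# Added example: fail a deployment if dev-only PHPUnit files are still present.
# Function names and exit codes are this example's own, not part of Composer or PHPUnit.

# list_eval_stdin ROOT: print every file named eval-stdin.php under ROOT,
# wherever it sits (inside vendor/ or copied elsewhere in the docroot).
list_eval_stdin() {
    find "$1" -type f -name 'eval-stdin.php' 2>/dev/null
}

# list_phpunit_dirs ROOT: print every vendor/phpunit/phpunit directory under ROOT.
# A surviving directory means dev dependencies were installed on this host.
list_phpunit_dirs() {
    find "$1" -type d -path '*/vendor/phpunit/phpunit' 2>/dev/null
}

# check_release ROOT
#   returns 0 when the release is clean,
#           1 when eval-stdin.php or a phpunit/phpunit folder is present,
#           2 when ROOT is not a directory (a typo must not read as "clean").
check_release() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "check_release: not a directory: $root" >&2
        return 2
    fi
    hits=$(list_eval_stdin "$root"; list_phpunit_dirs "$root")
    if [ -n "$hits" ]; then
        echo "dev-only PHPUnit files found in release:" >&2
        echo "$hits" | sed 's/^/  /' >&2
        echo "fix: run composer install --no-dev, then delete any stray copies" >&2
        return 1
    fi
    return 0
}

# When called with a path, act as the gate: the script's exit status is the verdict.
if [ "$#" -gt 0 ]; then
    check_release "$1"
fi
```

Run it against the release directory as the last deployment step and treat any non-zero exit status as a failed deploy.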