GitLabPHP / Client

GitLab API v4 client for PHP
MIT License

please move away from abandoned package php-http/message-factory #790

Closed verfriemelt-dot-org closed 6 months ago

verfriemelt-dot-org commented 7 months ago

heyho

In my project I get this with Composer 2.7.0:

$  composer audit
No security vulnerability advisories found.
Found 1 abandoned package:
+--------------------------+----------------------------------------------------------------------------------+
| Abandoned Package        | Suggested Replacement                                                            |
+--------------------------+----------------------------------------------------------------------------------+
| php-http/message-factory | psr/http-factory                                                                 |
+--------------------------+----------------------------------------------------------------------------------+

I was wondering where this was coming from, and it's a transient dependency on your project:

 $  composer why php-http/message-factory
php-http/cache-plugin 1.8.1 requires php-http/message-factory (^1.0)
 $  composer why php-http/cache-plugin
m4tthumphrey/php-gitlab-api 11.13.0 requires php-http/cache-plugin (^1.8.1)

thx for the great work so far :heart:
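The two `composer why` lookups in the post above can be done in one pass over `composer.lock`; the following is an added example, not part of the thread or of the project's code. It assumes the lock file carries an `abandoned` field on each abandoned package; the lock excerpt is constructed from the names and versions quoted in the post, and `abandoned_chains` is a hypothetical helper name.

```python
import json

# Constructed composer.lock excerpt (not the reporter's real lock file);
# package names and the two versions are the ones quoted in the issue.
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "m4tthumphrey/php-gitlab-api", "version": "11.13.0",
     "require": {"php-http/cache-plugin": "^1.8.1"}},
    {"name": "php-http/cache-plugin", "version": "1.8.1",
     "require": {"php-http/message-factory": "^1.0"}},
    {"name": "php-http/message-factory",
     "require": {}, "abandoned": "psr/http-factory"}
  ],
  "packages-dev": []
}
""")


def abandoned_chains(lock, root_requires):
    """Map each abandoned package to (replacement, chains from a root requirement)."""
    pkgs = {p["name"]: p for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    # Reverse edges: package name -> names of locked packages that require it.
    parents = {}
    for name, pkg in pkgs.items():
        for dep in pkg.get("require", {}):
            parents.setdefault(dep, set()).add(name)

    def walk(name, path):
        path = [name] + path
        found = [path] if name in root_requires else []
        for parent in sorted(parents.get(name, ())):
            if parent not in path:  # guard against dependency cycles
                found += walk(parent, path)
        return found

    report = {}
    for name, pkg in pkgs.items():
        if pkg.get("abandoned"):
            # Assumed encoding: True (no suggestion) or the replacement's name.
            repl = pkg["abandoned"] if isinstance(pkg["abandoned"], str) else None
            report[name] = (repl, walk(name, []))
    return report


if __name__ == "__main__":
    roots = {"m4tthumphrey/php-gitlab-api"}  # what the root composer.json requires
    for pkg, (repl, chains) in abandoned_chains(SAMPLE_LOCK, roots).items():
        print(pkg, "->", repl or "no replacement suggested")
        for chain in chains:
            print("   via", " > ".join(chain))
```

Each chain names the direct requirement whose constraint has to change before the abandoned package can leave the lock file.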

GrahamCampbell commented 7 months ago

Thanks for the report. There's no rush to do this, as there are no security concerns with the old package. Once a v2 of the cache plugin has been released, we will consider upgrading. Work has already started: https://github.com/php-http/cache-plugin/compare/1.x...2.x. I'm fine to leave this issue open to track this.

GrahamCampbell commented 7 months ago

Related: https://github.com/php-http/cache-plugin/issues/85.

christian-fries commented 7 months ago

Version 2 of the cache plugin has been released: https://github.com/php-http/cache-plugin/releases/tag/2.0.0

jurgenhaas commented 6 months ago

Any chance of getting the extended constraint into the 11.13.x release, please?

GrahamCampbell commented 6 months ago

Fixed in 11.14.0.