Vonage / vonage-php-sdk-core

Vonage REST API client for PHP. API support for SMS, Voice, Text-to-Speech, Numbers, Verify (2FA) and more.
https://developer.vonage.com/
Apache License 2.0

Support for Lcobucci JWT 5.2 #460

Closed Brenneisen closed 8 months ago

Brenneisen commented 8 months ago

The lcobucci/jwt requirement for this package is `"lcobucci/jwt": "^3.4|^4.0"`; it would be great to support version v5.2.

This library uses legacy dependencies. Since PHP 8.0 has now reached EOL, a new major version of this library could be released with support for PHP 8.1 and lcobucci/jwt 5.2. The support for lcobucci/jwt 3.4 could also be removed, as this version only supports PHP 7.0 anyway.

The lcobucci/jwt 5.2 release offers support for validation against multiple keys and thus key rotation. You restrict your customers with legacy dependencies and have no other option. I don't understand that.

SecondeJK commented 8 months ago

Please note that lcobucci/jwt is being phased out of this library. It's only in there right now as legacy support, because the JWT generation is being handled by vonage/jwt. The version will get bumped in that library when I get round to it.

With regards to restricting customers, that is not obviously our aim. The evolution of the SDK takes time, and maintaining it happens when I have time to do it among other responsibilities.

Brenneisen commented 8 months ago

Sorry but we have been waiting for over 8 months now (https://github.com/Vonage/vonage-php-sdk-core/issues/381). Nothing is happening and offering a new major version to support current dependencies is absolutely standard. We can no longer understand this and we are slowly running out of options other than switching from Vonage to another competitor like Twilio.

SecondeJK commented 8 months ago

Offering new versions to support version bumps is desirable, yes, but we have to support a lot of customers and frameworks across the entire PHP ecosystem, and this is an open source library, not a piece of bespoke proprietary enterprise software.

In your referenced issue which I closed (#381) I stated that I want to support 8.0 for a little longer to give customers a chance to upgrade. It's been 8 months, so that's a decent amount of time, thank you for waiting. I'll schedule work to bump this.

Brenneisen commented 8 months ago

For me, this is an official SDK. I can only present our perspective. We are a customer and use the SDK provided. Funnily enough, we pay invoices to Vonage. PHP 8.0 can still be supported. But you can also offer a new major version with at least PHP 8.1 support in parallel. This is an industry standard.

SecondeJK commented 8 months ago

Released in 4.6.0, thank you for reporting.

Brenneisen commented 8 months ago

Thank you!