Closed acsauk closed 2 years ago
Hi @acsauk, thanks so much for this!
I'm not a PHP expert so I want to call out my assumptions and understandings of this PR to get a sense check from you please.
- ^v6.1.0 means that we are potentially forcing users to upgrade their PHP version to >=7.1. Note, 7.3 and below are currently end of life (https://www.php.net/supported-versions.php) but I have no idea how up to date our users' applications are.
- ^v6.1.0 will mean that anyone using firebase/php-jwt in their own code may be required to make changes to it due to the breaking changes introduced in v6.0.0 (https://github.com/firebase/php-jwt/releases?page=1)

If my understanding is correct above, I think this should be a breaking change and we should release it under version 4.0.0 rather than 3.3.0. What do you think about that? Have I missed anything? Note, versioning libraries is hard and not a perfect science.
But apart from that, all the code checks out and I've created a new branch for security reasons that we have run our integration tests against and it looks happy - https://github.com/alphagov/notifications-php-client/pull/108.
Hey @idavidmcdonald - yeah I would agree with all of your points above and makes sense to make it a major version release given the requirement for PHP 7.1+. Can't see anything you've missed 👍
I'll push the version bump up now!
Right, this has now been released from a separate PR. You now have version 4.0.1 available to download (https://packagist.org/packages/alphagov/notifications-php-client). Let us know if you spot any problems.
Note, I spotted an extra thing we missed so that is why there is a version 4.0.1 rather than just 4.0.0.
Thanks for your help in raising this and doing the hard work to make the changes. It is really really appreciated!
Cheers!
What problem does the pull request solve?
Fixes https://security.snyk.io/vuln/SNYK-PHP-FIREBASEPHPJWT-2434829. This is a vulnerability flagged in our repo - https://github.com/ministryofjustice/opg-digideps.
I'm hoping there aren't any other breaking changes in moving from v5 -> v6 but as I can't run the integration tests without valid creds I had to just rely on unit tests (which are passing now). Happy to pair with a Notify dev to get the fix out if required, just let me know.
Checklist
- DOCUMENTATION.md and CHANGELOG.md
- const VERSION in src/Client.php