auth0 / auth0-PHP

PHP SDK for Auth0 Authentication and Management APIs.
https://auth0.com/docs/libraries/auth0-php
MIT License

Dependency auth0/php-jwt conflicts with lcobucci/jwt #477

Closed renta closed 3 years ago

renta commented 3 years ago

Describe the problem

If a project has a dependency on lcobucci/jwt and auth0/auth0-PHP, there is a problem. Class Lcobucci\JWT\Signer\Key\InMemory inherits Lcobucci\JWT\Signer\Key. Your fork has the same namespace, but the Key class is final there. During the installation of packages in Composer there are fatal errors because of this clash:

[29-Jan-2021 15:25:02 UTC] PHP Fatal error: Class Lcobucci\JWT\Signer\Key\InMemory may not inherit from final class (Lcobucci\JWT\Signer\Key) in /var/www/html/vendor/lcobucci/jwt/src/Signer/Key/InMemory.php on line 10
[29-Jan-2021 15:25:02 UTC] PHP Fatal error: Uncaught Symfony\Component\ErrorHandler\Error\FatalError: Class Lcobucci\JWT\Signer\Key\InMemory may not inherit from final class (Lcobucci\JWT\Signer\Key) in /var/www/html/vendor/lcobucci/jwt/src/Signer/Key/InMemory.php:10
Stack trace:
#0 {main}
  thrown in /var/www/html/vendor/lcobucci/jwt/src/Signer/Key/InMemory.php on line 10

What was the expected behavior?

Maybe auth0/auth0-PHP could get rid of the fork and return lcobucci/jwt as a dependency?

Reproduction

Add latest versions of auth0/auth0-PHP and lcobucci/jwt to composer.json

Environment

evansims commented 3 years ago

Hi @renta 👋 auth0/auth0-PHP 3.3.4 is a drop-in replacement for lcobucci/jwt 3.3.3 with added PHP 8 support, as the author didn't want to merge PHP 8 compatibility in the upstream package to the 3.X branch. The 4.X branch of lcobucci/jwt, and later versions of the 3.X branch, introduce a new API which will require breaking changes in our SDK to adapt to, so it's unfortunately not as simple as a dependency change, and thus our fork. The next major release of this SDK will resolve this, but in the meantime, if you need to use the JWT library independent of our SDK, you'll need to continue using the 3.3.3-compatible API and our fork as a drop-in replacement.

ghost commented 3 years ago

The conflict is caused by the namespaces for the official lcobucci/jwt package and your drop-in version being the same. This prevents us from using any other package that relies on 4.x. The Auth0 SDK should not effectively lock its consumers into using a deprecated version of another third-party package due to its major release cycle. The auth0/php-jwt fork should use a different namespace than the official package Lcobucci\JWT.
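As an added example (not part of the thread, and not Auth0's or lcobucci's code), this PHP script reads Composer's installed-package metadata and lists every PSR-4 namespace prefix registered by more than one package, which is the condition described above. The embedded JSON is a constructed sample whose versions and paths are placeholders, and the function name is hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample in the shape of vendor/composer/installed.json.
// Package names come from the thread; versions and paths are placeholders.
const SAMPLE_INSTALLED = <<<'JSON'
{
  "packages": [
    {"name": "lcobucci/jwt", "version": "0.0.0-sample",
     "autoload": {"psr-4": {"Lcobucci\\JWT\\": "src"}}},
    {"name": "auth0/php-jwt", "version": "0.0.0-sample",
     "autoload": {"psr-4": {"Lcobucci\\JWT\\": "src"}}},
    {"name": "example/other", "version": "0.0.0-sample",
     "autoload": {"psr-4": {"Example\\Other\\": ["src", "lib"]}}}
  ]
}
JSON;

/**
 * Return the PSR-4 prefixes that more than one installed package registers.
 * (Hypothetical helper written for this example.)
 *
 * @return array<string, string[]> prefix as first seen => package names
 */
function findSharedPsr4Prefixes(string $installedJson): array
{
    $data = json_decode($installedJson, true, 512, JSON_THROW_ON_ERROR);
    // Composer 2 wraps the list in "packages"; Composer 1 stored a bare list.
    $packages = $data['packages'] ?? $data;

    $owners = [];   // normalised prefix => package names
    $display = [];  // normalised prefix => prefix as first written
    foreach ($packages as $package) {
        foreach (array_keys($package['autoload']['psr-4'] ?? []) as $prefix) {
            // PHP namespaces are case-insensitive; ignore the trailing separator.
            $key = strtolower(rtrim((string) $prefix, '\\'));
            $display[$key] ??= (string) $prefix;
            $owners[$key][] = $package['name'];
        }
    }

    $shared = [];
    foreach ($owners as $key => $names) {
        $names = array_values(array_unique($names));
        if (count($names) > 1) {
            $shared[$display[$key]] = $names;
        }
    }
    return $shared;
}

foreach (findSharedPsr4Prefixes(SAMPLE_INSTALLED) as $prefix => $names) {
    printf("%s is registered by: %s\n", $prefix, implode(', ', $names));
}
```

To check a real project, pass `file_get_contents('vendor/composer/installed.json')` instead of the sample.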

l-vanbommel commented 3 years ago

Is there any indication when the new major version will be released? More and more packages cannot be updated because of your fork with the same namespace...

evansims commented 3 years ago

Hey, @l-vanbommel 👋 I'm not able to provide a timeline for you at this time, but it's a near-term goal. However, if this issue is holding you back, you could temporarily pin 7.5 until we get that major released, assuming you don't require PHP 8 support.

l-vanbommel commented 3 years ago

Thanks for your helpful answer! I initially added "lcobucci/jwt": "3.3.3" because that is the version you forked to prevent further issues. Pinning 7.5 is better as it allows some more updates of the other packages.

ghost commented 3 years ago

Still, some packages require lcobucci/jwt 3.4 and up, not tied to PHP 8. This is really frustrating.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.