psr/cache 2.0.0 gets installed which requires PHP 8

[rdesimone]

Describe the issue you are experiencing

Ist seems that installing version 5.23.0 installs also psr/cache 2.0.0 which requires PHP 8.

Checking composer.lock I noticed that kreait/firebase-php, kreait/firebase-tokens and google/auth are requiring psr/cache. Not sure why it gets installed...

{
            "name": "google/auth",
            "version": "v1.18.0",
            "source": {
                "type": "git",
                "url": "https://github.com/googleapis/google-auth-library-php.git",
                "reference": "21dd478e77b0634ed9e3a68613f74ed250ca9347"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/googleapis/google-auth-library-php/zipball/21dd478e77b0634ed9e3a68613f74ed250ca9347",
                "reference": "21dd478e77b0634ed9e3a68613f74ed250ca9347",
                "shasum": ""
            },
            "require": {
                "firebase/php-jwt": "~2.0|~3.0|~4.0|~5.0",
                "guzzlehttp/guzzle": "^5.3.1|^6.2.1|^7.0",
                "guzzlehttp/psr7": "^1.7|^2.0",
                "php": ">=5.4",
                "psr/cache": "^1.0|^2.0",
                "psr/http-message": "^1.0"
            },

{
            "name": "kreait/firebase-php",
            "version": "5.23.0",
            "source": {
                "type": "git",
                "url": "https://github.com/kreait/firebase-php.git",
                "reference": "0b3ba9f97adb439501ca99381be9ea7b0d4347e1"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/kreait/firebase-php/zipball/0b3ba9f97adb439501ca99381be9ea7b0d4347e1",
                "reference": "0b3ba9f97adb439501ca99381be9ea7b0d4347e1",
                "shasum": ""
            },
            "require": {
                "ext-ctype": "*",
                "ext-json": "*",
                "ext-mbstring": "*",
                "ext-openssl": "*",
                "google/auth": "^1.18",
                "google/cloud-core": "^1.42.2",
                "google/cloud-storage": "^1.24.1",
                "guzzlehttp/guzzle": "^6.5.5|^7.3",
                "guzzlehttp/promises": "^1.4",
                "guzzlehttp/psr7": "^1.7|^2.0",
                "kreait/clock": "^1.1",
                "kreait/firebase-tokens": "^1.16",
                "mtdowling/jmespath.php": "^2.6.1",
                "php": "^7.4|^8.0",
                "psr/cache": "^1.0.1|^2.0|^3.0",
                "psr/http-message": "^1.0.1",
                "psr/log": "^1.1|^2.0|^3.0",
                "psr/simple-cache": "^1.0",
                "riverline/multipart-parser": "^2.0.8",
                "symfony/polyfill-php80": "^1.23"
            },

{
            "name": "kreait/firebase-tokens",
            "version": "1.16.0",
            "source": {
                "type": "git",
                "url": "https://github.com/kreait/firebase-tokens-php.git",
                "reference": "563394ba948aee2e0c387a381f88c4aaeaa52138"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/kreait/firebase-tokens-php/zipball/563394ba948aee2e0c387a381f88c4aaeaa52138",
                "reference": "563394ba948aee2e0c387a381f88c4aaeaa52138",
                "shasum": ""
            },
            "require": {
                "ext-json": "*",
                "ext-openssl": "*",
                "fig/http-message-util": "^1.1.5",
                "guzzlehttp/guzzle": "^6.3.1|^7.0",
                "kreait/clock": "^1.1.0",
                "lcobucci/jwt": "^3.4.1|^4.0",
                "php": "^7.4|^8.0",
                "psr/cache": "^1.0|^2.0|^3.0",
                "psr/simple-cache": "^1.0.1"
            },

Installed packages

fig/http-message-util       1.1.5   Utility classes and constants for use with PSR-7 (psr/http-message)
firebase/php-jwt            v5.4.0  A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform ...
google/auth                 v1.18.0 Google Auth Library for PHP
google/cloud-core           v1.43.0 Google Cloud PHP shared dependency, providing functionality useful to all components.
google/cloud-storage        v1.25.0 Cloud Storage Client for PHP
google/crc32                v0.1.0  Various CRC32 implementations
graham-campbell/result-type v1.0.2  An Implementation Of The Result Type
guzzlehttp/guzzle           7.3.0   Guzzle is a PHP HTTP client library
guzzlehttp/promises         1.4.1   Guzzle promises library
guzzlehttp/psr7             2.0.0   PSR-7 message implementation that also provides common utility methods
kreait/clock                1.1.0   A PHP 7.0 compatible clock abstraction
kreait/firebase-php         5.23.0  Firebase Admin SDK
kreait/firebase-tokens      1.16.0  A library to work with Firebase tokens
lcobucci/clock              2.0.0   Yet another clock abstraction
lcobucci/jwt                4.1.4   A simple library to work with JSON Web Token and JSON Web Signature
monolog/monolog             2.3.2   Sends your logs to files, sockets, inboxes, databases and various web services
mtdowling/jmespath.php      2.6.1   Declaratively specify how to extract elements from a JSON document
nikic/fast-route            v1.3.0  Fast request router for PHP
opis/closure                3.6.2   A library that can be used to serialize closures (anonymous functions) and arbitrar...
php-di/invoker              2.3.2   Generic and extensible callable invoker
php-di/php-di               6.3.5   The dependency injection container for humans
php-di/phpdoc-reader        2.2.1   PhpDocReader parses @var and @param values in PHP docblocks (supports namespaced cl...
phpoption/phpoption         1.8.0   Option Type for PHP
psr/cache                   2.0.0   Common interface for caching libraries
psr/container               1.1.1   Common Container Interface (PHP FIG PSR-11)
psr/http-client             1.0.1   Common interface for HTTP clients
psr/http-factory            1.0.1   Common interfaces for PSR-7 HTTP message factories
psr/http-message            1.0.1   Common interface for HTTP messages
psr/http-server-handler     1.0.1   Common interface for HTTP server-side request handler
psr/http-server-middleware  1.0.1   Common interface for HTTP server-side middleware
psr/log                     1.1.4   Common interface for logging libraries
psr/simple-cache            1.0.1   Common interfaces for simple caching
ralouphie/getallheaders     3.0.3   A polyfill for getallheaders.
riverline/multipart-parser  2.0.8   One class library to parse multipart content with encoding and charset support.
rize/uri-template           0.3.3   PHP URI Template (RFC 6570) supports both expansion & extraction
slim/http                   1.2.0   Slim PSR-7 Object Decorators
slim/psr7                   1.5     Strict PSR-7 implementation
slim/slim                   4.8.1   Slim is a PHP micro framework that helps you quickly write simple yet powerful web ...
symfony/polyfill-ctype      v1.23.0 Symfony polyfill for ctype functions
symfony/polyfill-mbstring   v1.23.1 Symfony polyfill for the Mbstring extension
symfony/polyfill-php80      v1.23.1 Symfony polyfill backporting some PHP 8.0+ features to lower PHP versions
vlucas/phpdotenv            v5.3.0  Loads environment variables from `.env` to `getenv()`, `$_ENV` and `$_SERVER` autom...

PHP version and extensions

7.4.24 -> Docker environment

On which operating system(s) does the issue occur?

• [ ] Linux
• [X] MacOS
• [ ] Windows

Steps to reproduce the issue.

php composer.phar update

Error message/Stack trace

Running the app:

Fatal error: Composer detected issues in your platform: Your Composer dependencies require a PHP version ">= 8.0.0". You are running 7.4.24. in /..../src/vendor/composer/platform_check.php on line 24

Additional information

No response

[jeromegamez]

psr/cache is installed to provide caching support for the Google Public Tokens when doing ID Token verification - it's just the Interfaces, though, they are needed so that cache implementations can hook into the interfaces (https://github.com/kreait/firebase-tokens-php#cache-results-from-the-google-secure-token-store)

kreait/firebase has support for all psr/cache releases (1.x - 3.x), there are two common reasons why the 2.x version (which supports only PHP 8.0+) might have ended up in the composer.lock file as opposed to 1.x which supports any PHP version starting at 5.3):

• the composer.lock file has been generated in a PHP 8.0 environment, and is used on a PHP 7.4 environment when doing a composer install
• composer install is executed with the --ignore-platform-requirements parameter

When building docker images, this can happen when the composer.lock file is not present in the .dockerignore file.

Since psr/cache 2.0 is installed and not 3.0, I assume that another package requires this version specifically. You can check why a specific package (version) is installed with composer why psr/cache in your project directory.

[rdesimone]

Hmm, not sure...

composer.lock has been created in a PHP 7.4 (PhpStorm) environment. It was an update of an old project with outdated dependencies.

composer install has not been executed with --ignore-platform-requirements

The source files are mounted as a volume in Docker, so I also don't see the reason of a missing composer.lock in .dockerignore.

composer why psr/cache gives

google/auth             v1.18.0  requires  psr/cache (^1.0|^2.0)         
kreait/firebase-php     5.23.0   requires  psr/cache (^1.0.1|^2.0|^3.0)  
kreait/firebase-tokens  1.16.0   requires  psr/cache (^1.0|^2.0|^3.0)   

like I checked already in composer-lock. (Thanks for the hint of this command!)

The dependencies which require psr/cache are all related to kreait/firebase-php. I also think google/auth is required by kreait/firebase-php.

Should it not be made sure that only 1.0.x will be installed to not run into this problem?

[jeromegamez]

Yes, you can add a "psr/cache": "^1.0" in the composer.json of your project to ensure that you won't receive a 2.x or 3.x version, but this would not answer the underlying question how a PHP 8.0 dependency ended up in a composer.lock file that has been generated in a PHP 7.4 environment - this should just not be possible.

Does the composer.json of your project have a "php": "^..." in its require section?

[rdesimone]

This is my composer.json

{
    "require": {
        "slim/slim": "^4.8.1",
        "slim/psr7": "^1.3.0",
        "slim/http": "^1.2.0",
        "php-di/php-di": "^6.3.5",
        "monolog/monolog": "2.3.2",
        "firebase/php-jwt": "^v5.4.0",
        "guzzlehttp/guzzle": "^7.3.0"
    }
}

I just updated all dependencies to their latest version (they were outdated for years...)

and then run php composer.phar update

[jeromegamez]

The line "php": "^7.4" in the require section is missing 🤞

[rdesimone]

Thanks a lot!!!!

[jeromegamez]

You're welcome 🌺