fix: replace abandoned php-http/message-factory with psr/http-factory

[kochen]

fixes #164

[kochen]

@wazelin thanks for taking the time to look at this!

The change I proposed does not require any additional changes (and passes all tests).

I suggest we first deal with the reported vulnerability and then look at the rest. Could you approve/merge this #169 first?

[wazelin]

Could you approve/merge this #169 first?

169 is fine indeed. Thank you!

That new Sonarqube integration is misbehaving a little, but that's not related to the changes introduced.

[kochen]

@wazelin I refactored the code to use Nyholm\Psr7\Response (and removed the abandoned php-http/message-factory).

There are 2 commits here, because I'm using the "bumped" versions from #166

[kochen]

Sure, though I would still suggest tackling these tasks independently and also merging them one by one.

[kochen]

@wazelin the libraries cannot be updates, because they rely on core v6.9 which uses the ResponseFactory.

Could you maybe release v7-beta/RC so the code adjustments could be done?

[wazelin]

@wazelin the libraries cannot be updates, because they rely on core v6.9 which uses the ResponseFactory.

Could you maybe release v7-beta/RC so the code adjustments could be done?

I'm not quite sure I understand. Removing ResponseFactory usage doesn't really require having that same factory removed from the core library, does it? I mean, to me it seems that places like this one here should be refactored to return an instance of Nyholm\Psr7\Response explicitly.

[kochen]

That's true for all the src code, but tests like this (and many others), still expect the factory being passed.

So I could fix the tests for v6.9, but once v7 is released the tests would fail.

[wazelin]

I've opened alternative PRs for all of the lti1p3 libraries and the Symfony bundle, @kochen. Let me know what you think.

[kochen]

looks great!

I'm following... ;)