okta / okta-sdk-php

PHP SDK for the Okta API
Apache License 2.0

Require dependencies block Drupal update #131

Open benconda opened 2 years ago

benconda commented 2 years ago

Hello,

I have a problem updating a Drupal website to the latest version (9.2.x) due to the fixed version of one of this package's dependencies:

Problem 1

  • Root composer.json requires drupal/core-recommended 9.2.4 -> satisfiable by drupal/core-recommended[9.2.4].
  • You can only install one version of a package, so only one of these can be installed: guzzlehttp/psr7[dev-master, 1.0.0, ..., 1.x-dev, 2.0.0-beta1, 2.0.0-rc1, 2.0.0].
  • okta/sdk 1.3.0 requires guzzlehttp/psr7 1.7.0 -> satisfiable by guzzlehttp/psr7[1.7.0].
  • drupal/core-recommended 9.2.4 requires guzzlehttp/psr7 1.8.2 -> satisfiable by guzzlehttp/psr7[1.8.2].
  • okta/sdk is locked to version 1.3.0 and an update of this package was not requested.

I see that your last commit should fix it.

Do you know when the release will be done? It prevents us from applying a critical security update.

Thank you

JamesDPC commented 2 years ago

Hi

okta/sdk 1.3.0 has a dependency "guzzlehttp/psr7": "1.7.0", see: https://github.com/okta/okta-sdk-php/blob/1.3.0/composer.json#L23

This precludes guzzlehttp/psr7 1.8 from being used (https://github.com/guzzle/psr7/blob/1.8.3/CHANGELOG.md)

A workaround is to install using an alias:

composer require "guzzlehttp/psr7:1.8.3 as 1.7.0"

There might be a very good reason for guzzlehttp/psr7 being locked at 1.7.0 in okta/sdk, but if not it would be great if the maintainers could push out a 1.3.1 release with the requirement at ^1.7.0 🙏🏽

If a project needs guzzlehttp/psr7 at 1.7.0 it can lock that in as a root requirement.

Thanks James

JamesDPC commented 2 years ago

Is it possible for a maintainer to look at this? It's a trivial change.

JamesDPC commented 2 years ago

guzzlehttp/psr7 <= 1.8.3 has a recent Security Advisory, see https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96: Improper Input Validation in guzzlehttp/psr7

@laurarodriguez-okta I saw your response in another issue here; is it possible to get the restriction on 1.7.0 removed and a new release tagged? Does it require a PR?

This change has already been done in the develop branch but would need to be updated to ^1.8.4: https://github.com/okta/okta-sdk-php/blob/develop/composer.json#L23
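The check this thread is asking for, as an added example that is not part of the issue or of the okta/sdk project: a small audit script that reads a root composer.json and composer.lock, flags a locked guzzlehttp/psr7 below the 1.8.4 fix for GHSA-q7rv-6hp3-vh96, and flags exact version pins (like "1.7.0") that would block that update. The sample composer.json and composer.lock contents are constructed, and the fixed-version table is limited to the advisory named above.

```python
import json
import re

# Constructed sample root composer.json with the exact pin discussed in this thread.
SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {"okta/sdk": "1.3.0", "guzzlehttp/psr7": "1.7.0"}
})

# Constructed sample composer.lock matching that composer.json.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/psr7", "version": "1.7.0"},
        {"name": "okta/sdk", "version": "1.3.0"},
    ]
})

# First fixed version per package, from the advisory cited above (psr7 <= 1.8.3 affected).
ADVISORY_FIXED = {"guzzlehttp/psr7": (1, 8, 4)}


def parse_version(v):
    # Accept "1.8.3" or "v1.8.3"; ignore any suffix such as "-beta1". Returns an int tuple.
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(x) for x in m.groups())


def locked_versions(lock_text):
    # Map package name -> version for both prod and dev packages in composer.lock.
    lock = json.loads(lock_text)
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"]: p["version"] for p in pkgs}


def exact_pins(composer_text):
    # An exact constraint like "1.7.0" (no ^, ~, ranges) cannot receive a security release.
    data = json.loads(composer_text)
    pins = {}
    for section in ("require", "require-dev"):
        for name, constraint in data.get(section, {}).items():
            if re.fullmatch(r"v?\d+\.\d+\.\d+", constraint.strip()):
                pins[name] = constraint.strip()
    return pins


def audit(composer_text, lock_text):
    # Returns a list of human-readable findings; empty list means nothing to fix.
    findings = []
    for name, version in locked_versions(lock_text).items():
        fixed = ADVISORY_FIXED.get(name)
        if fixed and parse_version(version) < fixed:
            findings.append(f"{name} {version} is below fixed version {'.'.join(map(str, fixed))}")
    for name, constraint in exact_pins(composer_text).items():
        findings.append(f"{name} is pinned to exactly {constraint}; exact pins block security updates")
    return findings
```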

JamesDPC commented 2 years ago

Given this repo has been placed into "security patch only mode", the locking of "guzzlehttp/psr7" at "1.7.0" should be fixed under that? See the Security Advisory note above.

Having to use an alias in a project ("guzzlehttp/psr7:1.8.5 as 1.7.0") is a temporary solution only.

Could the maintainers drop a 1.4.0 release with an updated/looser guzzlehttp/psr7 constraint? 🙏🏽