Open benconda opened 2 years ago
Hi
okta/sdk 1.3.0 has a dependency "guzzlehttp/psr7": "1.7.0",
See: https://github.com/okta/okta-sdk-php/blob/1.3.0/composer.json#L23
This precludes guzzlehttp/psr7 1.8 from being used (https://github.com/guzzle/psr7/blob/1.8.3/CHANGELOG.md)
A workaround is to install using an alias:
composer require "guzzlehttp/psr7:1.8.3 as 1.7.0"
There might be a very good reason for guzzlehttp/psr7 being locked at 1.7.0 in okta/sdk, but if not it would be great if the maintainers could push out a 1.3.1 release with the requirement at ^1.7.0 🙏🏽
If a project needs guzzlehttp/psr7 at 1.7.0 it can lock that in as a root requirement.
Thanks James
Is it possible for a maintainer to look at this? It's a trivial change.
guzzlehttp/psr7 <= 1.8.3 has a recent Security Advisory, see https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96 Improper Input Validation in guzzlehttp/psr7
@laurarodriguez-okta I saw your response in another issue here, is it possible to get the restriction on 1.7.0 removed and a new release tagged? Does it require a PR?
This change has already been done in develop branch but would need to be updated to ^1.8.4: https://github.com/okta/okta-sdk-php/blob/develop/composer.json#L23
Given this repo has been placed into "security patch only mode" - the locking of "guzzlehttp/psr7" at "1.7.0" should be fixed under that? See the Security Advisory note above.
Having to use an alias in a project (guzzlehttp/psr7:1.8.5 as 1.7.0) is a temporary solution only.
Could the maintainers drop a 1.4.0 release with an updated/looser guzzlehttp/psr7 constraint? 🙏🏽
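A check a consuming project can run while waiting for a release, as an added example that is not part of this thread or of the okta/sdk code: it reads the parsed composer.lock, reports the guzzlehttp/psr7 version that is actually installed (an inline alias such as "1.8.3 as 1.7.0" only changes what dependents see, not what is on disk) and flags anything below 1.8.4, the minimum the develop branch requires. The lock contents, the FIXED_VERSION constant and the helper names are constructed for this example.

```python
import json
import re

# Constructed composer.lock excerpt: what a project using the "1.8.3 as 1.7.0"
# alias workaround would record (the real 1.8.3 is installed, not 1.7.0).
SAMPLE_LOCK = """{
  "packages": [
    {"name": "guzzlehttp/psr7", "version": "1.8.3"},
    {"name": "okta/sdk", "version": "1.3.0"}
  ],
  "packages-dev": []
}"""

PACKAGE = "guzzlehttp/psr7"
# Releases <= 1.8.3 are covered by the advisory quoted in the thread and the
# develop branch requires ^1.8.4, so that is the minimum accepted here.
FIXED_VERSION = "1.8.4"

ALIAS_RE = re.compile(r"^\s*(\S+)\s+as\s+(\S+)\s*$")


def parse_version(text):
    """Turn '1.8.3', 'v1.8.3' or '1.8.3-rc1' into a tuple of ints for
    comparison; a non-numeric version (e.g. 'dev-master') yields () and
    therefore compares as lower than any tagged release (flagged on purpose)."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def real_version(constraint):
    """Resolve a Composer inline alias such as '1.8.3 as 1.7.0' to the version
    actually installed (1.8.3); a plain constraint is returned unchanged."""
    match = ALIAS_RE.match(constraint)
    return match.group(1) if match else constraint.strip()


def audit_lock(lock_doc):
    """Return (installed_version, needs_update) for PACKAGE in a parsed
    composer.lock, or (None, False) when the package is not present."""
    for section in ("packages", "packages-dev"):
        for pkg in lock_doc.get(section, []):
            if pkg.get("name") == PACKAGE:
                installed = pkg["version"]
                outdated = parse_version(installed) < parse_version(FIXED_VERSION)
                return installed, outdated
    return None, False


def audit_sample():
    """Run the audit over the constructed lock file above."""
    return audit_lock(json.loads(SAMPLE_LOCK))


if __name__ == "__main__":
    version, outdated = audit_sample()
    status = "below %s, update needed" % FIXED_VERSION if outdated else "ok"
    print("%s %s: %s" % (PACKAGE, version, status))
```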
Hello,
I have a problem updating a Drupal website to the latest version (9.2.x) due to the fixed version of some of this package's dependencies:
I see that your last commit should fix it.
Do you know when the release will be done? It prevents us from applying a critical security update.
Thank you