okta / okta-sdk-php

PHP SDK for the Okta API
Apache License 2.0

guzzlehttp/psr7:1.7.0 exact requirement in master, updates in develop branch ? #150

Open JamesDPC opened 2 years ago

JamesDPC commented 2 years ago

Hey

With the update in the README "This repo will be placed into security patch only mode" it's worth pointing out that the last tagged release of this module from 2021 locks guzzlehttp/psr7 at 1.7.0 which has vulnerabilities: https://snyk.io/vuln/composer%3Aguzzlehttp%2Fpsr7

As the repo is in security patch mode could the authors please provide a patch to update guzzlehttp/psr7 with a relaxed ^1.8.5 constraint at the least (assuming v2.x of guzzlehttp/psr7 is incompatible).

There is a PR mentioning a release 1.3.0 linked to the develop branch, but from what I can see this release was tagged from master in 2021. The develop branch has a relaxed constraint; maybe this should be merged into master and a 1.4.0 release tagged?

Refs:

While there is a vague comment about "We're excited about the acquisition of Auth0 to bring you better support in PHP", it's important that this repo is kept up to date with security releases from modules specified as requirements, even if no features are going to be added (or at least allow projects to do the same).

Thanks James
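As an added example (not code from the okta-sdk-php repository or from the commenter), the following Python script illustrates the situation the issue describes: it reads a composer.lock, flags guzzlehttp/psr7 when the installed version is below the 1.8.5 floor the issue asks for, and shows why an exact `1.7.0` pin in a dependency's composer.json blocks a downstream project from upgrading while a `^1.8.5` range permits it. The composer.lock contents and both `require` blocks are constructed for the example; the 1.8.5 floor is a policy input taken from the issue, not a claim about any specific advisory.

```python
import json
import re

# Constructed composer.lock fragment for illustration only; it is not the
# okta-sdk-php lock file. It mirrors the situation in the issue: an exact
# "1.7.0" requirement leaves guzzlehttp/psr7 1.7.0 installed.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/psr7", "version": "1.7.0"},
        {"name": "guzzlehttp/guzzle", "version": "7.2.0"},
        {"name": "psr/http-message", "version": "1.0.1"},
    ],
    "packages-dev": [],
})

# Hypothetical "require" blocks: the exact pin the issue complains about,
# and the relaxed range it asks for.
PINNED_REQUIRE = {"guzzlehttp/psr7": "1.7.0"}
RELAXED_REQUIRE = {"guzzlehttp/psr7": "^1.8.5"}

# Minimum versions to enforce. 1.8.5 is the floor requested in the issue and
# is used here purely as policy input.
MIN_VERSIONS = {"guzzlehttp/psr7": "1.8.5"}


def parse_version(text):
    """Turn 'v1.8.5-beta1' or '1.8' into a comparable (major, minor, patch) tuple."""
    core = re.split(r"[-+]", text.lstrip("vV"), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def installed_versions(lock_json):
    """Map package name -> installed version from a composer.lock document."""
    lock = json.loads(lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def find_below_floor(lock_json, minimums):
    """Return {name: (installed, floor)} for packages installed below their floor."""
    installed = installed_versions(lock_json)
    below = {}
    for name, floor in minimums.items():
        if name in installed and parse_version(installed[name]) < parse_version(floor):
            below[name] = (installed[name], floor)
    return below


def constraint_allows(constraint, version):
    """Decide whether a Composer constraint admits `version`.

    Covers the two forms the issue contrasts: an exact pin such as "1.7.0"
    and a caret range such as "^1.8.5", which Composer reads as
    >=1.8.5 <2.0.0 (for 0.x the range stays within the same minor).
    """
    v = parse_version(version)
    constraint = constraint.strip()
    if constraint.startswith("^"):
        low = parse_version(constraint[1:])
        major, minor, patch = low
        if major > 0:
            high = (major + 1, 0, 0)
        elif minor > 0:
            high = (0, minor + 1, 0)
        else:
            high = (0, 0, patch + 1)
        return low <= v < high
    # Any other form is treated as an exact pin for this example.
    return v == parse_version(constraint)


def can_upgrade(require, name, target):
    """True when the require block lets Composer resolve `name` to `target`."""
    return name in require and constraint_allows(require[name], target)


if __name__ == "__main__":
    for name, (have, floor) in find_below_floor(SAMPLE_LOCK, MIN_VERSIONS).items():
        print(f"{name}: installed {have}, below floor {floor}")
    for label, req in (("pinned", PINNED_REQUIRE), ("relaxed", RELAXED_REQUIRE)):
        ok = can_upgrade(req, "guzzlehttp/psr7", "1.8.5")
        print(f"{label} require allows 1.8.5: {ok}")
```

Run it against a real composer.lock by replacing `SAMPLE_LOCK` with the file's contents; the point it demonstrates is that no downstream `composer update` can move past 1.7.0 while an upstream dependency pins that exact version, which is why the issue asks for the `^1.8.5` constraint to be released.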