loco/loco-php-sdk

Up `guzzle/psr7` version constraint

Closed this issue · 10 comments

Hi!
Due to issues with guzzle:
GHSA-25mq-v84q-4j7r
GHSA-q559-8m2m-g699

Please up guzzle/psr7 version constraint to ~2.1 OR ^2.4.0. This allows installing the latest guzzlehttp/guzzle.

I've had endless problems with this and don't want to risk breaking things here. This library uses guzzlehttp/guzzle-services which has caused dependency conflicts in the past, see issue #12.

I've tried your proposed change on master and all is fine in my test env. Can you confirm this works? I don't know enough about this to know if this change will introduce problems for others. Please advise if you do.

As for me, works like a charm and now I could put back roave/security-advisories to composer.json.
So I'm happy 😉.

My env:
PHP 8.1
Laravel 8
with packages as listed by composer show | grep guzzle

guzzlehttp/command           1.2.2   Provides the foundation for building command-based web service clients
guzzlehttp/guzzle            7.4.5   Guzzle is a PHP HTTP client library
guzzlehttp/guzzle-services   1.3.2   Provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy to use model structures.
guzzlehttp/promises          1.5.1   Guzzle promises library
guzzlehttp/psr7              2.4.0   PSR-7 message implementation that also provides common utility methods
guzzlehttp/uri-template      v1.0.1  A polyfill class for uri_template of PHP

It looks like the fix applied broke things. We cannot update from 2.0.10 to the loco version 2.0.11:

composer update loco/loco:2.0.11 --dry-run -W
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - guzzlehttp/guzzle-services 1.3.1 requires guzzlehttp/guzzle ^7.3 -> found guzzlehttp/guzzle[7.3.0, ..., 7.5.0] but these were not loaded, likely because it conflicts with another require.
    - guzzlehttp/guzzle-services 1.3.2 requires guzzlehttp/guzzle ^7.4.1 -> found guzzlehttp/guzzle[7.4.1, ..., 7.5.0] but these were not loaded, likely because it conflicts with another require.
    - loco/loco 2.0.11 requires guzzlehttp/guzzle-services ~1.3.1 -> satisfiable by guzzlehttp/guzzle-services[1.3.1, 1.3.2].
    - Root composer.json requires loco/loco ^2.0 -> satisfiable by loco/loco[2.0.11].

In my understanding

"guzzlehttp/guzzle-services": "~1.3.1",
"guzzlehttp/psr7": "~2.1|^2.4.0",

should be changed to

"guzzlehttp/guzzle-services": "^1.1",
"guzzlehttp/psr7": "^1.8|^2.1",

Every release gives me problems with this dependency. I get regular requests for tweaks to composer.json which work for individuals, but every time it breaks for someone else.

Please submit a PR for your proposed change and I will merge into master.

Done - #19.

gemal commented

@timwhitlock any chance for a new release with this fix?

This was a blind fix for me. If all three people on this thread can confirm it works I'll make a release.

gemal commented

We installed the latest dev-master and it worked fine for us.

A new release is imminent. Does anyone else on this thread have a problem with the new composer settings?
I'd be grateful if those affected could update master and check. Thanks.