Require patched Guzzle and PSR-7 versions by GrahamCampbell · Pull Request #437 · php-opencloud/openstack · GitHub

Require patched Guzzle and PSR-7 versions #437

Merged: k0ka merged 1 commit into php-opencloud:master from GrahamCampbell:gc/require-patched-guzzle-psr7 on Jun 1, 2026

@GrahamCampbell

Contributor

Security hardening. Versions that exist before GuzzleHttp\Psr7\Utils have CVEs published for them, and our PSR-7 v3 library will have breaking changes, so you will want to control when the upgrade to that is allowed.

@k0ka

k0ka commented May 24, 2026

Member

@GrahamCampbell

Contributor Author

I don't agree. Moreover, allowing PSR-7 v3 would cause real issues. If people really want to use super old insecure code, Composer will still let them do it by resolving an older version of your library, or by pretending their older version of Guzzle is a newer version using the `as` syntax.

@GrahamCampbell

Contributor Author

It is very common for people to bump versions of dependencies in patch and minor releases across the PHP ecosystem, both among packages that claim they follow semver, but do a bad job, and those that actually follow it well.

@k0ka k0ka merged commit 8b0aa94 into php-opencloud:master Jun 1, 2026
16 checks passed
@k0ka

k0ka commented Jun 1, 2026

Member

Ok, let's try it.
Thanks for PR.

@k0ka k0ka removed the next release label Jun 1, 2026
@GrahamCampbell GrahamCampbell deleted the gc/require-patched-guzzle-psr7 branch June 1, 2026 17:03
@GrahamCampbell

Contributor Author

:shipit:

@GrahamCampbell

GrahamCampbell commented Jun 1, 2026

Contributor Author
