Calvin Alkan

`There is no installed package depending on "guzzlehttp/psr7"` please have a look at the reproducer repo I created. I documented all steps to reproduce this. https://github.com/calvinalkan/composer-bug

@Seldaek what if codeception drops the dependency on guzzle? Then all of a sudden composer install would fail and you would have a really hard time tracking down why.

What is the reasoning behind the HMAC ? Just use libsodium to generate a random key on activation and write it to wp-config. wp_salt must not be used here as...

It might not be possible to write to it on some hosts. That should not compromise the security of the majority. But regardless, hashing the key does not seem to...

Any reason not to use https://paragonie.com/book/pecl-libsodium/read/04-secretkey-crypto.md ?

> Secretbox is secure encryption, but not AEAD. > > AEAD lets you authenticate both some encrypted data _and_ additional data. This lets you bind an encrypted value to some...

> Correct. That's why we want AEAD instead of just authenticated encryption. I don't think this will work since it seems that the plugin does not have a build step...

@Naktibalda https://github.com/symplify/monorepo-builder This hoists all vendor deps to the root codeception.yml

@Naktibalda Why is that relevant tho? Do you think that this is a bug, if yes Ill create a PR.

@DavertMik sure, I'm still finding some bugs related to multi-app setups. I suppose they are also present in v5. Would submitting a PR to 4.X work for you and you...