
Require dependencies block Drupal update

Open benconda opened this issue 3 years ago • 4 comments

Hello,

I have a problem updating a Drupal website to the latest version (9.2.x) due to the fixed version of some of this package's dependencies:

Problem 1
- Root composer.json requires drupal/core-recommended 9.2.4 -> satisfiable by drupal/core-recommended[9.2.4].
- You can only install one version of a package, so only one of these can be installed: guzzlehttp/psr7[dev-master, 1.0.0, ..., 1.x-dev, 2.0.0-beta1, 2.0.0-rc1, 2.0.0].
- okta/sdk 1.3.0 requires guzzlehttp/psr7 1.7.0 -> satisfiable by guzzlehttp/psr7[1.7.0].
- drupal/core-recommended 9.2.4 requires guzzlehttp/psr7 1.8.2 -> satisfiable by guzzlehttp/psr7[1.8.2].
- okta/sdk is locked to version 1.3.0 and an update of this package was not requested.

I see that your last commit should fix it.

Do you know when the release will be done? It prevents us from applying a critical security update.

Thank you

benconda, Aug 20 '21 08:08

Hi

okta/sdk 1.3.0 has a dependency "guzzlehttp/psr7": "1.7.0", see: https://github.com/okta/okta-sdk-php/blob/1.3.0/composer.json#L23

This precludes guzzlehttp/psr7 1.8 from being used (https://github.com/guzzle/psr7/blob/1.8.3/CHANGELOG.md)

A workaround is to install using an alias:

composer require "guzzlehttp/psr7:1.8.3 as 1.7.0"

There might be a very good reason for guzzlehttp/psr7 being locked at 1.7.0 in okta/sdk, but if not it would be great if the maintainers could push out a 1.3.1 release with the requirement at ^1.7.0 🙏🏽

If a project needs guzzlehttp/psr7 at 1.7.0 it can lock that in as a root requirement.

Thanks James

JamesDPC, Nov 23 '21 23:11

Is it possible for a maintainer to look at this? It's a trivial change.

JamesDPC, Jan 18 '22 03:01

guzzlehttp/psr7 <= 1.8.3 has a recent Security Advisory, see https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96 (Improper Input Validation in guzzlehttp/psr7).

@laurarodriguez-okta I saw your response in another issue here; is it possible to get the restriction on 1.7.0 removed and a new release tagged? Does it require a PR?

This change has already been done in the develop branch but would need to be updated to ^1.8.4: https://github.com/okta/okta-sdk-php/blob/develop/composer.json#L23

JamesDPC, Mar 24 '22 08:03

Given this repo has been placed into "security patch only mode", the locking of "guzzlehttp/psr7" at "1.7.0" should be fixed under that? See the Security Advisory note above.

Having to use an alias in a project (guzzlehttp/psr7:1.8.5 as 1.7.0) is a temporary solution only.

Could the maintainers drop a 1.4.0 release with an updated/looser guzzlehttp/psr7 constraint? 🙏🏽

JamesDPC, May 23 '22 05:05
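The thread turns on two things: an exact pin ("1.7.0") versus a caret range ("^1.7.0") in composer.json, and whether the guzzlehttp/psr7 version a project actually locks is older than the advisory's patched release (^1.8.4 as stated above). The following script is an added example, not code from this thread or from the okta-sdk-php project: it implements a minimal check for those two Composer constraint forms and scans a constructed composer.lock excerpt (the package list is made up for the example) for a guzzlehttp/psr7 version below 1.8.4. The helper names (satisfies, locked_version, psr7_below_patched) and the PATCHED_PSR7 constant are this example's own.

```python
"""Added example (not from the GitHub thread or okta-sdk-php): check Composer
constraint forms from the thread and flag a composer.lock whose guzzlehttp/psr7
is older than the release that carries the advisory fix."""
import json
import re

# Constructed composer.lock excerpt (not a real lock file): an application
# that applied the alias workaround from the thread and so locks psr7 1.8.3.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "okta/sdk", "version": "1.3.0"},
        {"name": "guzzlehttp/psr7", "version": "1.8.3"},
        {"name": "drupal/core-recommended", "version": "9.2.4"},
    ],
    "packages-dev": [],
})

# First release the thread names as carrying the fix ("^1.8.4").
PATCHED_PSR7 = "1.8.4"


def parse_version(v):
    """Turn '1.8.3' (optionally prefixed with 'v') into a comparable tuple."""
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v)
    if not match:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(part) for part in match.groups())


def satisfies(version, constraint):
    """Minimal Composer constraint check covering the two forms in the thread:
    an exact pin ('1.7.0') and a caret range ('^1.7.0' means >=1.7.0 <2.0.0).
    Other Composer operators are deliberately not handled here."""
    ver = parse_version(version)
    if constraint.startswith("^"):
        low = parse_version(constraint[1:])
        high = (low[0] + 1, 0, 0)  # caret: up to the next major version
        return low <= ver < high
    return ver == parse_version(constraint)


def locked_version(lock_json, package):
    """Return the version a composer.lock records for `package`, or None."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def psr7_below_patched(lock_json):
    """True if the locked guzzlehttp/psr7 is older than PATCHED_PSR7."""
    version = locked_version(lock_json, "guzzlehttp/psr7")
    if version is None:
        return False
    return parse_version(version) < parse_version(PATCHED_PSR7)


if __name__ == "__main__":
    # Why the exact pin blocks the Drupal update: 1.8.2 fails "1.7.0"
    # but passes "^1.7.0".
    for candidate in ("1.7.0", "1.8.2", "1.8.5", "2.0.0"):
        print(f"{candidate}: exact 1.7.0 -> {satisfies(candidate, '1.7.0')}, "
              f"caret ^1.7.0 -> {satisfies(candidate, '^1.7.0')}")
    print("psr7 below patched release:", psr7_below_patched(SAMPLE_LOCK))
```

Running it against a real project's composer.lock (read the file instead of SAMPLE_LOCK) is a quick way to confirm that the alias workaround has not left an unpatched psr7 in place; the caret check only covers the "^" and exact forms discussed here, so extend it before relying on it for other Composer operators.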