Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I ran into a compatibility issue between Zend Diactoros and Symfony psr-http-message-bridge as pointed out in #3045306-6: Paypal payment fails with InvalidArgumentException in MessageTrait .
Either Diactoros should stay at 1.8.5 or Symfony psr-http-message-bridge should be upgraded to 1.2.0. However psr-http-message-bridge 1.2.0 requires PHP 7.1, hence it was not installed on my php 7.0 Debian 9 (stable) box.
So I would see three solutions:
- ❌
Pin Diactoros to 1.8.5. - ✅
Create an alternative version of psr-http-message-bridge (eg. 1.1.2) which would fix the issue but not require php 7.1.Done — see #8. - ❌
Or a very harsh measure: have Drupal require php 7.1. (it is EOL, but still part of eg. Debian Stable)
What is the preferred Drupal way in this? I'd be happy to relay this issue to the psr-http-message-bridge repo.
Comment | File | Size | Author |
---|---|---|---|
#18 | 3045483-17-8.8.x.patch | 576 bytes | Wim Leers |
#18 | 3045483-17-8.7.x.patch | 597 bytes | Wim Leers |
#10 | 3045483-10.patch | 576 bytes | Wim Leers |
Comments
Comment #2
alexpottI think we should try to fix this upstream. I think we need to change line from
to
Comment #3
mikelutzhttps://github.com/symfony/psr-http-message-bridge/pull/64 . There's the started (not by me) PR
https://github.com/symfony/psr-http-message-bridge/commit/8592ca33533224... . There's a conversation about it
Comment #4
alexpottThere is an upstream issue already - see https://github.com/symfony/psr-http-message-bridge/pull/64@mikelutz got there first :)
We should update the issue summary to say that that is the preferred solution.
Comment #5
alexpottSo https://github.com/symfony/psr-http-message-bridge/pull/64 is now merged upstream so we're waiting on a release.
Comment #6
RandomNeighbour CreditAttribution: RandomNeighbour commentedComment #7
RandomNeighbour CreditAttribution: RandomNeighbour commentedGreat! Thanks for commenting at the PR @alexpott. Seems they merged it quickly after that.
Comment #8
alexpottAlso a new release has been tagged too! https://github.com/symfony/psr-http-message-bridge/tree/v1.1.2 is out.
I think we should add a conflicts to core/composer.json for 1.1.1 and be done here.
Comment #9
jibran#3039611-27: Update core PHP dependencies for 8.8.x is discussing the same issue. Thanks, for creating the issue.
Comment #10
Wim Leers#8: I think alternatively we can require
^1.1.2
?This patch does that. Interestingly, our
composer.lock
already lists 1.1.2 since #3045967: Update Symfony components (3.4.24) and Twig (1.38.4) to latest bugfix release! 🤔Comment #11
Wim LeersComment #12
mikelutz@Wim -
There are a few additional discrepancies where our composer.lock has higher versions than the composer.json minimum, a few of which also cause problems if someone does a composer downgrade as shown in #3044175: [DO NOT COMMIT] Vendor minimum testing issue
I wonder if it would be best to create an issue to attempt to address all of them at once (including running the min/max testings on all 3 currently supported php versions and making sure we aren't missing anything else)
The examples above and the two min/max issues only test for full min/max vendor versions. This example in this thread requires one library at composer minimum and another not at composer minimum, and there isn't much we can do about that in drupal. The conflict here ideally should have been resolved with dependency management in either diactros or message bridge, but there isn't much we can do about it now other than set our minimums for both above the problem versions. We can't realistically test every allowed vendor version combination, unfortunately.
Comment #13
Wim LeersThanks for that background information, @mikelutz! Very helpful :)
That being said, what you're describing is only tangentially related to this issue. The only reason I even brought it up is because core committers would and should expect that this patch also updates
composer.lock
, but it does not. Because that already happened elsewhere — be that by accident or not, it does not matter. What matters is that that means the scope of changes made by this patch is even smaller!Any reason we shouldn't RTBC and commit this?
Comment #14
Wim LeersComment #15
Wim LeersComment #16
Wim Leers@alexpott indicated that @mikelutz would hopefully RTBC this, so assigning to him :)
Comment #17
mikelutzYes, this is an obvious oversight. It should be backported to 8.7 as well, but will need a new patch due to recent composer changes in 8.8.
Comment #18
Wim LeersOf course, done. The 8.7
composer.lock
already lists 1.1.2 as well, so there too we only have to updatecomposer.json
.Comment #19
jibranWe can also pin
"zendframework/zend-diactoros": "<=1.7.2"
see #3039611-36: Update core PHP dependencies for 8.8.xComment #20
jibranIs this a duplicate of #2989631: Update zend-framework component dependencies?
Comment #21
Wim Leers#19: that would prevent future updates, which would move us to a less future-compatible place?
#20: AFAICT
symfony/psr-http-message-bridge
<1.1.2 is incompatible withzendframework/zend-diactoros
>1.8.5 and #2989631: Update zend-framework component dependencies bumps the minimum to 1.8.6.This issue is not about updating, it's only about fixing a compatibility issue. hence the tiny scope.
Comment #22
alexpottCommitted c7ad1c7 and pushed to 8.8.x. Thanks!
I agree that we probably should backport this to 8.7.x as our dependencies are currently incorrect and if you install with prefer lowest you can end up with a broken site but I'm going to ping a release manager before backporting.
Comment #24
alexpottDiscussed with @catch and agreed to backport.
Committed 321576f and pushed to 8.7.x. Thanks!
Comment #27
xjmCherry-picked to 8.7.x. Edit: now I see why the cherry pick gave strange messages. Sorry, I got pinged about this issue in a different channel and cross-posted. Harmless I think; just noise in the commit log.
Comment #29
xjmI should have noticed this before, but... When we change dependency constraints we should mention it in the release notes, especially for patch releases where this is an unusual occurrence. I wrote a release note for this, but for the future, any changes to
composer.json
andcomoposer.lock
are worth considering for release notes. Especially when it's a minor update in a patch release as in this issue.