Update Laminas components including Diactoros

Here we go...

Oops. This suffers from the same problem described here #3104353: Upgrade to Guzzle 7

Following the instructions in https://www.drupal.org/node/3089540, from a fresh checkout:

$ composer install
$ curl https://www.drupal.org/files/issues/2020-01-06/3104354-2.patch | patch -p1
$ COMPOSER_ROOT_VERSION=9.0.x-dev composer update drupal/core zendframework/zend-diactoros

Resulting patch attached.

This is Diactoros, not Doctrine

> Update Doctrine to 2.1 » Update Diactoros to 2.1

Oh, this makes much more sense now, I was very confused about the multiple doctrine update issues ;)

Thanks, @longwave. This is more like what I expected.

$ composer-lock-diff --no-links
+------------------------------+-------+-------+
| Production Changes           | From  | To    |
+------------------------------+-------+-------+
| zendframework/zend-diactoros | 1.8.7 | 2.2.1 |
| psr/http-factory             | NEW   | 1.0.1 |
+------------------------------+-------+-------+

So the only side-effect is the addition of psr/http-factory, which is literally just interfaces and seems reasonable to me. But I'll let someone more knowledgeable in the matter RTBC this.

When we add a new dependency, we need to vet it (and all of its dependencies, if any). You can find an example in #3036210: Add justinrainbow/json-schema as a composer dependency so JSON:API can use it to validate its responses.

psr/http-factory is the set of interfaces required for the PSR-17 HTTP Factories standard, provided and maintained by PHP-FIG and documented at https://www.php-fig.org/psr/psr-17/. It has no dependencies other than PHP 7 and psr/http-message:^1.0 (which is already a dependency of three other packages we use). It is not expected to receive any updates, security or otherwise.

@longwave That's what I figured — but it's that kind of information that needs to be added to the issue summary to make it crystal clear for any community member to discover, and especially for framework managers and core committers :)

Updated IS.

I added psr/http-factory and psr/http-messages to the core dependency page, but I couldn't find any publicly posted details on release cycles and security policies. So I left those cells blank and asked about them on the PHP-FIG mailing list. I'll add the missing details as soon as they're provided.

I received the following response and updated the core dependency page:

PSR specs basically don't change at all. Sometimes we release a .z release to fix a comment typo or something like that, but that's about it.

We just recently approved a new process to release BC or almost entirely BC versions of an interface. So far it's not been used, although I am trying it out with PSR-13. Any new releases there would follow semver very conservatively.

We don't really have a security release process for them, as they're just interfaces.

The util packages might. For those... we don't really have a formal process right now. We might want to look into that at some point, but as the code is generally just the boring mundane stuff the odds of there being a security issue in one of those is slim.

--Larry Garfield

#3104015: Replace ZendFramework/* dependencies with their Laminas equivalents, which looks like it will remove Diactoros altogether, should render this issue obsolete.

@xjm, I'll add more detail to the dependencies page.

Oh, I was imprecise. I meant that zendframework/zend-diactoros is removed, being replaced by laminas/zend-diactoros. But you're right, @xjm: the version won't be updated in the other issue, so we'll still need to do this.

Re: #15, I expanded the Core dependency documentation page to include the details from #14.

The laminas issue has landed - we can now upgrade the laminas components here.

$ composer-lock-diff --no-links
+---------------------------+-------+-------+
| Production Changes        | From  | To    |
+---------------------------+-------+-------+
| laminas/laminas-diactoros | 1.8.7 | 2.2.2 |
| psr/http-factory          | NEW   | 1.0.1 |
+---------------------------+-------+-------+

We actually get 2.2 here!

As there are no code changes here can we update all the laminas components here? Doing updates one component at a time feels very piecemeal.

The Zend bridge can go up by a point release, but the rest are already at their latest versions (double checked at GitHub that there are no new major versions)

$ COMPOSER_ROOT_VERSION=9.0.x-dev composer update drupal/core laminas/laminas-diactoros laminas/laminas-escaper laminas/laminas-feed laminas/laminas-stdlib laminas/laminas-zendframework-bridge
...
$ composer-lock-diff --no-links
+--------------------------------------+-------+-------+
| Production Changes                   | From  | To    |
+--------------------------------------+-------+-------+
| laminas/laminas-diactoros            | 1.8.7 | 2.2.2 |
| laminas/laminas-zendframework-bridge | 1.0.0 | 1.0.1 |
| psr/http-factory                     | NEW   | 1.0.1 |
+--------------------------------------+-------+-------+

@longwave yep I've just looked at composer show -i and https://framework.zend.com/long-term-support (still the easiest place to see the latest version numbers) and you're right. Nice one.

I've updated the issue summary to be more specific about which diactoros is being updated.

Needs a re-roll (probably due to the PHP 7.3 patch).

Back to RTBC (but waiting for the bot to come back green).

@xjm #30 is correct - this has been seen before - that part of the diff is part of the composer/composer info in the lock file. We're removing the bin directory from composer in \Drupal\Composer\Plugin\VendorHardening\Config::$defaultConfig so there's nothing to link so vendor/bin doesn't contain composer. So I think it is fine to remove it - it's meaningless and if it comes back it doesn't really matter either. I've tried regenerating the patch and this is always getting removing using the latest stable version of composer. So I'd leave this removal in - it's not going to cause problems.