Problem/Motivation

guzzlehttp/psr7 has a 2.12.1 release with an SA: https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432.

As of this writing on 2026-06-18, the SA has not yet been picked up by Packagist (404 for https://packagist.org/security-advisories/GHSA-vm85-hxw5-5432, no entry in https://packagist.org/api/security-advisories/?packages[]=guzzlehttp/psr7), but in anticipation of that and composer-enforced security blocking, we should update.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3603733

Comments

godotislate created an issue. See original summary.

godotislate

Issue summary: changed

godotislate

So there's a 2.12.1 security release now: https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432, so going to update branches to that.

godotislate

The deprecations are actually coming from within the guzzle client itself. Resolving those would involve updating guzzlehttp/guzzle (and guzzlehttp/promises), which is probably out of scope here since it's likely this will need to be backported for the security updates. For now, suppressing the deprecations.

We can update guzzlehttp/guzzle in a follow up for main and 11.x (and maybe 11.4?).

godotislate

Title: Update guzzlehttp/psr7 to the same version in main and 11.x » Update guzzlehttp/psr7 to 2.12.1
Issue summary: changed

godotislate

Status: Active » Needs review

MRs for main, 11.x, 11.4.x up. I explored going forward with updating guzzlehttp/guzzle for main, but while that fixed the deprecations in guzzlehttp/psr7, it introduced deprecations in Drupal test code because of the use of getConfig(): https://github.com/guzzle/guzzle/issues/2514, so going to kick that to a follow up after all.

MRs for 11.3.x and 10.6.x up as well if we want to do patch releases for them. The SA is not on Packagist yet, but we could possibly have the commits ready for a patch release in preparation.

godotislate

Issue summary: changed

godotislate

There's been discussion on Slack, based on #3599842-48 (guzzlehttp/psr7 needs to be updated to >2.10.2 to fix 2 security issues), about whether to relax the core/composer.json constraint back to what it was before the security updates, while leaving the core-recommended and composer.lock changes in place.

godotislate

OK, relaxed the constraints for 11+ to ^2.8.0 and 10.6.x to ^2.4.5, which is what they were before the recent updates.
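Two things in this issue are worth being able to check mechanically: whether the pinned guzzlehttp/psr7 in composer.lock falls inside the affected range once the advisory lands on Packagist (the check the issue summary describes doing by hand), and whether the relaxed core/composer.json constraints (^2.8.0 for 11+, ^2.4.5 for 10.6.x) still admit the fixed 2.12.1. The following is an added example, not code from the issue, from Drupal or from Composer. It assumes the Packagist security-advisories API returns an `advisories` object keyed by package name whose entries carry an `affectedVersions` Composer range (that shape is an assumption; the advisory body and the composer.lock fragment are constructed), and it implements only the subset of Composer's constraint syntax used here (`>=`, `<`, `,` for AND, `|` for OR, and `^`), not Composer's full semver library.

```python
import json
import re

# Constructed sample of the Packagist advisories response for guzzlehttp/psr7.
# Only the GHSA id and the 2.12.1 fix version come from the issue; the rest is made up.
PACKAGIST_RESPONSE = json.dumps({
    "advisories": {
        "guzzlehttp/psr7": [
            {
                "advisoryId": "PKSA-constructed-0001",  # constructed id
                "packageName": "guzzlehttp/psr7",
                "remoteId": "GHSA-vm85-hxw5-5432",
                "link": "https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432",
                "affectedVersions": ">=2.0.0,<2.12.1",  # assumed range, not from the advisory
            }
        ]
    }
})

# Constructed composer.lock fragment: psr7 still on the pre-fix pin.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/psr7", "version": "2.10.2"},
        {"name": "example/unrelated", "version": "1.0.0"},  # constructed package
    ]
})

_TERM = re.compile(r"^(>=|<=|!=|==|>|<|=)?\s*v?(\d+(?:\.\d+)*)$")


def version_tuple(version):
    """'v2.12.1' -> (2, 12, 1); missing components are padded with zeros."""
    parts = [int(p) for p in version.lstrip("v").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def _term_matches(term, v):
    """Evaluate one constraint term (e.g. '<2.12.1' or '^2.8.0') against a version tuple."""
    term = term.strip()
    if term.startswith("^"):
        # Caret: >= given version, < next major (next minor while major is 0).
        lo = version_tuple(term[1:])
        hi = (lo[0] + 1, 0, 0) if lo[0] > 0 else (0, lo[1] + 1, 0)
        return lo <= v < hi
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    op, ver = m.group(1) or "==", version_tuple(m.group(2))
    return {">=": v >= ver, "<=": v <= ver, ">": v > ver, "<": v < ver,
            "==": v == ver, "=": v == ver, "!=": v != ver}[op]


def satisfies(version, constraint):
    """True if `version` is inside the Composer-style `constraint` (',' = AND, '|' = OR)."""
    v = version_tuple(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        terms = [t for t in re.split(r"\s*,\s*|\s+", alternative) if t]
        if terms and all(_term_matches(t, v) for t in terms):
            return True
    return False


def affected_advisories(lock_json, advisories_json):
    """Map installed package -> advisory ids whose affectedVersions cover the locked version."""
    installed = {p["name"]: p["version"] for p in json.loads(lock_json)["packages"]}
    hits = {}
    for pkg, advisories in json.loads(advisories_json)["advisories"].items():
        if pkg not in installed:
            continue
        for adv in advisories:
            if satisfies(installed[pkg], adv["affectedVersions"]):
                hits.setdefault(pkg, []).append(adv["remoteId"])
    return hits


if __name__ == "__main__":
    print("affected:", affected_advisories(COMPOSER_LOCK, PACKAGIST_RESPONSE))
    for constraint in ("^2.8.0", "^2.4.5"):
        print(f"2.12.1 satisfies {constraint}:", satisfies("2.12.1", constraint))
```

The point of the relaxed constraints is visible in the last two lines: `^2.8.0` and `^2.4.5` both admit 2.12.1, so the lock file can carry the fix while core/composer.json keeps the pre-update floor. In practice `composer audit` (and, once the advisory is on Packagist, the `block-security-advisories` audit setting) does this check against the real API; this script only shows what that comparison amounts to.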