Replace php-http/message-factory #1541
Comments
|
We currently rely on |
|
Hmm, can't we keep this issue open to track this? I'm trying to avoid using abandoned package dependencies. |
It looks like this is a temporary solution anyway as @stayallive said, so I don't understand why the "won't fix" end-of-discussion answer here. Unless I misunderstood the other PR, if anything this will be fix "soon". |
|
For some more context: The Symonfy HTTP Client version 6.2 and below will throw an exception if While this behaviour was removed in 6.3 and up, we can't force people to upgrade to the latest version via the SDK. We already ran into this issue in #1533, which was caused by |
|
Thank you @cleptric for the explanation, I think I understand why this is happening now. In my case, I believe this will be fixed when |
|
Hmm, can't we keep this issue open to track this? I'm trying to avoid using abandoned package dependencies. |
You are not forcing anybody to do anything. People using outdated Symfony versions are free to also keep using older sentry versions that still rely on the abandoned package. |
|
We currently support Symfony HTTP client version 4, 5 and 6. https://github.com/getsentry/sentry-php-sdk/blob/master/composer.json#L25 As I already explained, we cannot enforce the version of the Symfony HTTP client people use, hence versions 4, 5 and all versions prior 6.3 will throw an exception during runtime if we remove https://github.com/php-http/message-factory contains five interfaces and ships no actual implementation. This is a compromise I'm willing to accept for the time being. I'm happy to review a PR if anyone has a better idea. |
|
Can't people just require You even suggested this yourself here. This seems like a much better solution than forcing the abandoned package on everybody else, just because somebody misread the error message.
|
|
Our security/compliance department is unhappy with us for having an abandoned package as a dependency. |
|
We might cut a new major version in the coming weeks that would resolve this. Big emphasis on might, as there are a few constraints that would come with this. |
Same. Unfortunately we've been forced to remove Sentry because of this. |
|
Honestly, I can't understand why a security/compliance department would be so interested in complaining about the deprecation of a package that contains only interfaces and no code to maintain. Anyway, I also don't understand why we can't remove this dependency: from what I've read (I haven't followed the discussion much in the past), the problem was the initialization of the Symfony HTTP client which required the above package to be installed . The best solution in that case was to handle the initialization gracefully, not add a package that we're not even using directly (unless I'm blind) |
|
@ste93cry Most security scanning is automated nowadays. Personally I think this should be taken care of by the package that's using the deprecated dependency, rather than asking consumers of the package to add exceptions to their security pipelines. Just my opinion though. |
|
any progress here? :-) |
|
Yep, this was already fixed in the next major version of the SDK. |
What version is that? And when will it be released? Also, what is the workaround while we wait? Obviously removing sentry from my project would work but that seems like throwing the baby out with the bath water... |
|
FYI for anyone who cannot or does not want to ignore the abandoned package warnings from Composer while waiting for the next major release of the Sentry SDK: If you are not using Symfony < 6.3, and you have no other packages or code depending on "replace": {
"php-http/message-factory": "*"
},Next, run: $ composer update php-http/message-factoryThis uses Composer's replace feature to let Composer conclude that the dependency on Obviously this will break things if your code (or any of your other dependencies) actually uses any of the interfaces provided by To make sure none of your dependencies depend on the package use $ composer why php-http/message-factoryIf only Nevertheless, don't forget to remove the |
|
@abhibeckert We aim for a release later this week/early next week. This will, however, only affect users who don't use our Symfony/Laravel SDK, as we will need to cut new majors there as well. |
|
4.0.0 shipped and removed |
|
I still think you should release the PR I prepared for version |
This is exactly the reason why I haven't merged this yet. |
|
I was cautious, but if you read the description of the PR you will see that it's not possible to install the SDK with a version of the framework that does not support the required HTTP client. |
|
We released version 4.0.0 of our Laravel SDK, which includes the version bump to 4.0.0 of the PHP SDK, hence it does not require |
|
Sorry for the confusion, we shall keep this open until getsentry/sentry-symfony#783 is finished. |
|
With the release of version 5.0.0 of our Symfony SDK, all current versions of our PHP SDKs do not longer require |
How do you use Sentry?
Sentry Saas (sentry.io)
Version
3.19.0
Steps to Reproduce
Execute
composer require sentry/sentry.Expected Result
I expect
psr/http-factoryis used and no warning appears.Actual Result
The text was updated successfully, but these errors were encountered: