Drop PHP 7.1 support; tighten phpunit constraint (closes Dependabot alert)#608
Open
JayBizzle wants to merge 1 commit into
Open
Drop PHP 7.1 support; tighten phpunit constraint (closes Dependabot alert)#608JayBizzle wants to merge 1 commit into
JayBizzle wants to merge 1 commit into
Conversation
Closes the open Dependabot alert on phpunit/phpunit (GHSA-vvj3-c3rp-c85p — unsafe deserialization in PHPT code coverage handling, fixed in 8.5.52). The previous require-dev constraint `^4.8|^5.5|^6.5|^7.5|^8.5.52|^9.4` still let composer resolve a vulnerable phpunit on PHP 7.1, because 8.5.52 needs PHP 7.2+. Changes: - composer.json: phpunit/phpunit narrowed to `^8.5.52|^9.4`. - composer.json: runtime requirement bumped from `>=7.1.0` to `>=7.2.0` to reflect that we no longer test or attest PHP 7.1. PHP 7.1 has been EOL since December 2019. - test.yml: PHP 7.1 dropped from the matrix. src/ does not use any PHP 7.2+ syntax, so the library itself is unaffected. Existing 7.1 installs simply won't pull the new release. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the open Dependabot alert on
phpunit/phpunit(GHSA-vvj3-c3rp-c85p — unsafe deserialization in PHPT code coverage handling, fixed in8.5.52).The previous
require-devconstraint^4.8|^5.5|^6.5|^7.5|^8.5.52|^9.4still let composer resolve a vulnerable phpunit on PHP 7.1, because8.5.52requires PHP 7.2+. To actually close the alert we need to stop testing on 7.1 — and to be honest about that, the runtime constraint should move too.Changes
composer.json:phpunit/phpunitnarrowed to^8.5.52|^9.4.composer.json: runtimephpbumped from>=7.1.0to>=7.2.0. PHP 7.1 has been EOL since December 2019..github/workflows/test.yml: PHP 7.1 dropped from the matrix.Release versioning
I'd tag the resulting release as
v1.4.0(minor bump from currentv1.3.11). The library's public API andsrc/are untouched — no 7.2+ syntax in use — so this isn't strictly a breaking change for code. The composer constraint bump is the policy change being signalled; existing PHP 7.1 installs simply won't pullv1.4.0from packagist.Test plan
vendor/bin/phpunitgreen locally on PHP 8.4 (19 tests, 2,274,786 assertions)composer update --dry-runresolvesphpunit/phpunitto9.6.34(above the 9.6.33 patched cutoff)🤖 Generated with Claude Code