Overall this looks good, and no major issues were found other than what is listed below. As long as schema locations are validated and/or limited to known locations, this should be fine.
- Code is well-commented and well-documented
- Upstream project remains under active development
- Library may be used to make requests to arbitrary URLs, if user-supplied input is used directly to determine schema locations
Configuration and Use Recommendations
Avoid loading of remote files, and remote reference resolution if possible. If this is required functionality, use the JsonSchema\Uri\Retrievers\Curl and ensure that reference resolution is limited to prevent DoS via recursive expansion. Validate input supplied as schema locations to prevent arbitrary requests via UriRetrievers.