
Bump league/oauth2-server to a version that supports PHP 8.0 whilst statically installed
Open, Needs Triage, Public

Description

league/oauth2-server depends on lcobucci/jwt; we currently use dev-v9.0.0-alpha as 9.0.0 (!) which depends on lcobucci/jwt ^3.4||^4.0. We have v3.4.0 installed, which supports ^5.6||^7.0. There are later 3.x releases, but no support increases. v4.0.0 supports ^7.4||^8.0.

We don't have a way to support both the 3.4 version that supports 7.2 and the 4.0 version that supports 8.0, so it's unclear how we'd fix this.

Event Timeline

Jdforrester-WMF renamed this task from Bump lcobucci/jwt to a version that supports PHP 8.0 (or replace it) to Bump league/oauth2-server to a version that supports PHP 8.0 whilst statically installed. Apr 10 2021, 8:36 PM
Jdforrester-WMF updated the task description.

We don't pin lcobucci/jwt in OAuth ourselves, so that's not an issue... For third party users, in theory, just letting composer resolve that should be fine.

The problem is when we want to migrate/support multiple PHP versions in WMF production and therefore in MediaWiki Vendor (and depending on what we set the min in MW for too).

I guess we can ignore platform requirements for a while... the 3.4 version is more likely (but not guaranteed) to work on newer PHP (maybe some polyfills to explore? ugh), rather than 4.0 on older PHP. Would indeed require some testing.

It could be something to discuss Upstream about some 3.x release to help us... Maybe...

https://packagist.org/packages/league/oauth2-server#8.3.3 has lcobucci/jwt: ^3.4.6 || ^4.0.4

> We don't have a way to support both the 3.4 version that supports 7.2 and the 4.0 version that supports 8.0, so it's unclear how we'd fix this.

I think we now wait for T271736: Migrate WMF production from PHP 7.2 to PHP 7.4/T261872: Drop PHP 7.2 & 7.3 support from MediaWiki master branch, once Wikimedia production is on 7.4...

Then we can just use lcobucci/jwt 4.0.4 or higher
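The version-constraint arithmetic behind the task description and the comments above (Composer caret ranges, `||` alternatives, and why no single lcobucci/jwt release covers both PHP 7.2 and PHP 8.0, while 4.0.x does cover 7.4 and 8.0), as an added Python example. It is not code from this task, from MediaWiki or from Composer; the constraint strings are the ones quoted in this task, re-entered as constructed sample data, and the PHP constraint listed for lcobucci/jwt 4.0.4 is assumed to be unchanged from 4.0.0. The evaluator implements only a subset of Composer's constraint grammar, which is enough for these strings.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constraint strings quoted in this task, re-entered as constructed sample data
# (not read from any real composer.json / composer.lock).
JWT_PHP_SUPPORT: Dict[str, str] = {
    "3.4.0": "^5.6||^7.0",
    "3.4.6": "^5.6||^7.0",   # later 3.x releases add no further PHP support (per the task)
    "4.0.0": "^7.4||^8.0",
    "4.0.4": "^7.4||^8.0",   # assumed unchanged from 4.0.0
}
OAUTH2_SERVER_JWT_CONSTRAINT: Dict[str, str] = {
    "dev-v9.0.0-alpha": "^3.4||^4.0",
    "8.3.3": "^3.4.6 || ^4.0.4",
}


def parse_version(text: str) -> Version:
    """'v7.2' -> (7, 2, 0); a missing minor or patch component defaults to 0."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups(default="0"))
    return (major, minor, patch)


def caret_bounds(base: Version) -> Tuple[Version, Version]:
    """Composer caret: ^X.Y.Z means >=X.Y.Z <(X+1).0.0; ^0.Y.Z means >=0.Y.Z <0.(Y+1).0."""
    major, minor, _ = base
    if major > 0:
        return base, (major + 1, 0, 0)
    return base, (0, minor + 1, 0)


def _matches_term(v: Version, term: str) -> bool:
    """Evaluate one AND-term: a caret range, a comparison, or an exact version."""
    if term.startswith("^"):
        low, high = caret_bounds(parse_version(term[1:]))
        return low <= v < high
    m = re.match(r"(>=|<=|>|<|=)?(.+)", term)
    op, bound = m.group(1) or "=", parse_version(m.group(2))
    return {"=": v == bound, ">=": v >= bound, ">": v > bound,
            "<=": v <= bound, "<": v < bound}[op]


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` meets a Composer-style constraint.

    Handled subset: caret ranges, comparison operators written without a space
    ('>=7.2'), exact versions, '||' for OR, whitespace or comma for AND.
    Tilde ranges, wildcards and stability flags are deliberately not supported.
    """
    v = parse_version(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint):
        terms = [t for t in re.split(r"[\s,]+", alternative) if t]
        if terms and all(_matches_term(v, t) for t in terms):
            return True
    return False


def jwt_releases_supporting(php_versions: List[str]) -> List[str]:
    """lcobucci/jwt releases whose declared PHP constraint covers every listed PHP version."""
    return [jwt for jwt, php_constraint in JWT_PHP_SUPPORT.items()
            if all(satisfies(php, php_constraint) for php in php_versions)]


def jwt_releases_accepted_by(oauth2_server_version: str) -> List[str]:
    """lcobucci/jwt releases allowed by the given league/oauth2-server release's constraint."""
    constraint = OAUTH2_SERVER_JWT_CONSTRAINT[oauth2_server_version]
    return [jwt for jwt in JWT_PHP_SUPPORT if satisfies(jwt, constraint)]


if __name__ == "__main__":
    # No jwt release spans PHP 7.2 and 8.0, which is the blocker described in the task.
    print("PHP 7.2 + 8.0:", jwt_releases_supporting(["7.2", "8.0"]))
    # Once production is on 7.4, the 4.0.x line covers both 7.4 and 8.0.
    print("PHP 7.4 + 8.0:", jwt_releases_supporting(["7.4", "8.0"]))
    # The installed 3.4.0 is not accepted by oauth2-server 8.3.3's tightened constraint.
    print("accepted by oauth2-server 8.3.3:", jwt_releases_accepted_by("8.3.3"))
```

The three printed lines reproduce the reasoning in the thread: the PHP constraints of the 3.x and 4.x lines do not overlap at 7.2 and 8.0, 4.0.x covers 7.4 and 8.0, and oauth2-server 8.3.3 requires at least jwt 3.4.6 or 4.0.4, so the statically installed 3.4.0 would not satisfy it either.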

Just noting this is also interfering with security backports to the REL1_* branches now. See specifically:

  1. https://gerrit.wikimedia.org/r/q/I789fb7384d89fbf42df22dc7b1953fb9087d95b1
  2. https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/839471
  3. https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/839469
  4. https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/839459

The above are probably ok to force-merge, given their simplicity and not being directly related to the issue at all. But this obviously isn't a great situation.