Page MenuHomePhabricator

A composer dependency of OAuth extension contains PHP 8.0 syntax
Open, Needs TriagePublicBUG REPORT

Description

List of steps to reproduce (step by step, including full links if applicable):

What happens?:

/OAuth/vendor/lcobucci/clock/src/SystemClock.php:13 contains the constructor property promotion syntax, so the extension is not compatible with PHP versions older than 8.0.

What should have happened instead?:

There should be no PHP 8.0 syntax because the support of PHP 7.x is not dropped.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc.:

REL1_37

Event Timeline

lcobucci/clock isn't specifically pinned... So I'm guessing ext-dist is running PHP 8?

Possibly related to T293055: Switch extdist to Bullseye and composer Debian package ?

We can pin lcobucci/clock rather lcobucci/jwt (which requires lcobucci/clock, but only in require from version 4.0) to 2.0.0 as that supports PHP 7.4, and as such on release branches is perfectly fine.

https://packagist.org/packages/lcobucci/clock#2.0.0
https://packagist.org/packages/lcobucci/clock#2.1.0

This doesn't actually solve it for master, as master needs to support PHP 7.2, but meh there.

Change 789953 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_37] composer.json: Explicitly pin lcobucci/clock to ~2.0.0

https://gerrit.wikimedia.org/r/789953

Change 789954 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_38] composer.json: Explicitly pin lcobucci/clock to ~2.0.0

https://gerrit.wikimedia.org/r/789954

Change 789955 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_36] composer.json: Explicitly pin lcobucci/clock to ~2.0.0

https://gerrit.wikimedia.org/r/789955

Change 789956 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_35] composer.json: Explicitly pin lcobucci/clock to ~2.0.0

https://gerrit.wikimedia.org/r/789956

Change 789953 abandoned by Reedy:

[mediawiki/extensions/OAuth@REL1_37] composer.json: Explicitly pin lcobucci/clock to ~2.0.0

Reason:

https://gerrit.wikimedia.org/r/789953

Change 789954 abandoned by Reedy:

[mediawiki/extensions/OAuth@REL1_38] composer.json: Explicitly pin lcobucci/clock to ~2.0.0

Reason:

https://gerrit.wikimedia.org/r/789954

Change 789955 abandoned by Reedy:

[mediawiki/extensions/OAuth@REL1_36] composer.json: Explicitly pin lcobucci/clock to ~2.0.0

Reason:

https://gerrit.wikimedia.org/r/789955

Change 789956 abandoned by Reedy:

[mediawiki/extensions/OAuth@REL1_35] composer.json: Explicitly pin lcobucci/clock to ~2.0.0

Reason:

https://gerrit.wikimedia.org/r/789956

Scrap that. We only bumped to 7.3 in release branches, not 7.4, where the version jump is there.

If we do pin lcobucci/jwt to 3.4.6, it means anyone running release branch OAuth on PHP 8 will have incompatible libraries, and would need to modify composer.json to get it working.

Someone is going to have to run composer update --no-dev somewhere sometime...

Legoktm added a subscriber: Legoktm.

lcobucci/clock isn't specifically pinned... So I'm guessing ext-dist is running PHP 8?

Correct. I'm going to untag extdist for now since I don't think there's any issue on that end but please retag in case I'm wrong.