There is a security issue with "guzzlehttp/guzzle" in versions:
- 6.5.6, which is currently bundled with MediaWiki LTS version 1.35 (branch REL1_35)
- 7.2.0, which is currently bundled with MediaWiki current stable version 1.37 (branch REL1_37)
- 7.4.1, which is currently bundled with MediaWiki current stable version 1.38 (branch REL1_38)
- 7.4.1, which is currently bundled with MediaWiki master
See:
- https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699 -> "Change in port should be considered a change in origin"
- https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r -> "CURLOPT_HTTPAUTH option not cleared on change of origin"
Both issues are probably not a threat to MediaWiki, given the way the library is used, yet the library should be updated.
See also T309377.