lcobucci/clock needs upgrading for PHP 8.3
Closed, Resolved (Public)

Description

In T363639 (web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support), we upgrade to "lcobucci/clock": "2.3.0".

https://packagist.org/packages/lcobucci/clock#2.3.0 php: ~8.1.0 || ~8.2.0

But those patches fail on PHP 8.3+ as seen in https://integration.wikimedia.org/ci/job/quibble-vendor-mysql-php83/13283/console

20:14:44   Problem 1
20:14:44     - lcobucci/clock is locked to version 2.3.0 and an update of this package was not requested.
20:14:44     - lcobucci/clock 2.3.0 requires php ~8.1.0 || ~8.2.0 -> your php version (8.3.24) does not satisfy that requirement.
20:14:44   Problem 2
20:14:44     - web-auth/webauthn-lib is locked to version 4.9.2 and an update of this package was not requested.
20:14:44     - lcobucci/clock 2.3.0 requires php ~8.1.0 || ~8.2.0 -> your php version (8.3.24) does not satisfy that requirement.
20:14:44     - web-auth/webauthn-lib 4.9.2 requires lcobucci/clock ^2.2|^3.0 -> satisfiable by lcobucci/clock[2.3.0].

https://packagist.org/packages/lcobucci/clock#3.3.1 php: ~8.2.0 || ~8.3.0 || ~8.4.0
https://packagist.org/packages/lcobucci/clock#3.2.0 php: ~8.2.0 || ~8.3.0
https://packagist.org/packages/lcobucci/clock#3.1.0 php: ~8.2.0
https://packagist.org/packages/lcobucci/clock#3.0.0 php: ~8.1.0 || ~8.2.0
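
The constraint arithmetic behind the Composer failure above, as an added example (not part of the original task or of either project's code). It evaluates the `php` requirements quoted from Packagist against the runtimes in question; the PHP 8.1 patch version `8.1.30` is a constructed sample, and only the `~X.Y.Z` form joined by `||` is handled.

```python
# php requirements copied from the Packagist lines quoted in the task.
RELEASES = {
    "2.3.0": "~8.1.0 || ~8.2.0",
    "3.0.0": "~8.1.0 || ~8.2.0",
    "3.1.0": "~8.2.0",
    "3.2.0": "~8.2.0 || ~8.3.0",
    "3.3.1": "~8.2.0 || ~8.3.0 || ~8.4.0",
}


def parse(version):
    """Turn '8.3.24' into a comparable tuple (8, 3, 24)."""
    return tuple(int(part) for part in version.split("."))


def tilde_range(term):
    """Composer's ~X.Y.Z means >=X.Y.Z and <X.(Y+1).0; other forms are rejected."""
    if not term.startswith("~"):
        raise ValueError(f"unsupported constraint term: {term!r}")
    base = parse(term[1:])
    if len(base) != 3:
        raise ValueError(f"unsupported constraint term: {term!r}")
    return base, (base[0], base[1] + 1, 0)


def satisfies(php_version, constraint):
    """True if php_version falls inside any '||' alternative of the constraint."""
    version = parse(php_version)
    for term in constraint.split("||"):
        low, high = tilde_range(term.strip())
        if low <= version < high:
            return True
    return False


def installable_on(php_versions):
    """Releases whose php requirement accepts every runtime in php_versions,
    i.e. the candidates for a single composer.lock shared by all of them."""
    return [release for release, constraint in RELEASES.items()
            if all(satisfies(php, constraint) for php in php_versions)]


if __name__ == "__main__":
    # 8.3.24 is the CI runtime from the log; 8.1.30 is a constructed sample.
    for runtimes in (["8.1.30"], ["8.3.24"], ["8.1.30", "8.3.24"]):
        print(runtimes, "->", installable_on(runtimes) or "no release")
```

The empty result for the combined case is why one locked version cannot serve both PHP 8.1 and PHP 8.3 with the releases listed here.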

Event Timeline

Upstream has declined supporting PHP 8.1 and 8.3 in the same release:

https://github.com/lcobucci/clock/issues/685

I now understand your constraints and you indeed won't be able to have a single lock file that will be usable for both php 8.1 and 8.3 using this library.

The policy I follow for PHP version support in my libs doesn't accommodate for what you need.

The irony is that the package works fine on PHP 8.1, it's just an artificially strict requirement.

The author suggested overriding platform dependencies, but that's not workable as it would mean everyone installing it, including CI, has to specify this. It would fail by default for anyone trying to install it.

Someone has forked the package at https://github.com/okvpn/clock-lts, which literally just loosens the PHP requirement and declares to Composer that it is a replacement to satisfy lcobucci/clock dependencies elsewhere. That should do the trick.

Thanks!

Hopefully we’ll get the WebAuthn patch landed soon, and then we can update to using that to help ease the transition!

Change #1159483 had a related patch set uploaded (by Krinkle; author: Reedy):

[mediawiki/vendor@master] Upgrade web-auth/webauthn-lib and dependencies...

https://gerrit.wikimedia.org/r/1159483

Change #1159483 merged by jenkins-bot:

[mediawiki/vendor@master] Upgrade web-auth/webauthn-lib and dependencies...

https://gerrit.wikimedia.org/r/1159483

Can we declare this Resolved? Do we want a task for switching back once we drop 8.1 support?

It's a good question. The task itself is resolved

https://github.com/lcobucci/clock/commits/3.4.x/ seems to not get much actual development activity, mostly (a lot of) package bumping.

If https://github.com/okvpn/clock-lts continues to follow upstream updates in a timely fashion, is there much point swapping back?

Well, any way in which we deviate from "normal" is a minor increase in risk from lower coverage / exposure to issues in the wider install community. But it's certainly not absolutely required.

Reedy assigned this task to Krinkle.

Change #1201221 had a related patch set uploaded (by Arlolra; author: Arlolra):

[mediawiki/core@master] Add okvpn/clock-lts as requirement

https://gerrit.wikimedia.org/r/1201221

Change #1201221 abandoned by Arlolra:

[mediawiki/core@master] Add okvpn/clock-lts as requirement

Reason:

Alright, never mind, I'll leave this vendor only

https://gerrit.wikimedia.org/r/1201221