There is a patch available at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PluggableAuth/+/1124093

Thanks for reporting this. As far as I can tell at the moment, this is not a dependency to BlueSpice, but to a "library" pulled in by composer (there was actually a small dependency in the JavaScript, but we fixed this today). There _are_ integrations into BlueSpice, but they should not cause issues.

Yes, the conflicting dependency versions are concerning. But until now we didn't expierence any issues with them. Probably because the SimpleSAMLphp classloader is only included during the login flow and not anymore once the user is logged in.

I couldn't find any occurence of utf8_encode or utf8_decode in any BlueSpice*, LDAP* of WebDAV extension anymore. Updated task description. Removing tags.

REL1_31 of Extension:LDAPProvider does not contain this code.

This as been done already

[...] Their autoloader file being used (which does just load their included composer vendor), with versions of all its own dependancies, could cause overrides and conflicts when and where MW provides them

This is a very good point. And indeed, if we include SimpleSAMLphp into the extensions composer.json file, we will at least be notified about issues at build time.

Possibly connected: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/HitCounters/+/1019368

This is most likely fixed already by https://gerrit.wikimedia.org/r/c/mediawiki/extensions/LDAPAuthentication2/+/966807

Created patch https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1074761

Patch has been merged in the meantime

I have created https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageForms/+/1059063 but it is still WIP, as I didn't test it yet.

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Widgets/+/1054486

Attached potential patch. Not on gerrit yet.