Outdated dependency packages

[fitztrev]

As of Laravel 5.7.16, laravel/framework has this package in its dependency tree. As a result, nexmo/client is being installed a lot, even for apps that don't use Nexmo.

When running $ composer outdated, these are the packages that show as outdated from nexmo/client:

Package                      Installed  Latest   Description
============================================================================
php-http/guzzle6-adapter     v1.1.1     v2.0.0   Guzzle 6 HTTP Adapter
php-http/httplug             v1.1.0     v2.0.0   HTTPlug, the HTTP client abstraction for PHP
ralouphie/getallheaders       2.0.5      3.0.1   A polyfill for getallheaders.
zendframework/zend-diactoros  1.8.6      2.0.1   PSR HTTP Message implementations

Ref: laravel/framework#26689

[mheap]

Thanks for raising this @fitztrev . As these are all major version upgrades we need to be careful when upgrading.

It's on my list, and I'll take a look to see what we can do

[arubacao]

The upgrade is easy. Only thing to keep in mind is the PHP version constraint of https://github.com/php-http/guzzle6-adapter ^7.1.
This constraint is reasonable since only versions above 7.1 are supported and 5.6 is holding this package back.

[mheap]

5.6 is out of security support at the end of this year, so we'll be evaluating our minimum version in 2019.

The upgrade is technically easy to do, but we've got to consider our users. If anyone is using Guzzle6 1.x and we increase the dependency to 2.x they will not be able to use new versions of the library.

Instead, this could be an opportunity for a new major version of nexmo/php, targeting 7.2 (LTS) onwards with up to date dependencies and a few changes that we'd like to make

[jaikdean]

Updating those packages would change the implicit PHP version requirement of this package to ^7.1, so it should definitely be a new major version of this package. I'd love this to happen as the php-http/httplug dependency is holding us back from updating other things in one of our apps.

[fitztrev]

Laravel 5.8 has been released and the nexmo/client package is no longer a required package. It's only installed if you add the optional laravel/nexmo-notification-channel (see upgrade docs).

So while this no longer affects me, I'll leave the ticket open and let the maintainers determine how they want to handle it. Thank you for your reply and attention to the matter, though. I understand the need to be careful when upgrading these dependencies.

[lornajane]

In case anyone is following along. We updated the zend-diactoros dependency which should help some of these issues - upgrade to 1.8.1 or later for that fix. The PHP 7.1 upgrade will follow and we've also got our eyes on the httplug/guzzle dependencies, we promise!

[lornajane]

With a new major release of nexmo/client at v2.0 yesterday, I hope that this will solve the last of these issues (all the credit goes to @dragonmantank who has been sorting all of this out!). If you use another HTTP client then you should instead install the nexmo/client-core package. Please let us know how you get on!