From 645d1853082a47413017ccaf6fe0f2d84a5f7a67 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Tue, 21 Jan 2025 12:08:00 +0100 Subject: [PATCH 01/34] GH Actions: add actionlint job While GH Actions will fail runs of scripts which contain syntax errors, it isn't always that straight forward to see what's wrong. The `actionlint` package helps with that by providing more informative error messages. Actionlint also checks for a number of best practice to help keep the GH Actions scripts secure and working. Ref: https://github.com/rhysd/actionlint --- .github/workflows/cs.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml index 6b0ef4b0a..79c892e10 100644 --- a/.github/workflows/cs.yml +++ b/.github/workflows/cs.yml @@ -14,6 +14,28 @@ concurrency: cancel-in-progress: true jobs: + actionlint: #---------------------------------------------------------------------- + name: 'Check GHA workflows' + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Add problem matcher + if: ${{ github.event_name == 'pull_request' }} + shell: bash + run: | + curl -o actionlint-matcher.json https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json + echo "::add-matcher::actionlint-matcher.json" + + - name: Check workflow files + env: + SHELLCHECK_OPTS: --exclude=SC2129 + uses: docker://rhysd/actionlint:latest + with: + args: -color + phpcs: #---------------------------------------------------------------------- name: 'PHPCS' runs-on: ubuntu-latest From 0a114e827868a4d0b1f214c85d1c91ec2768bf0d Mon Sep 17 00:00:00 2001 From: jrfnl Date: Tue, 21 Jan 2025 12:08:00 +0100 Subject: [PATCH 02/34] GH Actions: various script tweaks Various tweaks to allow the scripts to pass the actionlint and shellcheck checks. --- .github/workflows/quicktest.yml | 10 +++++----- .github/workflows/test.yml | 10 +++++----- .github/workflows/update-cacert.yml | 18 +++++++++--------- .github/workflows/update-website.yml | 20 ++++++++++---------- 4 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index 7658e7767..3689feab5 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -64,7 +64,7 @@ jobs: - name: Start test server run: | PORT=8080 vendor/bin/start.sh - echo "REQUESTS_TEST_HOST_HTTP=localhost:8080" >> $GITHUB_ENV + echo "REQUESTS_TEST_HOST_HTTP=localhost:8080" >> "$GITHUB_ENV" - name: Ping localhost domain run: ping -c1 localhost @@ -73,10 +73,10 @@ jobs: run: | PORT=9002 tests/utils/proxy/start.sh PORT=9003 AUTH="test:pass" tests/utils/proxy/start.sh - echo "REQUESTS_HTTP_PROXY=localhost:9002" >> $GITHUB_ENV - echo "REQUESTS_HTTP_PROXY_AUTH=localhost:9003" >> $GITHUB_ENV - echo "REQUESTS_HTTP_PROXY_AUTH_USER=test" >> $GITHUB_ENV - echo "REQUESTS_HTTP_PROXY_AUTH_PASS=pass" >> $GITHUB_ENV + echo "REQUESTS_HTTP_PROXY=localhost:9002" >> "$GITHUB_ENV" + echo "REQUESTS_HTTP_PROXY_AUTH=localhost:9003" >> "$GITHUB_ENV" + echo "REQUESTS_HTTP_PROXY_AUTH_USER=test" >> "$GITHUB_ENV" + echo "REQUESTS_HTTP_PROXY_AUTH_PASS=pass" >> "$GITHUB_ENV" - name: Ensure the HTTPS test instance on Render is spun up run: curl -s -I https://requests-test-server.onrender.com/ > /dev/null diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9560542a4..52dcb339f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -91,7 +91,7 @@ jobs: - name: Start test server run: | PORT=8080 vendor/bin/start.sh - echo "REQUESTS_TEST_HOST_HTTP=localhost:8080" >> $GITHUB_ENV + echo "REQUESTS_TEST_HOST_HTTP=localhost:8080" >> "$GITHUB_ENV" - name: Ping localhost domain run: ping -c1 localhost @@ -100,10 +100,10 @@ jobs: run: | PORT=9002 tests/utils/proxy/start.sh PORT=9003 AUTH="test:pass" tests/utils/proxy/start.sh - echo "REQUESTS_HTTP_PROXY=localhost:9002" >> $GITHUB_ENV - echo "REQUESTS_HTTP_PROXY_AUTH=localhost:9003" >> $GITHUB_ENV - echo "REQUESTS_HTTP_PROXY_AUTH_USER=test" >> $GITHUB_ENV - echo "REQUESTS_HTTP_PROXY_AUTH_PASS=pass" >> $GITHUB_ENV + echo "REQUESTS_HTTP_PROXY=localhost:9002" >> "$GITHUB_ENV" + echo "REQUESTS_HTTP_PROXY_AUTH=localhost:9003" >> "$GITHUB_ENV" + echo "REQUESTS_HTTP_PROXY_AUTH_USER=test" >> "$GITHUB_ENV" + echo "REQUESTS_HTTP_PROXY_AUTH_PASS=pass" >> "$GITHUB_ENV" - name: Ensure the HTTPS test instance on Render is spun up run: curl -s -I https://requests-test-server.onrender.com/ > /dev/null diff --git a/.github/workflows/update-cacert.yml b/.github/workflows/update-cacert.yml index d7f1c85f0..6a8b37848 100644 --- a/.github/workflows/update-cacert.yml +++ b/.github/workflows/update-cacert.yml @@ -40,18 +40,18 @@ jobs: PR_NUM: ${{ github.event.pull_request.number }} run: | if [[ "${{ github.event_name }}" == 'schedule' ]]; then - echo "BASE=develop" >> $GITHUB_OUTPUT - echo "PR_BRANCH=feature/auto-update-cacert" >> $GITHUB_OUTPUT + echo "BASE=develop" >> "$GITHUB_OUTPUT" + echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT" elif [[ "${{ github.event_name }}" == 'push' ]]; then # Pull requests should always go to develop, even when triggered via a push to stable. - echo "BASE=develop" >> $GITHUB_OUTPUT - echo "PR_BRANCH=feature/auto-update-cacert" >> $GITHUB_OUTPUT + echo "BASE=develop" >> "$GITHUB_OUTPUT" + echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT" elif [[ $PR_NUM != '' ]]; then # = PR or manual (re-)run for a workflow triggered by a PR. - echo "BASE=$HEAD_REF" >> $GITHUB_OUTPUT - echo "PR_BRANCH=feature/auto-update-cacert-$PR_NUM" >> $GITHUB_OUTPUT + echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT" + echo "PR_BRANCH=feature/auto-update-cacert-$PR_NUM" >> "$GITHUB_OUTPUT" else # = manual run. - echo "BASE=$HEAD_REF" >> $GITHUB_OUTPUT - echo "PR_BRANCH=feature/auto-update-cacert-misc" >> $GITHUB_OUTPUT + echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT" + echo "PR_BRANCH=feature/auto-update-cacert-misc" >> "$GITHUB_OUTPUT" fi - name: Checkout code @@ -83,7 +83,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get date" id: get-date - run: echo "DATE=$(/bin/date -u "+%F")" >> $GITHUB_OUTPUT + run: echo "DATE=$(/bin/date -u "+%F")" >> "$GITHUB_OUTPUT" - name: Create pull request uses: peter-evans/create-pull-request@v7 diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index a07f445e7..0f54e3106 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -43,9 +43,9 @@ jobs: REF: ${{ github.ref }} run: | if [ "${{ github.event_name }}" == "pull_request" ]; then - echo "BRANCH=$REF" >> $GITHUB_OUTPUT + echo "BRANCH=$REF" >> "$GITHUB_OUTPUT" else - echo 'BRANCH=stable' >> $GITHUB_OUTPUT + echo 'BRANCH=stable' >> "$GITHUB_OUTPUT" fi - name: Checkout code @@ -99,15 +99,15 @@ jobs: TAG_NAME: ${{ github.event.release.tag_name }} run: | if [ "${{ github.event_name }}" == "pull_request" ]; then - echo "REF=$REF_NAME" >> $GITHUB_OUTPUT - echo 'PR_TITLE_PREFIX=[TEST | DO NOT MERGE] ' >> $GITHUB_OUTPUT - echo 'PR_BODY=Test run for the website update after changes to the automated scripts.' >> $GITHUB_OUTPUT - echo 'DRAFT=always-true' >> $GITHUB_OUTPUT + echo "REF=$REF_NAME" >> "$GITHUB_OUTPUT" + echo 'PR_TITLE_PREFIX=[TEST | DO NOT MERGE] ' >> "$GITHUB_OUTPUT" + echo 'PR_BODY=Test run for the website update after changes to the automated scripts.' >> "$GITHUB_OUTPUT" + echo 'DRAFT=always-true' >> "$GITHUB_OUTPUT" else - echo "REF=$TAG_NAME" >> $GITHUB_OUTPUT - echo 'PR_TITLE_PREFIX=' >> $GITHUB_OUTPUT - echo "PR_BODY=Website update after the release of Requests $TAG_NAME." >> $GITHUB_OUTPUT - echo 'DRAFT=false' >> $GITHUB_OUTPUT + echo "REF=$TAG_NAME" >> "$GITHUB_OUTPUT" + echo 'PR_TITLE_PREFIX=' >> "$GITHUB_OUTPUT" + echo "PR_BODY=Website update after the release of Requests $TAG_NAME." >> "$GITHUB_OUTPUT" + echo 'DRAFT=false' >> "$GITHUB_OUTPUT" fi - name: Checkout code From e72f33662a49925743c25e731c0f1c63cd25ab20 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Tue, 11 Feb 2025 11:27:36 +0100 Subject: [PATCH 03/34] Move shell scripts into dedicated directory ... in anticipation of PRs 924 and 916. --- .github/workflows/quicktest.yml | 8 ++++---- .github/workflows/test.yml | 8 ++++---- .gitignore | 4 ++-- {tests/utils => scripts}/proxy/proxy.py | 0 {tests/utils => scripts}/proxy/start.sh | 0 {tests/utils => scripts}/proxy/stop.sh | 0 6 files changed, 10 insertions(+), 10 deletions(-) rename {tests/utils => scripts}/proxy/proxy.py (100%) rename {tests/utils => scripts}/proxy/start.sh (100%) rename {tests/utils => scripts}/proxy/stop.sh (100%) diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index 3689feab5..55ee037a4 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -71,8 +71,8 @@ jobs: - name: Start proxy server run: | - PORT=9002 tests/utils/proxy/start.sh - PORT=9003 AUTH="test:pass" tests/utils/proxy/start.sh + PORT=9002 scripts/proxy/start.sh + PORT=9003 AUTH="test:pass" scripts/proxy/start.sh echo "REQUESTS_HTTP_PROXY=localhost:9002" >> "$GITHUB_ENV" echo "REQUESTS_HTTP_PROXY_AUTH=localhost:9003" >> "$GITHUB_ENV" echo "REQUESTS_HTTP_PROXY_AUTH_USER=test" >> "$GITHUB_ENV" @@ -96,8 +96,8 @@ jobs: - name: Stop proxy server continue-on-error: true run: | - PORT=9002 tests/utils/proxy/stop.sh - PORT=9003 tests/utils/proxy/stop.sh + PORT=9002 scripts/stop.sh + PORT=9003 scripts/stop.sh - name: Stop test server continue-on-error: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 52dcb339f..b6069f1a0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -98,8 +98,8 @@ jobs: - name: Start proxy server run: | - PORT=9002 tests/utils/proxy/start.sh - PORT=9003 AUTH="test:pass" tests/utils/proxy/start.sh + PORT=9002 scripts/proxy/start.sh + PORT=9003 AUTH="test:pass" scripts/proxy/start.sh echo "REQUESTS_HTTP_PROXY=localhost:9002" >> "$GITHUB_ENV" echo "REQUESTS_HTTP_PROXY_AUTH=localhost:9003" >> "$GITHUB_ENV" echo "REQUESTS_HTTP_PROXY_AUTH_USER=test" >> "$GITHUB_ENV" @@ -128,8 +128,8 @@ jobs: - name: Stop proxy server continue-on-error: true run: | - PORT=9002 tests/utils/proxy/stop.sh - PORT=9003 tests/utils/proxy/stop.sh + PORT=9002 scripts/proxy/stop.sh + PORT=9003 scripts/proxy/stop.sh - name: Stop test server continue-on-error: true diff --git a/.gitignore b/.gitignore index 987b3c672..29a49662f 100644 --- a/.gitignore +++ b/.gitignore @@ -23,5 +23,5 @@ build/ghpages/artifacts certificates/etag-*.txt # Ignore temporary files generated by the testing proxy. -tests/utils/proxy/__pycache__ -tests/utils/proxy/*.pid +scripts/proxy/__pycache__ +scripts/proxy/*.pid diff --git a/tests/utils/proxy/proxy.py b/scripts/proxy/proxy.py similarity index 100% rename from tests/utils/proxy/proxy.py rename to scripts/proxy/proxy.py diff --git a/tests/utils/proxy/start.sh b/scripts/proxy/start.sh similarity index 100% rename from tests/utils/proxy/start.sh rename to scripts/proxy/start.sh diff --git a/tests/utils/proxy/stop.sh b/scripts/proxy/stop.sh similarity index 100% rename from tests/utils/proxy/stop.sh rename to scripts/proxy/stop.sh From 11880e0ea8c9bf0a6b692a2826aebf46c116ec6c Mon Sep 17 00:00:00 2001 From: jrfnl Date: Mon, 4 Aug 2025 18:13:12 +0200 Subject: [PATCH 04/34] GH Actions: improve "don't run on forks" condition Remove the condition containing a hard-coded repository name in favour of a more generic condition which should safeguard that the cron job doesn't run on forks just the same. --- .github/workflows/update-cacert.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-cacert.yml b/.github/workflows/update-cacert.yml index 6a8b37848..8cbbb3edb 100644 --- a/.github/workflows/update-cacert.yml +++ b/.github/workflows/update-cacert.yml @@ -29,7 +29,7 @@ jobs: certificate-check: name: "Check for updated certificate bundle" # Don't run the cron job on forks. - if: ${{ github.event_name != 'schedule' || github.repository == 'WordPress/Requests' }} + if: ${{ github.event_name != 'schedule' || github.event.repository.fork == false }} runs-on: ubuntu-latest steps: From fb7f63ca48c2c486a258c2ddced12b02dccb38e3 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Mon, 4 Aug 2025 23:33:49 +0200 Subject: [PATCH 05/34] README: add license badge ... to make it more straight-forward to see under what license the software is distributed. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 756bc5321..d1c0f5a7e 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Requests for PHP [![Lint](https://github.com/WordPress/Requests/actions/workflows/lint.yml/badge.svg)](https://github.com/WordPress/Requests/actions/workflows/lint.yml) [![Test](https://github.com/WordPress/Requests/actions/workflows/test.yml/badge.svg)](https://github.com/WordPress/Requests/actions/workflows/test.yml) [![codecov.io](https://codecov.io/gh/WordPress/Requests/branch/stable/graph/badge.svg?token=AfpxK7WMxj&branch=stable)](https://codecov.io/gh/WordPress/Requests?branch=stable) +[![Packagist License](https://img.shields.io/packagist/l/rmccue/requests)](https://github.com/WordPress/Requests/blob/stable/LICENSE) Requests is a HTTP library written in PHP, for human beings. It is roughly based on the API from the excellent [Requests Python From b99bf08b539b9efedc638226a81aeed1c350f319 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sun, 10 Aug 2025 04:13:12 +0200 Subject: [PATCH 06/34] GH Actions: update PHP ini configuration Add `display_startup_errors=On` as per the current recommendation from PHPUnit. Ref: https://github.com/sebastianbergmann/phpunit-documentation-english/commit/b3b159cbe9bd7eb5656dd381fc6f028549601dce --- .github/workflows/lint.yml | 2 +- .github/workflows/quicktest.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/update-website.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 87ca6cf2d..b10c29375 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -33,7 +33,7 @@ jobs: uses: shivammathur/setup-php@v2 with: php-version: ${{ matrix.php }} - ini-values: error_reporting=-1, display_errors=On, log_errors_max_len=0 + ini-values: error_reporting=-1, display_errors=On, display_startup_errors=On, log_errors_max_len=0 coverage: none tools: cs2pr diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index 55ee037a4..636341ddc 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -33,7 +33,7 @@ jobs: uses: shivammathur/setup-php@v2 with: php-version: ${{ matrix.php }} - ini-values: zend.assertions=1, error_reporting=-1, display_errors=On, log_errors_max_len=0 + ini-values: zend.assertions=1, error_reporting=-1, display_errors=On, display_startup_errors=On, log_errors_max_len=0 coverage: none # At least one test needs a non-en_US locale to be available, so make sure it is. diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b6069f1a0..099eaaed0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -44,7 +44,7 @@ jobs: uses: shivammathur/setup-php@v2 with: php-version: ${{ matrix.php }} - ini-values: zend.assertions=1, error_reporting=-1, display_errors=On, log_errors_max_len=0 + ini-values: zend.assertions=1, error_reporting=-1, display_errors=On, display_startup_errors=On, log_errors_max_len=0 coverage: ${{ matrix.coverage && 'xdebug' || 'none' }} tools: cs2pr diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index 0f54e3106..b83144099 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -57,7 +57,7 @@ jobs: uses: shivammathur/setup-php@v2 with: php-version: '8.1' - ini-values: display_errors=On + ini-values: display_errors=On, display_startup_errors=On coverage: none tools: phpdoc From deb33236f5ba6480ad6bfa70473f6f13578be834 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sun, 10 Aug 2025 05:49:21 +0200 Subject: [PATCH 07/34] PHP 8.5 | Tests: prevent deprecation notice for Reflection*::setAccessible() Since PHP 8.1, calling the `Reflection*::setAccessible()` methods is no longer necessary as reflected properties/methods/etc will always be accessible. However, the method calls are still needed for PHP < 8.1. As of PHP 8.5, calling the `Reflection*::setAccessible()` methods is now formally deprecated and will yield a deprecation notice, which will fail test runs. As of PHP 9.0, the `setAccessible()` method(s) will be removed. With the latter in mind, this commit prevents the deprecation notice by making the calls to `setAccessible()` conditional. Silencing the deprecation would mean, this would need to be "fixed" again come PHP 9.0, while the current solution should be stable, including for PHP 9.0. Ref: https://wiki.php.net/rfc/deprecations_php_8_5#extreflection_deprecations --- tests/RequestsTest.php | 4 ++-- tests/Utility/FilteredIteratorTest.php | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/RequestsTest.php b/tests/RequestsTest.php index 773aab974..6005e32ce 100644 --- a/tests/RequestsTest.php +++ b/tests/RequestsTest.php @@ -336,13 +336,13 @@ public function testHasCapabilitiesSucceedsForDetectingSsl() { */ public function testHasCapabilitiesFailsForUnsupportedCapabilities() { $transports = new ReflectionProperty(Requests::class, 'transports'); - $transports->setAccessible(true); + (\PHP_VERSION_ID < 80100) && $transports->setAccessible(true); $transports->setValue(null, [TestTransportMock::class]); $result = Requests::has_capabilities(['time-travel' => true]); $transports->setValue(null, []); - $transports->setAccessible(false); + (\PHP_VERSION_ID < 80100) && $transports->setAccessible(false); $this->assertFalse($result); } diff --git a/tests/Utility/FilteredIteratorTest.php b/tests/Utility/FilteredIteratorTest.php index c5f44de24..ee0d67482 100644 --- a/tests/Utility/FilteredIteratorTest.php +++ b/tests/Utility/FilteredIteratorTest.php @@ -37,7 +37,7 @@ public function testDeserializeRequestUtilityFilteredIteratorObjects($value) { $new_value = unserialize($serialized); $reflection = new ReflectionClass(FilteredIterator::class); $property = $reflection->getProperty('callback'); - $property->setAccessible(true); + (\PHP_VERSION_ID < 80100) && $property->setAccessible(true); $callback_value = $property->getValue($new_value); $this->assertNull($callback_value, 'Callback is not null'); } else { @@ -145,9 +145,9 @@ public function testConstructorValidCallback($input) { $reflection = new ReflectionObject($obj); $property = $reflection->getProperty('callback'); - $property->setAccessible(true); + (\PHP_VERSION_ID < 80100) && $property->setAccessible(true); $callback_value = $property->getValue($obj); - $property->setAccessible(false); + (\PHP_VERSION_ID < 80100) && $property->setAccessible(false); $this->assertSame($input, $callback_value, 'Callback property has not been set'); } @@ -180,9 +180,9 @@ public function testConstructorInvalidCallback($input) { $reflection = new ReflectionObject($obj); $property = $reflection->getProperty('callback'); - $property->setAccessible(true); + (\PHP_VERSION_ID < 80100) && $property->setAccessible(true); $callback_value = $property->getValue($obj); - $property->setAccessible(false); + (\PHP_VERSION_ID < 80100) && $property->setAccessible(false); $this->assertNull($callback_value, 'Callback property has been set to invalid callback'); } From 70215bbeacbba221eb52fe2c8ccc68c8e34a845e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Aug 2025 12:52:42 +0000 Subject: [PATCH 08/34] GH Actions: Bump actions/download-artifact from 4 to 5 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 5. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/update-website.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index b83144099..d8134bc8f 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -116,7 +116,7 @@ jobs: ref: gh-pages - name: Download the prepared artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v5 with: name: website-updates path: artifacts From b4f7881c88b666ad8e9cc10746ad27d07bfec2b4 Mon Sep 17 00:00:00 2001 From: Prashant Baldha Date: Fri, 22 Aug 2025 13:41:11 +0530 Subject: [PATCH 09/34] Corrected URL of the Request Python library URL in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d1c0f5a7e..70d06617e 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Requests for PHP Requests is a HTTP library written in PHP, for human beings. It is roughly based on the API from the excellent [Requests Python -library](http://python-requests.org/). Requests is [ISC +library](https://requests.readthedocs.io/en/latest/). Requests is [ISC Licensed](https://github.com/WordPress/Requests/blob/stable/LICENSE) (similar to the new BSD license) and has no dependencies, except for PHP 5.6+. From 23099fd66621d92b58ee800e08e3a2c29b91e709 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Aug 2025 16:47:13 +0000 Subject: [PATCH 10/34] GH Actions: Bump actions/checkout from 4 to 5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/cs.yml | 4 ++-- .github/workflows/lint.yml | 2 +- .github/workflows/quicktest.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/update-cacert.yml | 2 +- .github/workflows/update-website.yml | 6 +++--- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml index 79c892e10..7eb6924ef 100644 --- a/.github/workflows/cs.yml +++ b/.github/workflows/cs.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Add problem matcher if: ${{ github.event_name == 'pull_request' }} @@ -42,7 +42,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Install PHP uses: shivammathur/setup-php@v2 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b10c29375..8ebe81897 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Install PHP uses: shivammathur/setup-php@v2 diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index 636341ddc..3a8dd4293 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Install PHP uses: shivammathur/setup-php@v2 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 099eaaed0..1c8049f60 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Install PHP uses: shivammathur/setup-php@v2 diff --git a/.github/workflows/update-cacert.yml b/.github/workflows/update-cacert.yml index 8cbbb3edb..bfdd93e61 100644 --- a/.github/workflows/update-cacert.yml +++ b/.github/workflows/update-cacert.yml @@ -55,7 +55,7 @@ jobs: fi - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Restore etags cache for certificate files uses: actions/cache@v4 diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index d8134bc8f..28c48d323 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -49,7 +49,7 @@ jobs: fi - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: ref: ${{ steps.base_branch.outputs.BRANCH }} @@ -111,7 +111,7 @@ jobs: fi - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: ref: gh-pages @@ -184,7 +184,7 @@ jobs: # Test that the site builds correctly. - name: Checkout the newly created branch - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: ref: feature/auto-ghpages-update-${{ steps.get_pr_info.outputs.REF }} From f1128a11a628fb19eb8f0da71dff10ee81e70fb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20B=C3=A4thge?= Date: Mon, 1 Sep 2025 16:44:17 +0200 Subject: [PATCH 11/34] PHP 8.5: Prevent deprecation notices for `curl_close` `curl_close` is deprecated in PHP 8.5+, and hasn't been doing anything since PHP 8.0, when handles were switched from `resource` to `object`. To prevent deprecation warnings it should therefore be called on older versions of PHP only, where handles are `resource`s. See https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_no-op_functions_from_the_resource_to_object_conversion. --- src/Transport/Curl.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/Transport/Curl.php b/src/Transport/Curl.php index 7316987b5..e5e6107e1 100644 --- a/src/Transport/Curl.php +++ b/src/Transport/Curl.php @@ -306,7 +306,9 @@ public function request_multiple($requests, $options) { } curl_multi_remove_handle($multihandle, $done['handle']); - curl_close($done['handle']); + if (is_resource($done['handle'])) { + curl_close($done['handle']); + } if (!is_string($responses[$key])) { $options['hooks']->dispatch('multiple.request.complete', [&$responses[$key], $key]); From a48a5228ab4a160903640323a4c68367ad7fbbfd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 08:14:37 +0000 Subject: [PATCH 12/34] GH Actions: Bump actions/setup-python from 5 to 6 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/quicktest.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index 3a8dd4293..1d1fb3ec6 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -51,7 +51,7 @@ jobs: uses: "ramsey/composer-install@v3" - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '3.13' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1c8049f60..29eaccbca 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -78,7 +78,7 @@ jobs: run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '3.13' From db59c3892feb89d24f6f3307fe6e86c72f331abb Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sat, 20 Sep 2025 06:44:52 +0200 Subject: [PATCH 13/34] Composer: update PHPUnit Polyfills ... to a PHP 8.5 compatible version. Ref: https://github.com/Yoast/PHPUnit-Polyfills/releases/tag/2.0.5 --- **Mind**: this will need to be included in any further 2.0.x releases, but when backporting, the version needed should be `^1.1.5`. --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 2e1410a98..baba09b4a 100644 --- a/composer.json +++ b/composer.json @@ -53,7 +53,7 @@ "dealerdirect/phpcodesniffer-composer-installer": "^0.7", "php-parallel-lint/php-parallel-lint": "^1.3.1", "php-parallel-lint/php-console-highlighter": "^0.5.0", - "yoast/phpunit-polyfills": "^1.0.0", + "yoast/phpunit-polyfills": "^1.1.5", "roave/security-advisories": "dev-latest" }, "suggest": { From 5bb0c3812cb4ccf52bb811a330c36712f96b086e Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sat, 20 Sep 2025 06:38:27 +0200 Subject: [PATCH 14/34] PHP 8.5 | Iri: fix two "Using null as an array offset" deprecation notices Fixes deprecation notices which occur if `$this->scheme` is `null`. Fixed now via some extra defensive coding. This change is already covered via the existing tests. Ref: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_using_values_null_as_an_array_offset_and_when_calling_array_key_exists --- src/Iri.php | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/src/Iri.php b/src/Iri.php index c452c7365..19e0606e5 100644 --- a/src/Iri.php +++ b/src/Iri.php @@ -214,7 +214,7 @@ public function __get($name) { $return = null; } - if ($return === null && isset($this->normalization[$this->scheme][$name])) { + if ($return === null && isset($this->scheme, $this->normalization[$this->scheme][$name])) { return $this->normalization[$this->scheme][$name]; } else { @@ -669,27 +669,29 @@ protected function remove_iunreserved_percent_encoded($regex_match) { } protected function scheme_normalization() { - if (isset($this->normalization[$this->scheme]['iuserinfo']) && $this->iuserinfo === $this->normalization[$this->scheme]['iuserinfo']) { - $this->iuserinfo = null; - } - if (isset($this->normalization[$this->scheme]['ihost']) && $this->ihost === $this->normalization[$this->scheme]['ihost']) { - $this->ihost = null; - } - if (isset($this->normalization[$this->scheme]['port']) && $this->port === $this->normalization[$this->scheme]['port']) { - $this->port = null; - } - if (isset($this->normalization[$this->scheme]['ipath']) && $this->ipath === $this->normalization[$this->scheme]['ipath']) { - $this->ipath = ''; + if (isset($this->scheme, $this->normalization[$this->scheme])) { + if (isset($this->normalization[$this->scheme]['iuserinfo']) && $this->iuserinfo === $this->normalization[$this->scheme]['iuserinfo']) { + $this->iuserinfo = null; + } + if (isset($this->normalization[$this->scheme]['ihost']) && $this->ihost === $this->normalization[$this->scheme]['ihost']) { + $this->ihost = null; + } + if (isset($this->normalization[$this->scheme]['port']) && $this->port === $this->normalization[$this->scheme]['port']) { + $this->port = null; + } + if (isset($this->normalization[$this->scheme]['ipath']) && $this->ipath === $this->normalization[$this->scheme]['ipath']) { + $this->ipath = ''; + } + if (isset($this->normalization[$this->scheme]['iquery']) && $this->iquery === $this->normalization[$this->scheme]['iquery']) { + $this->iquery = null; + } + if (isset($this->normalization[$this->scheme]['ifragment']) && $this->ifragment === $this->normalization[$this->scheme]['ifragment']) { + $this->ifragment = null; + } } if (isset($this->ihost) && empty($this->ipath)) { $this->ipath = '/'; } - if (isset($this->normalization[$this->scheme]['iquery']) && $this->iquery === $this->normalization[$this->scheme]['iquery']) { - $this->iquery = null; - } - if (isset($this->normalization[$this->scheme]['ifragment']) && $this->ifragment === $this->normalization[$this->scheme]['ifragment']) { - $this->ifragment = null; - } } /** From 5e64a5e48db62c325b255f030a9d46cd8c1b479a Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sat, 20 Sep 2025 06:48:26 +0200 Subject: [PATCH 15/34] PHP 8.5 | Response/Headers: fix a "Using null as an array offset" deprecation notice Fixes deprecation notices which occur if `$offset` is `null`. Fixed now via some extra defensive coding. This change is already covered via the existing tests. Ref: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_using_values_null_as_an_array_offset_and_when_calling_array_key_exists --- src/Response/Headers.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Response/Headers.php b/src/Response/Headers.php index b4d0fcf91..c931320ee 100644 --- a/src/Response/Headers.php +++ b/src/Response/Headers.php @@ -35,7 +35,7 @@ public function offsetGet($offset) { $offset = strtolower($offset); } - if (!isset($this->data[$offset])) { + if (!isset($offset, $this->data[$offset])) { return null; } From 3a9aeaf05d6b887a1d48d322dc1084f148d3b1d8 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sat, 20 Sep 2025 06:52:45 +0200 Subject: [PATCH 16/34] PHP 8.5 | Utility/CaseInsensitiveDictionary: fix another set of "Using null as an array offset" deprecation notices Fixes deprecation notices which occur if `$offset` is `null`. Fixed now via some extra defensive coding. This change is already covered via the existing tests. Ref: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_using_values_null_as_an_array_offset_and_when_calling_array_key_exists --- src/Utility/CaseInsensitiveDictionary.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/Utility/CaseInsensitiveDictionary.php b/src/Utility/CaseInsensitiveDictionary.php index 0e1a914cd..0104a2e4a 100644 --- a/src/Utility/CaseInsensitiveDictionary.php +++ b/src/Utility/CaseInsensitiveDictionary.php @@ -49,6 +49,10 @@ public function offsetExists($offset) { $offset = strtolower($offset); } + if ($offset === null) { + $offset = ''; + } + return isset($this->data[$offset]); } @@ -64,6 +68,10 @@ public function offsetGet($offset) { $offset = strtolower($offset); } + if ($offset === null) { + $offset = ''; + } + if (!isset($this->data[$offset])) { return null; } @@ -89,6 +97,10 @@ public function offsetSet($offset, $value) { $offset = strtolower($offset); } + if ($offset === null) { + $offset = ''; + } + $this->data[$offset] = $value; } @@ -103,6 +115,10 @@ public function offsetUnset($offset) { $offset = strtolower($offset); } + if ($offset === null) { + $offset = ''; + } + unset($this->data[$offset]); } From d34377077737e2007e9e4a655e1365174eb24b1c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 4 Nov 2025 04:28:51 +0000 Subject: [PATCH 17/34] :lock_with_ink_pen: Update certificate bundle --- certificates/cacert.pem | 382 ++++++++++++++++----------------- certificates/cacert.pem.sha256 | 2 +- 2 files changed, 187 insertions(+), 197 deletions(-) diff --git a/certificates/cacert.pem b/certificates/cacert.pem index e8cc6c1c0..5d325ac6f 100644 --- a/certificates/cacert.pem +++ b/certificates/cacert.pem @@ -1,14 +1,14 @@ ## ## Bundle of CA Root Certificates ## -## Certificate data from Mozilla as of: Tue Dec 31 04:12:05 2024 GMT +## Certificate data from Mozilla as of: Tue Nov 4 04:12:02 2025 GMT ## ## Find updated versions here: https://curl.se/docs/caextract.html ## ## This is a bundle of X.509 certificates of public Certificate Authorities ## (CA). These were automatically extracted from Mozilla's root certificates ## file (certdata.txt). This file can be found in the mozilla source tree: -## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt +## https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt ## ## It contains the certificates in PEM format and therefore ## can be directly used with curl / libcurl / php_curl, or with @@ -16,76 +16,10 @@ ## Just configure this file as the SSLCACertificateFile. ## ## Conversion done with mk-ca-bundle.pl version 1.29. -## SHA256: c99d6d3f8d3d4e47719ba2b648992f5b58b150128d3aca3c05c566d8dc98e116 +## SHA256: 039132bff5179ce57cec5803ba59fe37abe6d0297aeb538c5af27847f0702517 ## -GlobalSign Root CA -================== ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx -GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds -b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV -BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD -VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa -DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc -THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb -Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP -c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX -gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF -AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj -Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG -j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH -hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC -X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== ------END CERTIFICATE----- - -Entrust.net Premium 2048 Secure Server CA -========================================= ------BEGIN CERTIFICATE----- -MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChMLRW50cnVzdC5u -ZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBpbmNvcnAuIGJ5IHJlZi4gKGxp -bWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNV -BAMTKkVudHJ1c3QubmV0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQx -NzUwNTFaFw0yOTA3MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3 -d3d3LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTEl -MCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5u -ZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEArU1LqRKGsuqjIAcVFmQqK0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOL -Gp18EzoOH1u3Hs/lJBQesYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSr -hRSGlVuXMlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVTXTzW -nLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/HoZdenoVve8AjhUi -VBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH4QIDAQABo0IwQDAOBgNVHQ8BAf8E -BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJ -KoZIhvcNAQEFBQADggEBADubj1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPy -T/4xmf3IDExoU8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf -zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5bu/8j72gZyxKT -J1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+bYQLCIt+jerXmCHG8+c8eS9e -nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE= ------END CERTIFICATE----- - -Baltimore CyberTrust Root -========================= ------BEGIN CERTIFICATE----- -MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJRTESMBAGA1UE -ChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3li -ZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoXDTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMC -SUUxEjAQBgNVBAoTCUJhbHRpbW9yZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFs -dGltb3JlIEN5YmVyVHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKME -uyKrmD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjrIZ3AQSsB -UnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeKmpYcqWe4PwzV9/lSEy/C -G9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSuXmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9 -XbIGevOF6uvUA65ehD5f/xXtabz5OTZydc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjpr -l3RjM71oGDHweI12v/yejl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoI -VDaGezq1BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEB -BQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT929hkTI7gQCvlYpNRh -cL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3WgxjkzSswF07r51XgdIGn9w/xZchMB5 -hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsa -Y71k5h+3zvDyny67G7fyUIhzksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9H -RCwBXbsdtTLSR9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp ------END CERTIFICATE----- - Entrust Root Certification Authority ==================================== -----BEGIN CERTIFICATE----- @@ -112,30 +46,6 @@ W3iDVuycNsMm4hH2Z0kdkquM++v/eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0 tHuu2guQOHXvgR1m0vdXcDazv/wor3ElhVsT/h5/WrQ8 -----END CERTIFICATE----- -Comodo AAA Services root -======================== ------BEGIN CERTIFICATE----- -MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEbMBkGA1UECAwS -R3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0Eg -TGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAw -MFoXDTI4MTIzMTIzNTk1OVowezELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hl -c3RlcjEQMA4GA1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNV -BAMMGEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQuaBtDFcCLNSS1UY8y2bmhG -C1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe3M/vg4aijJRPn2jymJBGhCfHdr/jzDUs -i14HZGWCwEiwqJH5YZ92IFCokcdmtet4YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszW -Y19zjNoFmag4qMsXeDZRrOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjH -Ypy+g8cmez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQUoBEK -Iz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wewYDVR0f -BHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNl -cy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29tb2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2Vz -LmNybDANBgkqhkiG9w0BAQUFAAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm -7l3sAg9g1o1QGE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz -Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2G9w84FoVxp7Z -8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsil2D4kF501KKaU73yqWjgom7C -12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg== ------END CERTIFICATE----- - QuoVadis Root CA 2 ================== -----BEGIN CERTIFICATE----- @@ -202,78 +112,6 @@ vGJHvOB0K7Lrfb5BG7XARsWhIstfTsEokt4YutUqKLsRixeTmJlglFwjz1onl14LBQaTNx47aTbr qZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK4SVhM7JZG+Ju1zdXtg2pEto= -----END CERTIFICATE----- -XRamp Global CA Root -==================== ------BEGIN CERTIFICATE----- -MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UE -BhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2Vj -dXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB -dXRob3JpdHkwHhcNMDQxMTAxMTcxNDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMx -HjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkg -U2VydmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS638eMpSe2OAtp87ZOqCwu -IR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCPKZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMx -foArtYzAQDsRhtDLooY2YKTVMIJt2W7QDxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FE -zG+gSqmUsE3a56k0enI4qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqs -AxcZZPRaJSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNViPvry -xS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud -EwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASsjVy16bYbMDYGA1UdHwQvMC0wK6Ap -oCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMC -AQEwDQYJKoZIhvcNAQEFBQADggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc -/Kh4ZzXxHfARvbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt -qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLaIR9NmXmd4c8n -nxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSyi6mx5O+aGtA9aZnuqCij4Tyz -8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQO+7ETPTsJ3xCwnR8gooJybQDJbw= ------END CERTIFICATE----- - -Go Daddy Class 2 CA -=================== ------BEGIN CERTIFICATE----- -MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMY -VGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRp -ZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkG -A1UEBhMCVVMxITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g -RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQAD -ggENADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCAPVYYYwhv -2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6wwdhFJ2+qN1j3hybX2C32 -qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXiEqITLdiOr18SPaAIBQi2XKVlOARFmR6j -YGB0xUGlcmIbYsUfb18aQr4CUWWoriMYavx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmY -vLEHZ6IVDd2gWMZEewo+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0O -BBYEFNLEsNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h/t2o -atTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMu -MTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwG -A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wim -PQoZ+YeAEW5p5JYXMP80kWNyOO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKt -I3lpjbi2Tc7PTMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ -HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mERdEr/VxqHD3VI -Ls9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5CufReYNnyicsbkqWletNw+vHX/b -vZ8= ------END CERTIFICATE----- - -Starfield Class 2 CA -==================== ------BEGIN CERTIFICATE----- -MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzElMCMGA1UEChMc -U3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZpZWxkIENsYXNzIDIg -Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBo -MQswCQYDVQQGEwJVUzElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAG -A1UECxMpU3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqG -SIb3DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf8MOh2tTY -bitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN+lq2cwQlZut3f+dZxkqZ -JRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVm -epsZGD3/cVE8MC5fvj13c7JdBmzDI1aaK4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSN -F4Azbl5KXZnJHoe0nRrA1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HF -MIHCMB0GA1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fRzt0f -hvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNo -bm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBDbGFzcyAyIENlcnRpZmljYXRpb24g -QXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGs -afPzWdqbAYcaT1epoXkJKtv3L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLM -PUxA2IGvd56Deruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl -xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynpVSJYACPq4xJD -KVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEYWQPJIrSPnNVeKtelttQKbfi3 -QBFGmh95DmK/D5fs4C8fF5Q= ------END CERTIFICATE----- - DigiCert Assured ID Root CA =========================== -----BEGIN CERTIFICATE----- @@ -371,37 +209,6 @@ NU0LbbqhPcCT4H8js1WtciVORvnSFu+wZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6Lqj viOvrv1vA+ACOzB2+httQc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ -----END CERTIFICATE----- -SwissSign Silver CA - G2 -======================== ------BEGIN CERTIFICATE----- -MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCQ0gxFTAT -BgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMB4X -DTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0NlowRzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3 -aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG -9w0BAQEFAAOCAg8AMIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644 -N0MvFz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7brYT7QbNHm -+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieFnbAVlDLaYQ1HTWBCrpJH -6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH6ATK72oxh9TAtvmUcXtnZLi2kUpCe2Uu -MGoM9ZDulebyzYLs2aFK7PayS+VFheZteJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5h -qAaEuSh6XzjZG6k4sIN/c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5 -FZGkECwJMoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRHHTBs -ROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTfjNFusB3hB48IHpmc -celM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb65i/4z3GcRm25xBWNOHkDRUjvxF3X -CO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOBrDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/ -BAUwAwEB/zAdBgNVHQ4EFgQUF6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRB -tjpbO8tFnb0cwpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 -cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBAHPGgeAn0i0P -4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShpWJHckRE1qTodvBqlYJ7YH39F -kWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L -3XWgwF15kIwb4FDm3jH+mHtwX6WQ2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx -/uNncqCxv1yL5PqZIseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFa -DGi8aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2Xem1ZqSqP -e97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQRdAtq/gsD/KNVV4n+Ssuu -WxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJ -DIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ub -DgEj8Z+7fNzcbBGXJbLytGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u ------END CERTIFICATE----- - SecureTrust CA ============== -----BEGIN CERTIFICATE----- @@ -3609,3 +3416,186 @@ AgEGMB0GA1UdDgQWBBTrQciu/NWeUUj1vYv0hyCTQSvT9DAKBggqhkjOPQQDAwNoADBlAjEA2S6J fl5OpBEHvVnCB96rMjhTKkZEBhd6zlHp4P9mLQlO4E/0BdGF9jVg3PVys0Z9AjBEmEYagoUeYWmJ SwdLZrWeqrqgHkHZAXQ6bkU6iYAZezKYVWOr62Nuk22rGwlgMU4= -----END CERTIFICATE----- + +D-TRUST BR Root CA 2 2023 +========================= +-----BEGIN CERTIFICATE----- +MIIFqTCCA5GgAwIBAgIQczswBEhb2U14LnNLyaHcZjANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQG +EwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEJSIFJvb3QgQ0Eg +MiAyMDIzMB4XDTIzMDUwOTA4NTYzMVoXDTM4MDUwOTA4NTYzMFowSDELMAkGA1UEBhMCREUxFTAT +BgNVBAoTDEQtVHJ1c3QgR21iSDEiMCAGA1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDIgMjAyMzCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK7/CVmRgApKaOYkP7in5Mg6CjoWzckjYaCT +cfKri3OPoGdlYNJUa2NRb0kz4HIHE304zQaSBylSa053bATTlfrdTIzZXcFhfUvnKLNEgXtRr90z +sWh81k5M/itoucpmacTsXld/9w3HnDY25QdgrMBM6ghs7wZ8T1soegj8k12b9py0i4a6Ibn08OhZ +WiihNIQaJZG2tY/vsvmA+vk9PBFy2OMvhnbFeSzBqZCTRphny4NqoFAjpzv2gTng7fC5v2Xx2Mt6 +++9zA84A9H3X4F07ZrjcjrqDy4d2A/wl2ecjbwb9Z/Pg/4S8R7+1FhhGaRTMBffb00msa8yr5LUL +QyReS2tNZ9/WtT5PeB+UcSTq3nD88ZP+npNa5JRal1QMNXtfbO4AHyTsA7oC9Xb0n9Sa7YUsOCIv +x9gvdhFP/Wxc6PWOJ4d/GUohR5AdeY0cW/jPSoXk7bNbjb7EZChdQcRurDhaTyN0dKkSw/bSuREV +MweR2Ds3OmMwBtHFIjYoYiMQ4EbMl6zWK11kJNXuHA7e+whadSr2Y23OC0K+0bpwHJwh5Q8xaRfX +/Aq03u2AnMuStIv13lmiWAmlY0cL4UEyNEHZmrHZqLAbWt4NDfTisl01gLmB1IRpkQLLddCNxbU9 +CZEJjxShFHR5PtbJFR2kWVki3PaKRT08EtY+XTIvAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQUZ5Dw1t61GNVGKX5cq/ieCLxklRAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRC +MEAwPqA8oDqGOGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfYnJfcm9vdF9jYV8y +XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQA097N3U9swFrktpSHxQCF16+tIFoE9c+CeJyrr +d6kTpGoKWloUMz1oH4Guaf2Mn2VsNELZLdB/eBaxOqwjMa1ef67nriv6uvw8l5VAk1/DLQOj7aRv +U9f6QA4w9QAgLABMjDu0ox+2v5Eyq6+SmNMW5tTRVFxDWy6u71cqqLRvpO8NVhTaIasgdp4D/Ca4 +nj8+AybmTNudX0KEPUUDAxxZiMrcLmEkWqTqJwtzEr5SswrPMhfiHocaFpVIbVrg0M8JkiZmkdij +YQ6qgYF/6FKC0ULn4B0Y+qSFNueG4A3rvNTJ1jxD8V1Jbn6Bm2m1iWKPiFLY1/4nwSPFyysCu7Ff +/vtDhQNGvl3GyiEm/9cCnnRK3PgTFbGBVzbLZVzRHTF36SXDw7IyN9XxmAnkbWOACKsGkoHU6XCP +pz+y7YaMgmo1yEJagtFSGkUPFaUA8JR7ZSdXOUPPfH/mvTWze/EZTN46ls/pdu4D58JDUjxqgejB +WoC9EV2Ta/vH5mQ/u2kc6d0li690yVRAysuTEwrt+2aSEcr1wPrYg1UDfNPFIkZ1cGt5SAYqgpq/ +5usWDiJFAbzdNpQ0qTUmiteXue4Icr80knCDgKs4qllo3UCkGJCy89UDyibK79XH4I9TjvAA46jt +n/mtd+ArY0+ew+43u3gJhJ65bvspmZDogNOfJA== +-----END CERTIFICATE----- + +TrustAsia TLS ECC Root CA +========================= +-----BEGIN CERTIFICATE----- +MIICMTCCAbegAwIBAgIUNnThTXxlE8msg1UloD5Sfi9QaMcwCgYIKoZIzj0EAwMwWDELMAkGA1UE +BhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dpZXMsIEluYy4xIjAgBgNVBAMTGVRy +dXN0QXNpYSBUTFMgRUNDIFJvb3QgQ0EwHhcNMjQwNTE1MDU0MTU2WhcNNDQwNTE1MDU0MTU1WjBY +MQswCQYDVQQGEwJDTjElMCMGA1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywgSW5jLjEiMCAG +A1UEAxMZVHJ1c3RBc2lhIFRMUyBFQ0MgUm9vdCBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLh/ +pVs/AT598IhtrimY4ZtcU5nb9wj/1WrgjstEpvDBjL1P1M7UiFPoXlfXTr4sP/MSpwDpguMqWzJ8 +S5sUKZ74LYO1644xST0mYekdcouJtgq7nDM1D9rs3qlKH8kzsaNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQULIVTu7FDzTLqnqOH/qKYqKaT6RAwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49 +BAMDA2gAMGUCMFRH18MtYYZI9HlaVQ01L18N9mdsd0AaRuf4aFtOJx24mH1/k78ITcTaRTChD15K +eAIxAKORh/IRM4PDwYqROkwrULG9IpRdNYlzg8WbGf60oenUoWa2AaU2+dhoYSi3dOGiMQ== +-----END CERTIFICATE----- + +TrustAsia TLS RSA Root CA +========================= +-----BEGIN CERTIFICATE----- +MIIFgDCCA2igAwIBAgIUHBjYz+VTPyI1RlNUJDxsR9FcSpwwDQYJKoZIhvcNAQEMBQAwWDELMAkG +A1UEBhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dpZXMsIEluYy4xIjAgBgNVBAMT +GVRydXN0QXNpYSBUTFMgUlNBIFJvb3QgQ0EwHhcNMjQwNTE1MDU0MTU3WhcNNDQwNTE1MDU0MTU2 +WjBYMQswCQYDVQQGEwJDTjElMCMGA1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywgSW5jLjEi +MCAGA1UEAxMZVHJ1c3RBc2lhIFRMUyBSU0EgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBAMMWuBtqpERz5dZO9LnPWwvB0ZqB9WOwj0PBuwhaGnrhB3YmH49pVr7+NmDQDIPN +lOrnxS1cLwUWAp4KqC/lYCZUlviYQB2srp10Zy9U+5RjmOMmSoPGlbYJQ1DNDX3eRA5gEk9bNb2/ +mThtfWza4mhzH/kxpRkQcwUqwzIZheo0qt1CHjCNP561HmHVb70AcnKtEj+qpklz8oYVlQwQX1Fk +zv93uMltrOXVmPGZLmzjyUT5tUMnCE32ft5EebuyjBza00tsLtbDeLdM1aTk2tyKjg7/D8OmYCYo +zza/+lcK7Fs/6TAWe8TbxNRkoDD75f0dcZLdKY9BWN4ArTr9PXwaqLEX8E40eFgl1oUh63kd0Nyr +z2I8sMeXi9bQn9P+PN7F4/w6g3CEIR0JwqH8uyghZVNgepBtljhb//HXeltt08lwSUq6HTrQUNoy +IBnkiz/r1RYmNzz7dZ6wB3C4FGB33PYPXFIKvF1tjVEK2sUYyJtt3LCDs3+jTnhMmCWr8n4uIF6C +FabW2I+s5c0yhsj55NqJ4js+k8UTav/H9xj8Z7XvGCxUq0DTbE3txci3OE9kxJRMT6DNrqXGJyV1 +J23G2pyOsAWZ1SgRxSHUuPzHlqtKZFlhaxP8S8ySpg+kUb8OWJDZgoM5pl+z+m6Ss80zDoWo8SnT +q1mt1tve1CuBAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLgHkXlcBvRG/XtZ +ylomkadFK/hTMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQwFAAOCAgEAIZtqBSBdGBanEqT3 +Rz/NyjuujsCCztxIJXgXbODgcMTWltnZ9r96nBO7U5WS/8+S4PPFJzVXqDuiGev4iqME3mmL5Dw8 +veWv0BIb5Ylrc5tvJQJLkIKvQMKtuppgJFqBTQUYo+IzeXoLH5Pt7DlK9RME7I10nYEKqG/odv6L +TytpEoYKNDbdgptvT+Bz3Ul/KD7JO6NXBNiT2Twp2xIQaOHEibgGIOcberyxk2GaGUARtWqFVwHx +tlotJnMnlvm5P1vQiJ3koP26TpUJg3933FEFlJ0gcXax7PqJtZwuhfG5WyRasQmr2soaB82G39tp +27RIGAAtvKLEiUUjpQ7hRGU+isFqMB3iYPg6qocJQrmBktwliJiJ8Xw18WLK7nn4GS/+X/jbh87q +qA8MpugLoDzga5SYnH+tBuYc6kIQX+ImFTw3OffXvO645e8D7r0i+yiGNFjEWn9hongPXvPKnbwb +PKfILfanIhHKA9jnZwqKDss1jjQ52MjqjZ9k4DewbNfFj8GQYSbbJIweSsCI3zWQzj8C9GRh3sfI +B5XeMhg6j6JCQCTl1jNdfK7vsU1P1FeQNWrcrgSXSYk0ly4wBOeY99sLAZDBHwo/+ML+TvrbmnNz +FrwFuHnYWa8G5z9nODmxfKuU4CkUpijy323imttUQ/hHWKNddBWcwauwxzQ= +-----END CERTIFICATE----- + +D-TRUST EV Root CA 2 2023 +========================= +-----BEGIN CERTIFICATE----- +MIIFqTCCA5GgAwIBAgIQaSYJfoBLTKCnjHhiU19abzANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQG +EwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0Eg +MiAyMDIzMB4XDTIzMDUwOTA5MTAzM1oXDTM4MDUwOTA5MTAzMlowSDELMAkGA1UEBhMCREUxFTAT +BgNVBAoTDEQtVHJ1c3QgR21iSDEiMCAGA1UEAxMZRC1UUlVTVCBFViBSb290IENBIDIgMjAyMzCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANiOo4mAC7JXUtypU0w3uX9jFxPvp1sjW2l1 +sJkKF8GLxNuo4MwxusLyzV3pt/gdr2rElYfXR8mV2IIEUD2BCP/kPbOx1sWy/YgJ25yE7CUXFId/ +MHibaljJtnMoPDT3mfd/06b4HEV8rSyMlD/YZxBTfiLNTiVR8CUkNRFeEMbsh2aJgWi6zCudR3Mf +vc2RpHJqnKIbGKBv7FD0fUDCqDDPvXPIEysQEx6Lmqg6lHPTGGkKSv/BAQP/eX+1SH977ugpbzZM +lWGG2Pmic4ruri+W7mjNPU0oQvlFKzIbRlUWaqZLKfm7lVa/Rh3sHZMdwGWyH6FDrlaeoLGPaxK3 +YG14C8qKXO0elg6DpkiVjTujIcSuWMYAsoS0I6SWhjW42J7YrDRJmGOVxcttSEfi8i4YHtAxq910 +7PncjLgcjmgjutDzUNzPZY9zOjLHfP7KgiJPvo5iR2blzYfi6NUPGJ/lBHJLRjwQ8kTCZFZxTnXo +nMkmdMV9WdEKWw9t/p51HBjGGjp82A0EzM23RWV6sY+4roRIPrN6TagD4uJ+ARZZaBhDM7DS3LAa +QzXupdqpRlyuhoFBAUp0JuyfBr/CBTdkdXgpaP3F9ev+R/nkhbDhezGdpn9yo7nELC7MmVcOIQxF +AZRl62UJxmMiCzNJkkg8/M3OsD6Onov4/knFNXJHAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQUqvyREBuHkV8Wub9PS5FeAByxMoAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRC +MEAwPqA8oDqGOGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfZXZfcm9vdF9jYV8y +XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQCTy6UfmRHsmg1fLBWTxj++EI14QvBukEdHjqOS +Mo1wj/Zbjb6JzkcBahsgIIlbyIIQbODnmaprxiqgYzWRaoUlrRc4pZt+UPJ26oUFKidBK7GB0aL2 +QHWpDsvxVUjY7NHss+jOFKE17MJeNRqrphYBBo7q3C+jisosketSjl8MmxfPy3MHGcRqwnNU73xD +UmPBEcrCRbH0O1P1aa4846XerOhUt7KR/aypH/KH5BfGSah82ApB9PI+53c0BFLd6IHyTS9URZ0V +4U/M5d40VxDJI3IXcI1QcB9WbMy5/zpaT2N6w25lBx2Eof+pDGOJbbJAiDnXH3dotfyc1dZnaVuo +dNv8ifYbMvekJKZ2t0dT741Jj6m2g1qllpBFYfXeA08mD6iL8AOWsKwV0HFaanuU5nCT2vFp4LJi +TZ6P/4mdm13NRemUAiKN4DV/6PEEeXFsVIP4M7kFMhtYVRFP0OUnR3Hs7dpn1mKmS00PaaLJvOwi +S5THaJQXfuKOKD62xur1NGyfN4gHONuGcfrNlUhDbqNPgofXNJhuS5N5YHVpD/Aa1VP6IQzCP+k/ +HxiMkl14p3ZnGbuy6n/pcAlWVqOwDAstNl7F6cTVg8uGF5csbBNvh1qvSaYd2804BC5f4ko1Di1L ++KIkBI3Y4WNeApI02phhXBxvWHZks/wCuPWdCg== +-----END CERTIFICATE----- + +SwissSign RSA TLS Root CA 2022 - 1 +================================== +-----BEGIN CERTIFICATE----- +MIIFkzCCA3ugAwIBAgIUQ/oMX04bgBhE79G0TzUfRPSA7cswDQYJKoZIhvcNAQELBQAwUTELMAkG +A1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzErMCkGA1UEAxMiU3dpc3NTaWduIFJTQSBU +TFMgUm9vdCBDQSAyMDIyIC0gMTAeFw0yMjA2MDgxMTA4MjJaFw00NzA2MDgxMTA4MjJaMFExCzAJ +BgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxKzApBgNVBAMTIlN3aXNzU2lnbiBSU0Eg +VExTIFJvb3QgQ0EgMjAyMiAtIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDLKmji +C8NXvDVjvHClO/OMPE5Xlm7DTjak9gLKHqquuN6orx122ro10JFwB9+zBvKK8i5VUXu7LCTLf5Im +gKO0lPaCoaTo+nUdWfMHamFk4saMla+ju45vVs9xzF6BYQ1t8qsCLqSX5XH8irCRIFucdFJtrhUn +WXjyCcplDn/L9Ovn3KlMd/YrFgSVrpxxpT8q2kFC5zyEEPThPYxr4iuRR1VPuFa+Rd4iUU1OKNlf +GUEGjw5NBuBwQCMBauTLE5tzrE0USJIt/m2n+IdreXXhvhCxqohAWVTXz8TQm0SzOGlkjIHRI36q +OTw7D59Ke4LKa2/KIj4x0LDQKhySio/YGZxH5D4MucLNvkEM+KRHBdvBFzA4OmnczcNpI/2aDwLO +EGrOyvi5KaM2iYauC8BPY7kGWUleDsFpswrzd34unYyzJ5jSmY0lpx+Gs6ZUcDj8fV3oT4MM0ZPl +EuRU2j7yrTrePjxF8CgPBrnh25d7mUWe3f6VWQQvdT/TromZhqwUtKiE+shdOxtYk8EXlFXIC+OC +eYSf8wCENO7cMdWP8vpPlkwGqnj73mSiI80fPsWMvDdUDrtaclXvyFu1cvh43zcgTFeRc5JzrBh3 +Q4IgaezprClG5QtO+DdziZaKHG29777YtvTKwP1H8K4LWCDFyB02rpeNUIMmJCn3nTsPBQIDAQAB +o2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBRvjmKLk0Ow +4UD2p8P98Q+4DxU4pTAdBgNVHQ4EFgQUb45ii5NDsOFA9qfD/fEPuA8VOKUwDQYJKoZIhvcNAQEL +BQADggIBAKwsKUF9+lz1GpUYvyypiqkkVHX1uECry6gkUSsYP2OprphWKwVDIqO310aewCoSPY6W +lkDfDDOLazeROpW7OSltwAJsipQLBwJNGD77+3v1dj2b9l4wBlgzHqp41eZUBDqyggmNzhYzWUUo +8aWjlw5DI/0LIICQ/+Mmz7hkkeUFjxOgdg3XNwwQiJb0Pr6VvfHDffCjw3lHC1ySFWPtUnWK50Zp +y1FVCypM9fJkT6lc/2cyjlUtMoIcgC9qkfjLvH4YoiaoLqNTKIftV+Vlek4ASltOU8liNr3Cjlvr +zG4ngRhZi0Rjn9UMZfQpZX+RLOV/fuiJz48gy20HQhFRJjKKLjpHE7iNvUcNCfAWpO2Whi4Z2L6M +OuhFLhG6rlrnub+xzI/goP+4s9GFe3lmozm1O2bYQL7Pt2eLSMkZJVX8vY3PXtpOpvJpzv1/THfQ +wUY1mFwjmwJFQ5Ra3bxHrSL+ul4vkSkphnsh3m5kt8sNjzdbowhq6/TdAo9QAwKxuDdollDruF/U +KIqlIgyKhPBZLtU30WHlQnNYKoH3dtvi4k0NX/a3vgW0rk4N3hY9A4GzJl5LuEsAz/+MF7psYC0n +hzck5npgL7XTgwSqT0N1osGDsieYK7EOgLrAhV5Cud+xYJHT6xh+cHiudoO+cVrQkOPKwRYlZ0rw +tnu64ZzZ +-----END CERTIFICATE----- + +OISTE Server Root ECC G1 +======================== +-----BEGIN CERTIFICATE----- +MIICNTCCAbqgAwIBAgIQI/nD1jWvjyhLH/BU6n6XnTAKBggqhkjOPQQDAzBLMQswCQYDVQQGEwJD +SDEZMBcGA1UECgwQT0lTVEUgRm91bmRhdGlvbjEhMB8GA1UEAwwYT0lTVEUgU2VydmVyIFJvb3Qg +RUNDIEcxMB4XDTIzMDUzMTE0NDIyOFoXDTQ4MDUyNDE0NDIyN1owSzELMAkGA1UEBhMCQ0gxGTAX +BgNVBAoMEE9JU1RFIEZvdW5kYXRpb24xITAfBgNVBAMMGE9JU1RFIFNlcnZlciBSb290IEVDQyBH +MTB2MBAGByqGSM49AgEGBSuBBAAiA2IABBcv+hK8rBjzCvRE1nZCnrPoH7d5qVi2+GXROiFPqOuj +vqQycvO2Ackr/XeFblPdreqqLiWStukhEaivtUwL85Zgmjvn6hp4LrQ95SjeHIC6XG4N2xml4z+c +KrhAS93mT6NjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBQ3TYhlz/w9itWj8UnATgwQ +b0K0nDAdBgNVHQ4EFgQUN02IZc/8PYrVo/FJwE4MEG9CtJwwDgYDVR0PAQH/BAQDAgGGMAoGCCqG +SM49BAMDA2kAMGYCMQCpKjAd0MKfkFFRQD6VVCHNFmb3U2wIFjnQEnx/Yxvf4zgAOdktUyBFCxxg +ZzFDJe0CMQCSia7pXGKDYmH5LVerVrkR3SW+ak5KGoJr3M/TvEqzPNcum9v4KGm8ay3sMaE641c= +-----END CERTIFICATE----- + + OISTE Server Root RSA G1 +========================= +-----BEGIN CERTIFICATE----- +MIIFgzCCA2ugAwIBAgIQVaXZZ5Qoxu0M+ifdWwFNGDANBgkqhkiG9w0BAQwFADBLMQswCQYDVQQG +EwJDSDEZMBcGA1UECgwQT0lTVEUgRm91bmRhdGlvbjEhMB8GA1UEAwwYT0lTVEUgU2VydmVyIFJv +b3QgUlNBIEcxMB4XDTIzMDUzMTE0MzcxNloXDTQ4MDUyNDE0MzcxNVowSzELMAkGA1UEBhMCQ0gx +GTAXBgNVBAoMEE9JU1RFIEZvdW5kYXRpb24xITAfBgNVBAMMGE9JU1RFIFNlcnZlciBSb290IFJT +QSBHMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKqu9KuCz/vlNwvn1ZatkOhLKdxV +YOPMvLO8LZK55KN68YG0nnJyQ98/qwsmtO57Gmn7KNByXEptaZnwYx4M0rH/1ow00O7brEi56rAU +jtgHqSSY3ekJvqgiG1k50SeH3BzN+Puz6+mTeO0Pzjd8JnduodgsIUzkik/HEzxux9UTl7Ko2yRp +g1bTacuCErudG/L4NPKYKyqOBGf244ehHa1uzjZ0Dl4zO8vbUZeUapU8zhhabkvG/AePLhq5Svdk +NCncpo1Q4Y2LS+VIG24ugBA/5J8bZT8RtOpXaZ+0AOuFJJkk9SGdl6r7NH8CaxWQrbueWhl/pIzY ++m0o/DjH40ytas7ZTpOSjswMZ78LS5bOZmdTaMsXEY5Z96ycG7mOaES3GK/m5Q9l3JUJsJMStR8+ +lKXHiHUhsd4JJCpM4rzsTGdHwimIuQq6+cF0zowYJmXa92/GjHtoXAvuY8BeS/FOzJ8vD+HomnqT +8eDI278n5mUpezbgMxVz8p1rhAhoKzYHKyfMeNhqhw5HdPSqoBNdZH702xSu+zrkL8Fl47l6QGzw +Brd7KJvX4V84c5Ss2XCTLdyEr0YconosP4EmQufU2MVshGYRi3drVByjtdgQ8K4p92cIiBdcuJd5 +z+orKu5YM+Vt6SmqZQENghPsJQtdLEByFSnTkCz3GkPVavBpAgMBAAGjYzBhMA8GA1UdEwEB/wQF +MAMBAf8wHwYDVR0jBBgwFoAU8snBDw1jALvsRQ5KH7WxszbNDo0wHQYDVR0OBBYEFPLJwQ8NYwC7 +7EUOSh+1sbM2zQ6NMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANGd5sjrG5T33 +I3K5Ce+SrScfoE4KsvXaFwyihdJ+klH9FWXXXGtkFu6KRcoMQzZENdl//nk6HOjG5D1rd9QhEOP2 +8yBOqb6J8xycqd+8MDoX0TJD0KqKchxRKEzdNsjkLWd9kYccnbz8qyiWXmFcuCIzGEgWUOrKL+ml +Sdx/PKQZvDatkuK59EvV6wit53j+F8Bdh3foZ3dPAGav9LEDOr4SfEE15fSmG0eLy3n31r8Xbk5l +8PjaV8GUgeV6Vg27Rn9vkf195hfkgSe7BYhW3SCl95gtkRlpMV+bMPKZrXJAlszYd2abtNUOshD+ +FKrDgHGdPY3ofRRsYWSGRqbXVMW215AWRqWFyp464+YTFrYVI8ypKVL9AMb2kI5Wj4kI3Zaq5tNq +qYY19tVFeEJKRvwDyF7YZvZFZSS0vod7VSCd9521Kvy5YhnLbDuv0204bKt7ph6N/Ome/msVuduC +msuY33OhkKCgxeDoAaijFJzIwZqsFVAzje18KotzlUBDJvyBpCpfOZC3J8tRd/iWkx7P8nd9H0aT +olkelUTFLXVksNb54Dxp6gS1HAviRkRNQzuXSXERvSS2wq1yVAb+axj5d9spLFKebXd7Yv0PTY6Y +MjAwcRLWJTXjn/hvnLXrahut6hDTlhZyBiElxky8j3C7DOReIoMt0r7+hVu05L0= +-----END CERTIFICATE----- diff --git a/certificates/cacert.pem.sha256 b/certificates/cacert.pem.sha256 index 28b6757c1..9810b6b26 100644 --- a/certificates/cacert.pem.sha256 +++ b/certificates/cacert.pem.sha256 @@ -1 +1 @@ -a3f328c21e39ddd1f2be1cea43ac0dec819eaa20a90425d7da901a11531b3aa5 cacert.pem +8ac40bdd3d3e151a6b4078d2b2029796e8f843e3f86fbf2adbc4dd9f05e79def cacert.pem From 79fdb01453b1384b2237485e908921c5bfaf89ff Mon Sep 17 00:00:00 2001 From: jrfnl Date: Thu, 13 Nov 2025 20:03:49 +0100 Subject: [PATCH 18/34] Composer: remove roave/security-advisories The `roave/security-advisories` package was an inventive method to block installation of known insecure versions of other dependencies (via a `conflict` annotation). As of Composer 2.9, using the `roave/security-advisories` package for this purpose is no longer needed as Composer will now natively block installation of known insecure versions of dependencies. And while not all contributors to this repo may be using Composer 2.9+ (yet), Composer 2.9+ **_will_** be used in CI and CI failing on Composer blocking an insecure dependency offers the same level of protection as the package previously offered. Refs: * https://blog.packagist.com/composer-2-9/ * https://github.com/composer/composer/releases/tag/2.9.0 --- composer.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/composer.json b/composer.json index baba09b4a..1750eb398 100644 --- a/composer.json +++ b/composer.json @@ -53,8 +53,7 @@ "dealerdirect/phpcodesniffer-composer-installer": "^0.7", "php-parallel-lint/php-parallel-lint": "^1.3.1", "php-parallel-lint/php-console-highlighter": "^0.5.0", - "yoast/phpunit-polyfills": "^1.1.5", - "roave/security-advisories": "dev-latest" + "yoast/phpunit-polyfills": "^1.1.5" }, "suggest": { "ext-curl": "For improved performance", From f60e4474d0042c4f54fbe8d233ca1d86db0034a1 Mon Sep 17 00:00:00 2001 From: Alain Schlesser Date: Thu, 20 Nov 2025 09:12:11 +0000 Subject: [PATCH 19/34] Fix tests for expired and revoked SSL certificates The tests for expired or revoked SSL certificates were failing for both Curl and FsockOpen because the test site we had been using has changed (https://testssl-expire.disig.sk/index.en.html). This commit switches the test site to use expired/revoked.badssl.com, which is more of an industry standard. The exception message to expect needed to be changed as well to make the expired test pass. The revoked test has been set to be skipped, as it turns out that revocation checking is disabled by default for PHP's cURL. See #966 --- tests/Transport/BaseTestCase.php | 6 ++++-- tests/Transport/CurlTest.php | 4 ++-- tests/Transport/FsockopenTest.php | 4 ++-- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/tests/Transport/BaseTestCase.php b/tests/Transport/BaseTestCase.php index acc2e6e72..00fd584bd 100644 --- a/tests/Transport/BaseTestCase.php +++ b/tests/Transport/BaseTestCase.php @@ -851,17 +851,19 @@ public function testExpiredHTTPS() { } $this->expectException(Exception::class); - Requests::get('https://testssl-expire.disig.sk/index.en.html', [], $this->getOptions()); + Requests::get('https://expired.badssl.com/', [], $this->getOptions()); } public function testRevokedHTTPS() { + $this->markTestSkipped('Certificate revocation checking is not enabled by default in PHP. See issue #966.'); + if ($this->skip_https) { $this->markTestSkipped('SSL support is not available.'); return; } $this->expectException(Exception::class); - Requests::get('https://testssl-revoked.disig.sk/index.en.html', [], $this->getOptions()); + Requests::get('https://revoked.badssl.com/', [], $this->getOptions()); } /** diff --git a/tests/Transport/CurlTest.php b/tests/Transport/CurlTest.php index a96401038..d7312ece8 100644 --- a/tests/Transport/CurlTest.php +++ b/tests/Transport/CurlTest.php @@ -18,13 +18,13 @@ public function testBadIP() { public function testExpiredHTTPS() { $this->expectException(Exception::class); - $this->expectExceptionMessage('certificate subject name'); + $this->expectExceptionMessage('certificate has expired'); parent::testExpiredHTTPS(); } public function testRevokedHTTPS() { $this->expectException(Exception::class); - $this->expectExceptionMessage('certificate subject name'); + $this->expectExceptionMessage('certificate has been revoked'); parent::testRevokedHTTPS(); } diff --git a/tests/Transport/FsockopenTest.php b/tests/Transport/FsockopenTest.php index 47173d188..c23564d2c 100644 --- a/tests/Transport/FsockopenTest.php +++ b/tests/Transport/FsockopenTest.php @@ -18,13 +18,13 @@ public function testBadIP() { public function testExpiredHTTPS() { $this->expectException(Exception::class); - $this->expectExceptionMessage('SSL certificate did not match the requested domain name'); + $this->expectExceptionMessage('certificate verify failed'); parent::testExpiredHTTPS(); } public function testRevokedHTTPS() { $this->expectException(Exception::class); - $this->expectExceptionMessage('SSL certificate did not match the requested domain name'); + $this->expectExceptionMessage('certificate verify failed'); parent::testRevokedHTTPS(); } From dbe8503c7abf086567d37ce569ec60ac21b85399 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Thu, 20 Nov 2025 10:52:40 +0100 Subject: [PATCH 20/34] PHP 8.5 | FilteredIterator: do not accept objects The tests for the `FilteredIterator::__construct()` method were failing on PHP 8.5 as we were explicitly testing the class for accepting objects. While this _is_ still supported on PHP 8.5, it is deprecated and results in the following deprecation notices: ``` 1) /home/runner/work/Requests/Requests/src/Utility/FilteredIterator.php:43 ArrayIterator::__construct(): Using an object as a backing array for ArrayIterator is deprecated, as it allows violating class constraints and invariants Triggered by: * WpOrg\Requests\Tests\Utility\FilteredIterator\ConstructorTest::testValidData#ArrayIterator object /home/runner/work/Requests/Requests/tests/Utility/FilteredIterator/ConstructorTest.php:26 * WpOrg\Requests\Tests\Utility\FilteredIterator\ConstructorTest::testValidData#Iterator object, no array access /home/runner/work/Requests/Requests/tests/Utility/FilteredIterator/ConstructorTest.php:26 ``` This commit now makes two changes: 1. Change the `FilteredIterator::__construct()` method to no longer accept objects as a backing array. 2. No longer pass objects to the method when testing. With that, these test failures on PHP 8.5 are fixed. --- src/Utility/FilteredIterator.php | 4 ++-- tests/Utility/FilteredIteratorTest.php | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/Utility/FilteredIterator.php b/src/Utility/FilteredIterator.php index 4865966c4..1039ec1e2 100644 --- a/src/Utility/FilteredIterator.php +++ b/src/Utility/FilteredIterator.php @@ -28,13 +28,13 @@ final class FilteredIterator extends ArrayIterator { /** * Create a new iterator * - * @param array $data The array or object to be iterated on. + * @param array $data The array to be iterated on. * @param callable $callback Callback to be called on each value * * @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $data argument is not iterable. */ public function __construct($data, $callback) { - if (InputValidator::is_iterable($data) === false) { + if (is_object($data) === true || InputValidator::is_iterable($data) === false) { throw InvalidArgument::create(1, '$data', 'iterable', gettype($data)); } diff --git a/tests/Utility/FilteredIteratorTest.php b/tests/Utility/FilteredIteratorTest.php index ee0d67482..d1c732c8f 100644 --- a/tests/Utility/FilteredIteratorTest.php +++ b/tests/Utility/FilteredIteratorTest.php @@ -93,8 +93,7 @@ public function testConstructorValidData($input) { */ public function dataConstructorValidData() { return [ - 'array' => [[1, 2, 3]], - 'iterable object' => [new ArrayIterator([1, 2, 3])], + 'array' => [[1, 2, 3]], ]; } From 30ef85c27f72d76bd2d46fe70278c163fa691062 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Fri, 14 Nov 2025 18:25:44 +0100 Subject: [PATCH 21/34] GH Actions: split "update-cacert" workflow GitHub has the annoying habit of disabling workflows with a cron job after two months if the repo doesn't see any activity. As this repo has been semi-dormant over the past year, this may become more regularly the case for this repo and this creates the following problem: * If the same workflow is used for both the cron job as well as the push/pull_request CI checks... * ... and a repo doesn't have any activity in two months time... * ... the workflow gets disabled... * ... which then also means that CI checks will no longer be run for new PRs.... * ... which means new PRs can't be merged as (in most cases) the repo has branch protection in place and requires that the CI checks pass before a PR can be merged. This commit basically changes the original workflow to a reusable workflow and then creates two new workflows, with different `on` targets, which each trigger the reusable workflow. * One workflow will be triggered via `cron`. * One workflow will have all the other triggers (`push`/`pull_request`/`workflow_dispatch`). This way, if the cron job workflow gets disabled, the workflow which is used for the other triggers will continue to function. The downside of this, is that it may go unnoticed that the cron job has stopped running, but so be it. --- .github/workflows/reusable-update-cacert.yml | 83 +++++++++++++++++++ .github/workflows/update-cacert-cron.yml | 19 +++++ .github/workflows/update-cacert.yml | 84 +------------------- 3 files changed, 105 insertions(+), 81 deletions(-) create mode 100644 .github/workflows/reusable-update-cacert.yml create mode 100644 .github/workflows/update-cacert-cron.yml diff --git a/.github/workflows/reusable-update-cacert.yml b/.github/workflows/reusable-update-cacert.yml new file mode 100644 index 000000000..0a3e6d7a1 --- /dev/null +++ b/.github/workflows/reusable-update-cacert.yml @@ -0,0 +1,83 @@ +name: Certificates + +on: + workflow_call: + +jobs: + certificate-check: + name: "Check for updated certificate bundle" + + runs-on: ubuntu-latest + steps: + - name: Determine branches to use + id: branches + env: + HEAD_REF: ${{ github.head_ref }} + PR_NUM: ${{ github.event.pull_request.number }} + run: | + if [[ "${{ github.event_name }}" == 'schedule' ]]; then + echo "BASE=develop" >> "$GITHUB_OUTPUT" + echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT" + elif [[ "${{ github.event_name }}" == 'push' ]]; then + # Pull requests should always go to develop, even when triggered via a push to stable. + echo "BASE=develop" >> "$GITHUB_OUTPUT" + echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT" + elif [[ $PR_NUM != '' ]]; then # = PR or manual (re-)run for a workflow triggered by a PR. + echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT" + echo "PR_BRANCH=feature/auto-update-cacert-$PR_NUM" >> "$GITHUB_OUTPUT" + else # = manual run. + echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT" + echo "PR_BRANCH=feature/auto-update-cacert-misc" >> "$GITHUB_OUTPUT" + fi + + - name: Checkout code + uses: actions/checkout@v5 + + - name: Restore etags cache for certificate files + uses: actions/cache@v4 + with: + path: certificates/etag-*.txt + key: curl-etag-${{ hashFiles('certificates/cacert.pem') }}-${{ hashFiles('certificates/cacert.pem.sha256') }} + restore-keys: | + curl-etag- + + - name: Get current certificate bundle if changed + working-directory: ./certificates + run: curl --etag-compare etag-cert.txt --etag-save etag-cert.txt --remote-name https://curl.se/ca/cacert.pem + + - name: Get current SHA256 checksum file for the bundle if changed + working-directory: ./certificates + run: curl --etag-compare etag-sha.txt --etag-save etag-sha.txt --remote-name https://curl.se/ca/cacert.pem.sha256 + + - name: Verify the checksum of the downloaded bundle + working-directory: ./certificates + run: sha256sum --check cacert.pem.sha256 + + - name: "Debug info: Show git status" + run: git status -vv --untracked=all + + # http://man7.org/linux/man-pages/man1/date.1.html + - name: "Get date" + id: get-date + run: echo "DATE=$(/bin/date -u "+%F")" >> "$GITHUB_OUTPUT" + + - name: Create pull request + uses: peter-evans/create-pull-request@v7 + with: + base: ${{ steps.branches.outputs.BASE }} + branch: ${{ steps.branches.outputs.PR_BRANCH }} + delete-branch: true + sign-commits: true + commit-message: ":lock_with_ink_pen: Update certificate bundle" + title: ":lock_with_ink_pen: Update certificate bundle" + body: | + Updated certificate bundle, last verified on ${{ steps.get-date.outputs.DATE }}. + + Source: https://curl.se/docs/caextract.html + + This PR is auto-generated by [create-pull-request](https://github.com/peter-evans/create-pull-request) using the `.github/workflows/update-cacert.yml` workflow. + labels: | + Type: enhancement + reviewers: | + jrfnl + schlessera diff --git a/.github/workflows/update-cacert-cron.yml b/.github/workflows/update-cacert-cron.yml new file mode 100644 index 000000000..b37d842e0 --- /dev/null +++ b/.github/workflows/update-cacert-cron.yml @@ -0,0 +1,19 @@ +name: Certificates Cronjob + +on: + # Run every day at 4:20. + schedule: + - cron: '20 4 * * *' + +# Cancels all previous workflow runs for the same branch that have not yet completed. +concurrency: + # The concurrency group contains the workflow name and the branch name. + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + certificate-check: + # Don't run the cron job on forks. + if: ${{ github.event.repository.fork == false }} + + uses: ./.github/workflows/reusable-update-cacert.yml diff --git a/.github/workflows/update-cacert.yml b/.github/workflows/update-cacert.yml index bfdd93e61..b3e600923 100644 --- a/.github/workflows/update-cacert.yml +++ b/.github/workflows/update-cacert.yml @@ -1,9 +1,6 @@ name: Certificates on: - # Run every day at 4:20. - schedule: - - cron: '20 4 * * *' # Run on every push to `stable` and `develop`. # Not using path selection here as it appears only the files in the last commit from the push are looked at. push: @@ -14,6 +11,8 @@ on: pull_request: paths: - '.github/workflows/update-cacert.yml' + - '.github/workflows/update-cacert-cron.yml' + - '.github/workflows/reusable-update-cacert.yml' - 'certificates/cacert.pem' - 'certificates/cacert.pem.sha256' # Also allow manually triggering the workflow. @@ -27,81 +26,4 @@ concurrency: jobs: certificate-check: - name: "Check for updated certificate bundle" - # Don't run the cron job on forks. - if: ${{ github.event_name != 'schedule' || github.event.repository.fork == false }} - - runs-on: ubuntu-latest - steps: - - name: Determine branches to use - id: branches - env: - HEAD_REF: ${{ github.head_ref }} - PR_NUM: ${{ github.event.pull_request.number }} - run: | - if [[ "${{ github.event_name }}" == 'schedule' ]]; then - echo "BASE=develop" >> "$GITHUB_OUTPUT" - echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT" - elif [[ "${{ github.event_name }}" == 'push' ]]; then - # Pull requests should always go to develop, even when triggered via a push to stable. - echo "BASE=develop" >> "$GITHUB_OUTPUT" - echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT" - elif [[ $PR_NUM != '' ]]; then # = PR or manual (re-)run for a workflow triggered by a PR. - echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT" - echo "PR_BRANCH=feature/auto-update-cacert-$PR_NUM" >> "$GITHUB_OUTPUT" - else # = manual run. - echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT" - echo "PR_BRANCH=feature/auto-update-cacert-misc" >> "$GITHUB_OUTPUT" - fi - - - name: Checkout code - uses: actions/checkout@v5 - - - name: Restore etags cache for certificate files - uses: actions/cache@v4 - with: - path: certificates/etag-*.txt - key: curl-etag-${{ hashFiles('certificates/cacert.pem') }}-${{ hashFiles('certificates/cacert.pem.sha256') }} - restore-keys: | - curl-etag- - - - name: Get current certificate bundle if changed - working-directory: ./certificates - run: curl --etag-compare etag-cert.txt --etag-save etag-cert.txt --remote-name https://curl.se/ca/cacert.pem - - - name: Get current SHA256 checksum file for the bundle if changed - working-directory: ./certificates - run: curl --etag-compare etag-sha.txt --etag-save etag-sha.txt --remote-name https://curl.se/ca/cacert.pem.sha256 - - - name: Verify the checksum of the downloaded bundle - working-directory: ./certificates - run: sha256sum --check cacert.pem.sha256 - - - name: "Debug info: Show git status" - run: git status -vv --untracked=all - - # http://man7.org/linux/man-pages/man1/date.1.html - - name: "Get date" - id: get-date - run: echo "DATE=$(/bin/date -u "+%F")" >> "$GITHUB_OUTPUT" - - - name: Create pull request - uses: peter-evans/create-pull-request@v7 - with: - base: ${{ steps.branches.outputs.BASE }} - branch: ${{ steps.branches.outputs.PR_BRANCH }} - delete-branch: true - sign-commits: true - commit-message: ":lock_with_ink_pen: Update certificate bundle" - title: ":lock_with_ink_pen: Update certificate bundle" - body: | - Updated certificate bundle, last verified on ${{ steps.get-date.outputs.DATE }}. - - Source: https://curl.se/docs/caextract.html - - This PR is auto-generated by [create-pull-request](https://github.com/peter-evans/create-pull-request) using the `.github/workflows/update-cacert.yml` workflow. - labels: | - Type: enhancement - reviewers: | - jrfnl - schlessera + uses: ./.github/workflows/reusable-update-cacert.yml From b95a259894dc54dcc91a9c18a8c093c917144196 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sun, 16 Nov 2025 04:08:18 +0100 Subject: [PATCH 22/34] GH Actions: allow test runs to succeed on fork As things were, test runs on forks (when the `stable` branch in the fork is updated) would always fail on the "upload code coverage reports" step, as forks (justifiably) don't have access to the `CODECOV_TOKEN`. Fixed now by updating the conditions to run that step. --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 29eaccbca..dd9bf2ea5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -136,7 +136,7 @@ jobs: run: vendor/bin/stop.sh - name: Send coverage report to Codecov - if: ${{ success() && matrix.coverage == true }} + if: ${{ success() && matrix.coverage == true && github.event.repository.fork == false }} uses: codecov/codecov-action@v5 with: token: "${{ secrets.CODECOV_TOKEN }}" From ab543642a8a1e7f95cc0a167f81db45a825fc2ad Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sun, 16 Nov 2025 04:18:45 +0100 Subject: [PATCH 23/34] GH Actions/test: use the latest Python version for mitmproxy Python 3.14 is supported by mitmproxy since mitmproxy 12.2.0 (released Oct 15, 2025). Refs: * [Python 3.14 changelog](https://docs.python.org/release/3.14.0/whatsnew/changelog.html#changelog) * [mitmproxy changelog](https://github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md#15-october-2025-mitmproxy-1220) --- .github/workflows/quicktest.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index 1d1fb3ec6..c46d586ee 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -53,7 +53,7 @@ jobs: - name: Setup Python uses: actions/setup-python@v6 with: - python-version: '3.13' + python-version: '3.14' - name: Setup proxy server run: pip3 install mitmproxy diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index dd9bf2ea5..17d9cfd8e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -80,7 +80,7 @@ jobs: - name: Setup Python uses: actions/setup-python@v6 with: - python-version: '3.13' + python-version: '3.14' - name: Setup proxy server run: pip3 install mitmproxy From 4535e2afc890d46fa010db20033c14aa2ec5acf7 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Thu, 20 Nov 2025 11:59:30 +0100 Subject: [PATCH 24/34] GH Actions: "pin" all action runners Recently there has been more and more focus on securing GH Actions workflows - in part due to some incidents. The problem with "unpinned" action runners is as follows: * Tags are mutable, which means that a tag could point to a safe commit today, but to a malicious commit tomorrow. Note that GitHub is currently beta-testing a new "immutable releases" feature (= tags and release artifacts can not be changed anymore once the release is published), but whether that has much effect depends on the ecosystem of the packages using the feature. Aside from that, it will likely take years before all projects adopt _immutable releases_. * Action runners often don't even point to a tag, but to a branch, making the used action runner a moving target. _Note: this type of "floating major" for action runners used to be promoted as good practice when the ecosystem was "young". Insights have since changed._ While it is convenient to use "floating majors" of action runners, as this means you only need to update the workflows on a new major release of the action runner, the price is higher risk of malicious code being executed in workflows. Dependabot, by now, can automatically submit PRs to update pinned action runners too, as long as the commit-hash pinned runner is followed by a comment listing the released version the commit is pointing to. So, what with Dependabot being capable of updating workflows with pinned action runners, I believe it is time to update the workflows to the _current_ best practice of using commit-hash pinned action runners. The downside of this change is that there will be more frequent Dependabot PRs. If this would become a burden/irritating, the following mitigations can be implemented: 1. Updating the Dependabot config to group updates instead of sending individual PRs per action runner. 2. A workflow to automatically merge Dependabot PRs as long as CI passes. Ref: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions --- .github/workflows/cs.yml | 8 ++++---- .github/workflows/lint.yml | 8 ++++---- .github/workflows/quicktest.yml | 8 ++++---- .github/workflows/reusable-update-cacert.yml | 6 +++--- .github/workflows/test.yml | 12 ++++++------ .github/workflows/update-website.yml | 16 ++++++++-------- 6 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml index 7eb6924ef..5004ea16b 100644 --- a/.github/workflows/cs.yml +++ b/.github/workflows/cs.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Add problem matcher if: ${{ github.event_name == 'pull_request' }} @@ -42,10 +42,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: '7.4' coverage: none @@ -54,7 +54,7 @@ jobs: # Install dependencies and handle caching in one go. # @link https://github.com/marketplace/actions/install-composer-dependencies - name: Install Composer dependencies - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 # Check the code-style consistency of the PHP files. - name: Check PHP code style diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8ebe81897..741394a15 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -27,10 +27,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: ${{ matrix.php }} ini-values: error_reporting=-1, display_errors=On, display_startup_errors=On, log_errors_max_len=0 @@ -41,7 +41,7 @@ jobs: # @link https://github.com/marketplace/actions/install-composer-dependencies - name: Install Composer dependencies - normal if: ${{ matrix.php != '8.5' }} - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: # Bust the cache at least once a month - output format: YYYY-MM. custom-cache-suffix: $(date -u "+%Y-%m") @@ -49,7 +49,7 @@ jobs: # For PHP "nightly", we need to install with ignore platform reqs. - name: Install Composer dependencies - with ignore platform if: ${{ matrix.php == '8.5' }} - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: composer-options: "--ignore-platform-req=php+" custom-cache-suffix: $(date -u "+%Y-%m") diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index c46d586ee..1cea54f02 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -27,10 +27,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: ${{ matrix.php }} ini-values: zend.assertions=1, error_reporting=-1, display_errors=On, display_startup_errors=On, log_errors_max_len=0 @@ -48,10 +48,10 @@ jobs: # Install dependencies and handle caching in one go. # @link https://github.com/marketplace/actions/install-composer-dependencies - name: Install Composer dependencies - normal - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: '3.14' diff --git a/.github/workflows/reusable-update-cacert.yml b/.github/workflows/reusable-update-cacert.yml index 0a3e6d7a1..9534d50d8 100644 --- a/.github/workflows/reusable-update-cacert.yml +++ b/.github/workflows/reusable-update-cacert.yml @@ -31,10 +31,10 @@ jobs: fi - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Restore etags cache for certificate files - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: certificates/etag-*.txt key: curl-etag-${{ hashFiles('certificates/cacert.pem') }}-${{ hashFiles('certificates/cacert.pem.sha256') }} @@ -62,7 +62,7 @@ jobs: run: echo "DATE=$(/bin/date -u "+%F")" >> "$GITHUB_OUTPUT" - name: Create pull request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: base: ${{ steps.branches.outputs.BASE }} branch: ${{ steps.branches.outputs.PR_BRANCH }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 17d9cfd8e..acd163ffd 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -38,10 +38,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: ${{ matrix.php }} ini-values: zend.assertions=1, error_reporting=-1, display_errors=On, display_startup_errors=On, log_errors_max_len=0 @@ -61,7 +61,7 @@ jobs: # @link https://github.com/marketplace/actions/install-composer-dependencies - name: Install Composer dependencies - normal if: ${{ matrix.php != '8.5' }} - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: # Bust the cache at least once a month - output format: YYYY-MM. custom-cache-suffix: $(date -u "+%Y-%m") @@ -69,7 +69,7 @@ jobs: # For PHP "nightly", we need to install with ignore platform reqs. - name: Install Composer dependencies - with ignore platform if: ${{ matrix.php == '8.5' }} - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: composer-options: "--ignore-platform-req=php+" custom-cache-suffix: $(date -u "+%Y-%m") @@ -78,7 +78,7 @@ jobs: run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: '3.14' @@ -137,7 +137,7 @@ jobs: - name: Send coverage report to Codecov if: ${{ success() && matrix.coverage == true && github.event.repository.fork == false }} - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: token: "${{ secrets.CODECOV_TOKEN }}" files: ./clover.xml diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index 28c48d323..ce1fd9e1b 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -49,12 +49,12 @@ jobs: fi - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{ steps.base_branch.outputs.BRANCH }} - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: '8.1' ini-values: display_errors=On, display_startup_errors=On @@ -73,7 +73,7 @@ jobs: # Retention is normally 90 days, but this artifact is only for review # and use in the next step, so no need to keep it for more than a day. - name: Upload the artifacts folder - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ success() }} with: name: website-updates @@ -111,12 +111,12 @@ jobs: fi - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: gh-pages - name: Download the prepared artifacts - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: website-updates path: artifacts @@ -163,7 +163,7 @@ jobs: run: git status -vv --untracked=all - name: Create pull request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: base: gh-pages branch: feature/auto-ghpages-update-${{ steps.get_pr_info.outputs.REF }} @@ -184,12 +184,12 @@ jobs: # Test that the site builds correctly. - name: Checkout the newly created branch - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: feature/auto-ghpages-update-${{ steps.get_pr_info.outputs.REF }} - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0 with: # Use the version as per https://pages.github.com/versions/. ruby-version: 3.3.4 From 1088c11554017ab8944b8273a10d95f4889a5b37 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:16:15 +0000 Subject: [PATCH 25/34] GH Actions: Bump actions/upload-artifact from 4.6.2 to 5.0.0 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...330a01c490aca151604b8cf639adc76d48f6c5d4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/update-website.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index ce1fd9e1b..a9b657289 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -73,7 +73,7 @@ jobs: # Retention is normally 90 days, but this artifact is only for review # and use in the next step, so no need to keep it for more than a day. - name: Upload the artifacts folder - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: ${{ success() }} with: name: website-updates From 8415addbf1bc94b32db9e5a165264f9c13afddc8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:16:19 +0000 Subject: [PATCH 26/34] GH Actions: Bump actions/download-artifact from 5.0.0 to 6.0.0 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 5.0.0 to 6.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/634f93cb2916e3fdff6788551b99b062d0335ce0...018cc2cf5baa6db3ef3c5f8a56943fffe632ef53) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/update-website.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index a9b657289..166df69bf 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -116,7 +116,7 @@ jobs: ref: gh-pages - name: Download the prepared artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: website-updates path: artifacts From 7ff5d450cf96b56d1309cb9551ea60a1252afe26 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sat, 20 Sep 2025 05:47:39 +0200 Subject: [PATCH 27/34] GH Actions: do not persist credentials > By default, using `actions/checkout` causes a credential to be persisted in the checked-out repo's `.git/config`, so that subsequent `git` operations can be authenticated. > > Subsequent steps may accidentally publicly persist `.git/config`, e.g. by including it in a publicly accessible artifact via `actions/upload-artifact`. > > However, even without this, persisting the credential in the `.git/config` is non-ideal unless actually needed. > > **Remediation** > > Unless needed for `git` operations, `actions/checkout` should be used with `persist-credentials: false`. > > If the persisted credential is needed, it should be made explicit with `persist-credentials: true`. This has now been addressed in all workflows. Refs: * https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/ * https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/cs.yml | 4 ++++ .github/workflows/lint.yml | 2 ++ .github/workflows/quicktest.yml | 2 ++ .github/workflows/reusable-update-cacert.yml | 2 ++ .github/workflows/test.yml | 2 ++ .github/workflows/update-website.yml | 3 +++ 6 files changed, 15 insertions(+) diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml index 5004ea16b..608ad18c0 100644 --- a/.github/workflows/cs.yml +++ b/.github/workflows/cs.yml @@ -21,6 +21,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Add problem matcher if: ${{ github.event_name == 'pull_request' }} @@ -43,6 +45,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 741394a15..1014ae7fe 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index 1cea54f02..ab03dcbac 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 diff --git a/.github/workflows/reusable-update-cacert.yml b/.github/workflows/reusable-update-cacert.yml index 9534d50d8..6a1516bec 100644 --- a/.github/workflows/reusable-update-cacert.yml +++ b/.github/workflows/reusable-update-cacert.yml @@ -32,6 +32,8 @@ jobs: - name: Checkout code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Restore etags cache for certificate files uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index acd163ffd..a63307f2c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -39,6 +39,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index 166df69bf..d0c2f3777 100644 --- a/.github/workflows/update-website.yml +++ b/.github/workflows/update-website.yml @@ -52,6 +52,7 @@ jobs: uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{ steps.base_branch.outputs.BRANCH }} + persist-credentials: false - name: Install PHP uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 @@ -114,6 +115,7 @@ jobs: uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: gh-pages + persist-credentials: false - name: Download the prepared artifacts uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -187,6 +189,7 @@ jobs: uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: feature/auto-ghpages-update-${{ steps.get_pr_info.outputs.REF }} + persist-credentials: false - name: Set up Ruby uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0 From e47bdadd3758558fd0066789448b65fadecc78d3 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Wed, 19 Nov 2025 02:33:49 +0100 Subject: [PATCH 28/34] GH Actions: update for the release of PHP 8.5 ... which is expected to be released this Thursday. * Builds against PHP 8.5 are no longer allowed to fail. * Update PHP version on which code coverage is run (high should now be 8.5). * Add _allowed to fail_ build against PHP 8.6. --- .github/workflows/lint.yml | 17 +++++------------ .github/workflows/test.yml | 19 ++++++------------- 2 files changed, 11 insertions(+), 25 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 1014ae7fe..9a949096b 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -20,10 +20,10 @@ jobs: strategy: matrix: # Lint against the high/low versions of each PHP major + nightly. - php: ['5.6', '7.0', '7.4', '8.0', '8.4', '8.5'] + php: ['5.6', '7.0', '7.4', '8.0', '8.5', '8.6'] name: "Lint: PHP ${{ matrix.php }}" - continue-on-error: ${{ matrix.php == '8.5' }} + continue-on-error: ${{ matrix.php == '8.6' }} steps: - name: Checkout code @@ -41,21 +41,14 @@ jobs: # Install dependencies and handle caching in one go. # @link https://github.com/marketplace/actions/install-composer-dependencies - - name: Install Composer dependencies - normal - if: ${{ matrix.php != '8.5' }} + - name: Install Composer dependencies uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: + # For PHP "nightly", we need to install with ignore platform reqs as not all dependencies may allow it yet. + composer-options: ${{ matrix.php == '8.6' && '--ignore-platform-req=php+' || '' }} # Bust the cache at least once a month - output format: YYYY-MM. custom-cache-suffix: $(date -u "+%Y-%m") - # For PHP "nightly", we need to install with ignore platform reqs. - - name: Install Composer dependencies - with ignore platform - if: ${{ matrix.php == '8.5' }} - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 - with: - composer-options: "--ignore-platform-req=php+" - custom-cache-suffix: $(date -u "+%Y-%m") - - name: Lint against parse errors if: ${{ matrix.php >= '7.2' }} run: composer lint -- --checkstyle | cs2pr diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a63307f2c..21b6fcdcc 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -23,18 +23,18 @@ jobs: # Keys: # - coverage: Whether to run the tests with code coverage. matrix: - php: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.5'] + php: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.6'] coverage: [false] include: # Run code coverage on high/low PHP. - php: '5.6' coverage: true - - php: '8.4' + - php: '8.5' coverage: true name: "Test: PHP ${{ matrix.php }}" - continue-on-error: ${{ matrix.php == '8.5' }} + continue-on-error: ${{ matrix.php == '8.6' }} steps: - name: Checkout code @@ -61,21 +61,14 @@ jobs: # Install dependencies and handle caching in one go. # @link https://github.com/marketplace/actions/install-composer-dependencies - - name: Install Composer dependencies - normal - if: ${{ matrix.php != '8.5' }} + - name: Install Composer dependencies uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: + # For PHP "nightly", we need to install with ignore platform reqs as not all dependencies may allow it yet. + composer-options: ${{ matrix.php == '8.6' && '--ignore-platform-req=php+' || '' }} # Bust the cache at least once a month - output format: YYYY-MM. custom-cache-suffix: $(date -u "+%Y-%m") - # For PHP "nightly", we need to install with ignore platform reqs. - - name: Install Composer dependencies - with ignore platform - if: ${{ matrix.php == '8.5' }} - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 - with: - composer-options: "--ignore-platform-req=php+" - custom-cache-suffix: $(date -u "+%Y-%m") - - name: Setup problem matcher to provide annotations for PHPUnit run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" From 04616f4e38ccfddb7bc7333d5bbe222cac4f0a8f Mon Sep 17 00:00:00 2001 From: jrfnl Date: Fri, 21 Nov 2025 11:55:40 +0100 Subject: [PATCH 29/34] CurlTest::testDoesntOverwriteExpectHeaderIfManuallySet(): skip test on PHP 5.6 For some unphantomable reason this test is now structurally failing on PHP 5.6 with Xdebug turned off. schlessera spend some time trying to debug this and trying to figure out why the test only fails on PHP 5.6 and only in the `quicktest` workflow, not in the `test` workflow, without a definitive conclusion. Considering that support for PHP < 7.2 will be dropped in the near future - see ticket 983 -, let's not spend any more time on this and just skip this test on PHP 5.6 (as flaky). --- tests/Transport/CurlTest.php | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/Transport/CurlTest.php b/tests/Transport/CurlTest.php index d7312ece8..6fdd36f39 100644 --- a/tests/Transport/CurlTest.php +++ b/tests/Transport/CurlTest.php @@ -39,6 +39,7 @@ public function testBadDomain() { /** * @small + * @requires PHP 7.0.0 */ public function testDoesntOverwriteExpectHeaderIfManuallySet() { $headers = [ From 366bbe79dfc006dcdd88c84c9ab3ddcbff6e27b3 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Fri, 21 Nov 2025 11:59:05 +0100 Subject: [PATCH 30/34] GH Actions/quicktest: fix proxy cancelling Follow up on 928 which moved the proxy related scripts, but contained an error in the new path for the proxy server stop commands in the `quicktest` workflow. --- .github/workflows/quicktest.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index ab03dcbac..cec7490bb 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -98,8 +98,8 @@ jobs: - name: Stop proxy server continue-on-error: true run: | - PORT=9002 scripts/stop.sh - PORT=9003 scripts/stop.sh + PORT=9002 scripts/proxy/stop.sh + PORT=9003 scripts/proxy/stop.sh - name: Stop test server continue-on-error: true From f5539f6a6da5fd2c083c5e1b3e0a4690517ac30b Mon Sep 17 00:00:00 2001 From: jrfnl Date: Fri, 21 Nov 2025 12:07:35 +0100 Subject: [PATCH 31/34] Composer: prevent a lock file from being created Composer 1.10.0 introduced a `lock` config option, which, when set to `false` will prevent a `composer.lock` file from being created and will ignore it when one exists. This is a useful option for packages such as this where the `lock` file has no meaning. It also makes life more straight-forward for contributors as they don't have to remember that for this repo they should use `composer update` instead of `composer install`. Both will now work the same. Refs: https://getcomposer.org/doc/06-config.md#lock --- composer.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 1750eb398..c7eeaa370 100644 --- a/composer.json +++ b/composer.json @@ -43,7 +43,8 @@ "config": { "allow-plugins": { "dealerdirect/phpcodesniffer-composer-installer": true - } + }, + "lock": false }, "require-dev": { "requests/test-server": "dev-main", From ef1fb952b382a826534785f4bbb1b8cf813d2ca8 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Fri, 21 Nov 2025 11:42:26 +0100 Subject: [PATCH 32/34] PHP 8.5 | CaseInsensitiveDictionary: final touches 1. PR 956 added some defensive coding to the `offset*()` methods in the `CaseInsensitiveDictionary` class, but was a little overzealous by also adding the defensive coding in the `offsetSet()` method which already would throw an exception and didn't need the extra defensive coding. This has been cleaned up now. 2. When running the tests on PHP 8.5, two more test-only deprecation notices show up, though they don't fail the tests due to the deprecation being hit in a class constant definition, i.e. when reading the class: ``` Deprecated: Using null as an array offset is deprecated, use an empty string instead in path/to/Requests/tests/Utility/CaseInsensitiveDictionary/ArrayAccessTest.php on line 24 Deprecated: Using null as an array offset is deprecated, use an empty string instead in path/to/Requests/tests/Utility/CaseInsensitiveDictionary/GetAllTest.php on line 19 ``` In both cases, the downlow of it is that PHP would _already_ convert the `null` key in the class constant to an empty string _at definition of the array_, so whether the array is declared with a `null` key or a `''` (empty string) key doesn't make any actual difference for the tests as by the time the data would hit the test code, the key would already be converted to an empty string. With that in mind, I've taken the decision to make this empty string key explicit. This doesn't diminish the value of the test and the guard code for the `offset*()` methods receiving a `null` `$key` is still being tested via the `ArrayAccessTest::testOffsetSetWithoutKey()` test and the `ArrayAccessTest::testAccessValidEntries()` with the "Null key will be converted to empty string" data set which is still in place as the data for that test is created via the `DATASET_REVERSED` constant (instead of the `DATASET` constant). This was previously designed this way explicitly to allow for testing the `null` offset case. --- src/Utility/CaseInsensitiveDictionary.php | 4 ---- tests/Utility/CaseInsensitiveDictionaryTest.php | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/src/Utility/CaseInsensitiveDictionary.php b/src/Utility/CaseInsensitiveDictionary.php index 0104a2e4a..d39a9d358 100644 --- a/src/Utility/CaseInsensitiveDictionary.php +++ b/src/Utility/CaseInsensitiveDictionary.php @@ -97,10 +97,6 @@ public function offsetSet($offset, $value) { $offset = strtolower($offset); } - if ($offset === null) { - $offset = ''; - } - $this->data[$offset] = $value; } diff --git a/tests/Utility/CaseInsensitiveDictionaryTest.php b/tests/Utility/CaseInsensitiveDictionaryTest.php index c5eb884c4..cca5a26f7 100644 --- a/tests/Utility/CaseInsensitiveDictionaryTest.php +++ b/tests/Utility/CaseInsensitiveDictionaryTest.php @@ -24,7 +24,7 @@ class CaseInsensitiveDictionaryTest extends TestCase { 'UPPER CASE' => 'Uppercase key', 'Proper Case' => 'First char in caps in key', 'lower case' => 'Lowercase key', - null => 'Null key will be converted to empty string', + '' => 'Null key will be converted to empty string', false => 'false key will become integer 0 key', true => 'true key will become integer 1 key', 5.0 => 'Float key will be converted to integer key (cut off)', From 3dfeb427f2ae2422d1a56e957fac5d247c4903fa Mon Sep 17 00:00:00 2001 From: jrfnl Date: Fri, 21 Nov 2025 12:45:09 +0100 Subject: [PATCH 33/34] CS: start using PHPCompatibility 10 Long anticipated, finally here: PHPCompatibility 10.0.0-alpha1 :tada: PHPCompatibility 10.0.0 brings huge improvements in both what is being detected (> 50 new sniffs), as well as the detection accuracy for pre-existing sniffs. Even though still "unstable", it is stable enough for our purposes and the advantages of using it outweight the disadvantage of it being an unstable version. By setting the `minimum-stability` and `prefer-stable` settings in the `composer.json`, we can ensure that we don't get the `dev-develop` branch, but rather get a `10.0.0` tag, unstable or not. And what with the improved detection, a number of php incompatibilities previously not flagged, are not flagged, even though we already handle them correctly via conditions. So this commit also adds a few selective ignore comments for those few situations where they are needed. Ref: * https://github.com/PHPCompatibility/PHPCompatibility/wiki/Upgrading-to-PHPCompatibility-10.0 * https://github.com/PHPCompatibility/PHPCompatibility/releases/tag/10.0.0-alpha1 --- composer.json | 6 ++++-- src/Transport/Curl.php | 2 ++ src/Transport/Fsockopen.php | 2 ++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/composer.json b/composer.json index c7eeaa370..da9a903fc 100644 --- a/composer.json +++ b/composer.json @@ -49,9 +49,9 @@ "require-dev": { "requests/test-server": "dev-main", "squizlabs/php_codesniffer": "^3.6", - "phpcompatibility/php-compatibility": "^9.0", + "phpcompatibility/php-compatibility": "^10.0.0@dev", "wp-coding-standards/wpcs": "^2.0", - "dealerdirect/phpcodesniffer-composer-installer": "^0.7", + "dealerdirect/phpcodesniffer-composer-installer": "^0.7 || ^1.0", "php-parallel-lint/php-parallel-lint": "^1.3.1", "php-parallel-lint/php-console-highlighter": "^0.5.0", "yoast/phpunit-polyfills": "^1.1.5" @@ -62,6 +62,8 @@ "ext-zlib": "For improved performance when decompressing encoded streams", "art4/requests-psr18-adapter": "For using Requests as a PSR-18 HTTP Client" }, + "minimum-stability": "dev", + "prefer-stable": true, "autoload": { "psr-4": { "WpOrg\\Requests\\": "src/" diff --git a/src/Transport/Curl.php b/src/Transport/Curl.php index e5e6107e1..49522f5f9 100644 --- a/src/Transport/Curl.php +++ b/src/Transport/Curl.php @@ -126,6 +126,7 @@ public function __construct() { */ public function __destruct() { if (is_resource($this->handle)) { + // phpcs:ignore PHPCompatibility.FunctionUse.RemovedFunctions.curl_closeDeprecated,Generic.PHP.DeprecatedFunctions.Deprecated curl_close($this->handle); } } @@ -307,6 +308,7 @@ public function request_multiple($requests, $options) { curl_multi_remove_handle($multihandle, $done['handle']); if (is_resource($done['handle'])) { + // phpcs:ignore PHPCompatibility.FunctionUse.RemovedFunctions.curl_closeDeprecated,Generic.PHP.DeprecatedFunctions.Deprecated curl_close($done['handle']); } diff --git a/src/Transport/Fsockopen.php b/src/Transport/Fsockopen.php index 6bd82a32f..c8e657a01 100644 --- a/src/Transport/Fsockopen.php +++ b/src/Transport/Fsockopen.php @@ -148,9 +148,11 @@ public function request($url, $headers = [], $data = [], $options = []) { // Ref: https://wiki.php.net/rfc/deprecate_functions_with_overloaded_signatures#stream_context_set_option if (function_exists('stream_context_set_options')) { // PHP 8.3+. + // phpcs:ignore PHPCompatibility.FunctionUse.NewFunctions.stream_context_set_optionsFound stream_context_set_options($context, ['ssl' => $context_options]); } else { // PHP < 8.3. + // phpcs:ignore PHPCompatibility.FunctionUse.OptionalToRequiredFunctionParameters stream_context_set_option($context, ['ssl' => $context_options]); } } else { From 457dba4c597f2f8f689b33e87a5f1cff0c271159 Mon Sep 17 00:00:00 2001 From: Alain Schlesser Date: Fri, 21 Nov 2025 08:25:23 +0000 Subject: [PATCH 34/34] Changelog for release 2.0.16 * Includes updating the version number constant. --- CHANGELOG.md | 27 +++++++++++++++++++++++++++ src/Requests.php | 2 +- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 48f4de966..326805a37 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,30 @@ Changelog ========= +2.0.16 +------ + +### Overview of changes +- Update bundled certificates as of 2025-11-04. [#954] +- Fixed: PHP 8.5 deprecation notices for `Reflection*::setAccessible()` [#940] +- Fixed: PHP 8.5 deprecation notices for `curl_close()` [#947] Props [@TobiasBg][gh-TobiasBg] +- Fixed: PHP 8.5 deprecation notices `Using null as an array offset` [#956] +- Fixed: Disallow `FilteredIterator` to accept objects (PHP 8.5 deprecation). [#968] + Note: This is technically a breaking change as this was documented behaviour. However, `FilteredIterator` is an internal class and the only detected use of this behavior was in a test. +- Fixed: tests for expired and revoked SSL certificates. [#967] +- Composer: remove `roave/security-advisories` (no longer needed with Composer 2.9+). [#961] +- README: corrected Python Requests library URL. [#944] Props [@pmbaldha][gh-pmbaldha] +- General housekeeping. + +[#940]: https://github.com/WordPress/Requests/pull/940 +[#944]: https://github.com/WordPress/Requests/pull/944 +[#947]: https://github.com/WordPress/Requests/pull/947 +[#954]: https://github.com/WordPress/Requests/pull/954 +[#956]: https://github.com/WordPress/Requests/pull/956 +[#961]: https://github.com/WordPress/Requests/pull/961 +[#967]: https://github.com/WordPress/Requests/pull/967 +[#968]: https://github.com/WordPress/Requests/pull/968 + 2.0.15 ------ @@ -1096,6 +1120,7 @@ Initial release! [gh-ozh]: https://github.com/ozh [gh-patmead]: https://github.com/patmead [gh-peterwilsoncc]: https://github.com/peterwilsoncc +[gh-pmbaldha]: https://github.com/pmbaldha [gh-qibinghua]: https://github.com/qibinghua [gh-remik]: https://github.com/remik [gh-rmccue]: https://github.com/rmccue @@ -1109,6 +1134,7 @@ Initial release! [gh-szepeviktor]: https://github.com/szepeviktor [gh-TimothyBJacobs]: https://github.com/TimothyBJacobs [gh-tnorthcutt]: https://github.com/tnorthcutt +[gh-TobiasBg]: https://github.com/TobiasBg [gh-todeveni]: https://github.com/todeveni [gh-tomsommer]: https://github.com/tomsommer [gh-tonebender]: https://github.com/tonebender @@ -1119,3 +1145,4 @@ Initial release! [gh-xknown]: https://github.com/xknown [gh-Zegnat]: https://github.com/Zegnat [gh-ZsgsDesign]: https://github.com/ZsgsDesign + diff --git a/src/Requests.php b/src/Requests.php index 9dec0abe4..504ff48ea 100644 --- a/src/Requests.php +++ b/src/Requests.php @@ -148,7 +148,7 @@ class Requests { * * @var string */ - const VERSION = '2.0.15'; + const VERSION = '2.0.16'; /** * Selected transport name