Fixes #834

[filisko]

Hi,

This PR fixes #834.

[chalasr]

Apologies for the breakage, and thanks a lot for the patch @filisko

[filisko]

@chalasr you welcome, thanks for the quick response ;)

[chalasr]

Released in v2.11.1 :)

[wiese]

Stumbled upon this while researching why, when running composer require jwt-auth, a deprecated library (namshi/jose) and with it a surprising polyfill (symfony/polyfill-php56 on a php 8 system) were added.

Looking at the change which initially removed namshi/jose from here (#508), it appears to have done what it did with thought and intentionally ("The "namshi/jose" library is deprecated, this bundle does not require it anymore. If you need to keep using it, require it in your composer.json."). In hindsight the better versioning solution might have been to release a v3 with the removal right away but that ship has sailed.

In the mean time, until there actually is a v3, "fix" #835 now puts all new users of this bundle (who care about their application supply chain) in a tight spot instead of only expecting users updating their bundle to become active in case they still depend on the deprecated library (and they really should become active anyway).

Does this resonate? Am I missing something? Are there arguments against releasing a v3 (I see one has been planned for a while but there is really no shortage of integers for version numbers)?

composer info lexik/jwt-authentication-bundle
...
versions : * v2.13.0
...
requires
namshi/jose ^7.2

composer why namshi/jose
lexik/jwt-authentication-bundle  v2.13.0  requires  namshi/jose (^7.2)

composer info namshi/jose
...
versions : * 7.2.3
...
requires
symfony/polyfill-php56 ^1.0

composer why symfony/polyfill-php56
namshi/jose  7.2.3  requires  symfony/polyfill-php56 (^1.0)