chore(deps): Bump guzzlehttp/guzzle from 7.10.0 to 7.12.1#181
chore(deps): Bump guzzlehttp/guzzle from 7.10.0 to 7.12.1#181dependabot[bot] wants to merge 1 commit into
Conversation
dj4oC
left a comment
There was a problem hiding this comment.
- Security: guzzlehttp/guzzle 7.10.0→7.12.1 includes upstream security fixes (GHSA-wpwq-4j6v-78m3 HTTPS-proxy downgrade, GHSA-cwxw-98qj-8qjx dot-only cookie domain match-all) — security-positive bump.
- Stability:
lintandCommits / Validate semantic commitsfail on the head commit; PHP Code Style andbuildpass. - Performance: no findings
- Test coverage: n/a (composer dependency bump)
- TODOs found: 0
- Dependency touched: yes — guzzlehttp/guzzle (MIT)
- CI status: failing (lint, Commits)
Verdict
Good security-relevant dependency bump, but blocked by red lint/commit-message checks. Not approving until CI is green — recommend prioritizing this one given the CVE fixes.
🤖 Automated review by Claude Code (security · stability · performance · coverage)
Generated by Claude Code
|
Holding: CI is failing (not a rebase conflict). Failing: Commits / Validate semantic commits, lint. A rebase won't fix this — needs a human/upstream fix. |
Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 7.10.0 to 7.12.1. - [Release notes](https://github.com/guzzle/guzzle/releases) - [Changelog](https://github.com/guzzle/guzzle/blob/7.12/CHANGELOG.md) - [Commits](guzzle/guzzle@7.10.0...7.12.1) --- updated-dependencies: - dependency-name: guzzlehttp/guzzle dependency-version: 7.12.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
16445c9 to
1da6b7e
Compare
|
@dependabot rebase |
|
Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry! If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request |
|
@dependabot recreate |
|
Looks like guzzlehttp/guzzle is up-to-date now, so this is no longer needed. |
Bumps guzzlehttp/guzzle from 7.10.0 to 7.12.1.
Release notes
Sourced from guzzlehttp/guzzle's releases.
... (truncated)
Changelog
Sourced from guzzlehttp/guzzle's changelog.
... (truncated)
Commits
d346274Release 7.12.17f537cdReject dot-only cookie domains (#3653)29482f2Adjust version constraints (#3651)fc70174Reject proxy URLs with a malformed scheme in the cURL handlers (#3637)0f4da82Reject HTTPS proxies when libcurl lacks HTTPS-proxy support (#3626)eaa8159Release 7.12.0e0d3349Adjustedguzzlehttp/psr7version constraint and corrected links (#3646)8ca9415Normalize scalar body request options (#3644)1a8d3aaTranslate scheme-less proxies and their credentials in the stream handler (#3...751f7a5Revert too aggressive authenticated proxy tunnel reuse mitigation (#3641)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.