
Update dependency react/http to v1 - autoclosed #131

Closed

@mend-for-github-com mend-for-github-com bot commented Sep 9, 2022

This PR contains the following updates:

Package     Type     Update   Change
react/http  require  major    ^0.8.3 -> ^1.7.0

By merging this PR, the issue #130 will be automatically resolved and closed:

Severity   CVSS Score    CVE             Reachability
Medium     Medium 5.3    CVE-2022-36032  (not reported)

Release Notes

reactphp/http (react/http)

v1.7.0

This is a SECURITY and feature release for the 1.x series of ReactPHP's HTTP component.

  • Security fix: This release fixes a medium severity security issue in ReactPHP's HTTP server component
    that affects all versions between v0.7.0 and v1.6.0. All users are encouraged to upgrade immediately.
    Special thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this release.
    (CVE-2022-36032 reported by @lavish and fixed by @clue)

  • Feature: Improve HTTP server performance by ~20%, reuse syscall values for clock time and socket addresses.
    (#457 and #467 by @clue)

  • Feature: Full PHP 8.2+ compatibility, refactor internal Transaction to avoid assigning dynamic properties.
    (#459 by @clue and #466 by @WyriHaximus)

  • Feature / Fix: Allow explicit Content-Length response header on HEAD requests.
    (#444 by @mrsimonbennett)

  • Minor documentation improvements.
    (#452 by @clue, #458 by @nhedger, #448 by @jorrit and #446 by @SimonFrings)

  • Improve test suite, update to use new reactphp/async package instead of clue/reactphp-block,
    skip memory tests when lowering memory limit fails and fix legacy HHVM build.
    (#464 and #440 by @clue and #450 by @SimonFrings)

v1.6.0

  • Feature: Add factory methods for common HTML/JSON/plaintext/XML response types.
    (#439 by @clue)

    // static factory methods on the Response class
    $response = React\Http\Message\Response::html("<h1>Hello wörld!</h1>\n");
    $response = React\Http\Message\Response::json(['message' => 'Hello wörld!']);
    $response = React\Http\Message\Response::plaintext("Hello wörld!\n");
    $response = React\Http\Message\Response::xml("<message>Hello wörld!</message>\n");

  • Feature: Expose all status code constants via Response class.
    (#432 by @clue)

    $response = new React\Http\Message\Response(
        React\Http\Message\Response::STATUS_OK, // 200 OK
        …
    );
    $response = new React\Http\Message\Response(
        React\Http\Message\Response::STATUS_NOT_FOUND, // 404 Not Found
        …
    );

  • Feature: Full support for PHP 8.1 release.
    (#433 by @SimonFrings and #434 by @clue)

  • Feature / Fix: Improve protocol handling for HTTP responses with no body.
    (#429 and #430 by @clue)

  • Internal refactoring and internal improvements for handling requests and responses.
    (#422 by @WyriHaximus and #431 by @clue)

  • Improve documentation, update proxy examples, include error reporting in examples.
    (#420, #424, #426, and #427 by @clue)

  • Update test suite to use default loop.
    (#438 by @clue)

v1.5.0

  • Feature: Update Browser signature to take optional $connector as first argument and
    to match new Socket API without nullable loop arguments.
    (#418 and #419 by @clue)

    // unchanged
    $browser = new React\Http\Browser();

    // deprecated
    $browser = new React\Http\Browser(null, $connector);
    $browser = new React\Http\Browser($loop, $connector);

    // new
    $browser = new React\Http\Browser($connector);
    $browser = new React\Http\Browser($connector, $loop);

  • Feature: Rename Server to HttpServer to avoid class name collisions and
    to avoid any ambiguities with regards to the new SocketServer API.
    (#417 and #419 by @clue)

    // deprecated
    $server = new React\Http\Server($handler);
    $server->listen(new React\Socket\Server(8080));

    // new
    $http = new React\Http\HttpServer($handler);
    $http->listen(new React\Socket\SocketServer('127.0.0.1:8080'));

v1.4.0

A major new feature release, see release announcement.

  • Feature: Simplify usage by supporting new default loop.
    (#410 by @clue)

    // old (still supported)
    $browser = new React\Http\Browser($loop);
    $server = new React\Http\Server($loop, $handler);

    // new (using default loop)
    $browser = new React\Http\Browser();
    $server = new React\Http\Server($handler);

v1.3.0

  • Feature: Support persistent connections (Connection: keep-alive).
    (#405 by @clue)

    This shows a noticeable performance improvement especially when benchmarking
    using persistent connections (which is the default pretty much everywhere).
    Together with other changes in this release, this improves benchmarking
    performance by around 100%.

  • Feature: Require Host request header for HTTP/1.1 requests.
    (#404 by @clue)

  • Minor documentation improvements.
    (#398 by @fritz-gerneth and #399 and #400 by @pavog)

  • Improve test suite, use GitHub actions for continuous integration (CI).
    (#402 by @SimonFrings)

v1.2.0

  • Feature: Keep request body in memory also after consuming request body.
    (#395 by @clue)

    This means consumers can now always access the complete request body as
    detailed in the documentation. This allows building custom parsers and more
    advanced processing models without having to mess with the default parsers.

v1.1.0

  • Feature: Support upcoming PHP 8 release, update to reactphp/socket v1.6 and adjust type checks for invalid chunk headers.
    (#391 by @clue)

  • Feature: Consistently resolve base URL according to HTTP specs.
    (#379 by @clue)

  • Feature / Fix: Expose Transfer-Encoding: chunked response header and fix chunked responses for HEAD requests.
    (#381 by @clue)

  • Internal refactoring to remove unneeded MessageFactory and Response classes.
    (#380 and #389 by @clue)

  • Minor documentation improvements and improve test suite, update to support PHPUnit 9.3.
    (#385 by @clue and #393 by @SimonFrings)

v1.0.0

A major new feature release, see release announcement.

  • First stable LTS release, now following SemVer.
    We'd like to emphasize that this component is production ready and battle-tested.
    We plan to support all long-term support (LTS) releases for at least 24 months,
    so you have a rock-solid foundation to build on top of.

This update involves some major new features and a number of BC breaks due to
some necessary API cleanup. We've tried hard to avoid BC breaks where possible
and minimize impact otherwise. We expect that most consumers of this package
will be affected by BC breaks, but updating should take no longer than a few
minutes. See below for more details:

  • Feature: Add async HTTP client implementation.
    (#368 by @clue)

    $browser = new React\Http\Browser($loop);
    $browser->get($url)->then(function (Psr\Http\Message\ResponseInterface $response) {
        echo $response->getBody();
    });

    The code has been imported as-is from clue/reactphp-buzz v2.9.0, with only minor
    changes to the namespace, and we otherwise leave all the existing APIs unchanged.
    Upgrading from clue/reactphp-buzz v2.9.0 to this release should be a matter of
    updating some namespace references only:

    // old
    $browser = new Clue\React\Buzz\Browser($loop);

    // new
    $browser = new React\Http\Browser($loop);

  • Feature / BC break: Add LoopInterface as required first constructor argument to Server and
    change Server to accept variadic middleware handlers instead of array.
    (#361 and #362 by @WyriHaximus)

    // old
    $server = new React\Http\Server($handler);
    $server = new React\Http\Server([$middleware, $handler]);

    // new
    $server = new React\Http\Server($loop, $handler);
    $server = new React\Http\Server($loop, $middleware, $handler);

  • Feature / BC break: Move Response class to React\Http\Message\Response and
    expose ServerRequest class to React\Http\Message\ServerRequest.
    (#370 by @clue)

    // old
    $response = new React\Http\Response(200, [], 'Hello!');

    // new
    $response = new React\Http\Message\Response(200, [], 'Hello!');

  • Feature / BC break: Add StreamingRequestMiddleware to stream incoming requests, mark StreamingServer as internal.
    (#367 by @clue)

    // old: advanced StreamingServer is now internal only
    $server = new React\Http\StreamingServer($handler);

    // new: use StreamingRequestMiddleware instead of StreamingServer
    $server = new React\Http\Server(
        $loop,
        new React\Http\Middleware\StreamingRequestMiddleware(),
        $handler
    );

  • Feature / BC break: Improve default concurrency to 1024 requests and cap default request buffer at 64K.
    (#371 by @clue)

    This improves default concurrency to 1024 requests and caps the default request buffer at 64K.
    The previous defaults resulted in just 4 concurrent requests with a request buffer of 8M.
    See Server for details on how to override these defaults.

  • Feature: Expose ReactPHP in User-Agent client-side request header and in Server server-side response header.
    (#374 by @clue)

  • Mark all classes as final to discourage inheriting from it.
    (#373 by @WyriHaximus)

  • Improve documentation and use fully-qualified class names throughout the documentation and
    add ReactPHP core team as authors to composer.json and license file.
    (#366 and #369 by @WyriHaximus and #375 by @clue)

  • Improve test suite and support skipping all online tests with --exclude-group internet.
    (#372 by @clue)

v0.8.7

  • Fix: Fix parsing multipart request body with quoted header parameters (dot net).
    (#363 by @ebimmel)

  • Fix: Fix calculating concurrency when post_max_size ini is unlimited.
    (#365 by @clue)

  • Improve test suite to run tests on PHPUnit 9 and clean up test suite.
    (#364 by @SimonFrings)

v0.8.6

v0.8.5

  • Internal refactorings and optimizations to improve request parsing performance.
    Benchmarks suggest number of requests/s improved by ~30% for common GET requests.
    (#345, #346, #349 and #350 by @clue)

  • Add documentation and example for JSON/XML request body and
    improve documentation for concurrency and streaming requests and for error handling.
    (#341 and #342 by @clue)

v0.8.4

  • Improvement: Internal refactoring to simplify response header logic.
    (#321 by @clue)

  • Improvement: Assign Content-Length response header automatically only when size is known.
    (#329 by @clue)

  • Improvement: Import global functions for better performance.
    (#330 by @WyriHaximus)

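As an added example that is not part of this PR or of the react/http release notes, the ^0.8 to ^1.7 migration the update implies, written out for a minimal server so the BC breaks listed above (Response namespace, variadic middleware, HttpServer/SocketServer, default loop) can be checked in one place; `composer require react/http:^1.7` and a vendor autoloader are assumed:

```php
<?php
// Added example, not part of this PR or of the react/http release notes.
// Same minimal server against react/http ^0.8 (current range) and ^1.7 (the
// PR's target, and the first range carrying the fix for CVE-2022-36032).
require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ServerRequestInterface;
use React\Http\HttpServer;
use React\Http\Message\Response;
use React\Http\Middleware\LimitConcurrentRequestsMiddleware;
use React\Http\Middleware\RequestBodyBufferMiddleware;
use React\Http\Middleware\RequestBodyParserMiddleware;
use React\Socket\SocketServer;

/*
 * react/http ^0.8 (CVE-2022-36032 affects v0.7.0 through v1.6.0):
 *
 *   $loop   = React\EventLoop\Factory::create();
 *   $server = new React\Http\Server(function (ServerRequestInterface $request) {
 *       return new React\Http\Response(200, ['Content-Type' => 'application/json'],
 *           json_encode(['path' => $request->getUri()->getPath()]));
 *   });
 *   $server->listen(new React\Socket\Server('127.0.0.1:8080', $loop));
 *   $loop->run();
 */

// react/http ^1.7: default loop (v1.4.0), HttpServer and SocketServer (v1.5.0),
// Response moved to React\Http\Message (v1.0.0), Response::json() factory (v1.6.0).
$handler = function (ServerRequestInterface $request) {
    return Response::json([
        'method' => $request->getMethod(),
        'path'   => $request->getUri()->getPath(),
        'body'   => $request->getParsedBody(),
    ]);
};

// Middleware is variadic since v1.0.0. The two limits restate the v1.0.0 defaults
// (1024 concurrent requests, 64 KiB request buffer) so they are explicit in review.
$http = new HttpServer(
    new LimitConcurrentRequestsMiddleware(1024),
    new RequestBodyBufferMiddleware(64 * 1024),
    new RequestBodyParserMiddleware(),
    $handler
);

$socket = new SocketServer('127.0.0.1:8080');
$http->listen($socket);
echo 'Listening on ' . str_replace('tcp:', 'http:', $socket->getAddress()) . PHP_EOL;
```

Under ^1.7 no explicit `$loop->run()` is needed because the default loop starts automatically when the script ends.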

mend-for-github-com bot added the "security fix" label (Security fix generated by Mend) on Sep 9, 2022
mend-for-github-com bot changed the title from "chore(deps): update dependency react/http to v1" to "Update dependency react/http to v1" on Jan 29, 2023
mend-for-github-com bot force-pushed the whitesource-remediate/react-http-1.x branch from e85c3b7 to 150fb2d on February 20, 2024 03:57
mend-for-github-com bot changed the title from "Update dependency react/http to v1" to "Update dependency react/http to v1 - autoclosed" on Apr 30, 2024
mend-for-github-com bot deleted the whitesource-remediate/react-http-1.x branch on April 30, 2024 04:01