PHP 8.2 compatibility: upgrade webmozarts/assert to 1.11.0

[andypost]

Part of #5168 (comment)

PHP Deprecated:  Use of "static" in callables is deprecated in /var/www/html/web/vendor/webmozart/assert/src/Assert.php on line 1973

Deprecated: Use of "static" in callables is deprecated in /var/www/html/web/vendor/webmozart/assert/src/Assert.php on line 1973
PHP Deprecated:  Use of "static" in callables is deprecated in /var/www/html/web/vendor/webmozart/assert/src/Assert.php on line 1973

Deprecated: Use of "static" in callables is deprecated in /var/www/html/web/vendor/webmozart/assert/src/Assert.php on line 1973
PHP Deprecated:  Use of "static" in callables is deprecated in /var/www/html/web/vendor/webmozart/assert/src/Assert.php on line 1973

Deprecated: Use of "static" in callables is deprecated in /var/www/html/web/vendor/webmozart/assert/src/Assert.php on line 1973
PHP Deprecated:  Use of "static" in callables is deprecated in /var/www/html/web/vendor/webmozart/assert/src/Assert.php on line 1973

Deprecated: Use of "static" in callables is deprecated in /var/www/html/web/vendor/webmozart/assert/src/Assert.php on line 1973

[greg-1-anderson]

The Unish\SecurityUpdatesTest::testNoInsecureProductionPhpPackage failure usually goes away if you just run a general composer update to update all of the dependencies in the lock file.

[andypost]

@greg-1-anderson is it ok to update all dependencies?

[weitzman]

Its OK, but there is a chance your PR will need a reroll if #5165 gets in first. That also updates all.

[andypost]

Than would be great to create new releases for Consolidation components and reroll this one

[andypost]

I mean this 2

• PHP 8.2 compatibility: ${} string interpolation deprecated consolidation/config#56
• PHP 8.2 compatibility: dynamic properties are deprecated consolidation/annotated-command#271

[greg-1-anderson]

Merged the consolidation PRs; will make releases in a bit.

[greg-1-anderson]

Also, I'm pretty sure that the composer.lock changes in #5165 are only to avoid the Unish\SecurityUpdatesTest::testNoInsecureProductionPhpPackage failure. If we merge this one first, then we can reroll the archive commands without a composer.lock change.

[greg-1-anderson]

Tagged consolidation/config:2.1.1 and consolidation/annotated-command:4.5.6. I didn't turn on testing for PHP 8.2 yet, though.

[greg-1-anderson]

Kind of odd that only the highest test is failing in testNoInsecureProductionPhpPackage. Didn't look into why that is; perhaps we can merge this anyway, and investigate that later?

[weitzman]

That highest test installs core-recommended:10.0.x-dev and then we run a security check against that and find that guzzlehttp/guzzle is insecure. I'm not sure why. Exploring that in #5171.

[weitzman]

Composer is getting us guzzle 7.4.4 which is insecure. I would think we would be getting 7.4.5.

• https://app.circleci.com/pipelines/github/drush-ops/drush/4001/workflows/616c3be2-d6b3-442e-bdba-4846f133cb96/jobs/24359/steps. See composer show and composer why steps
• https://packagist.org/packages/guzzlehttp/guzzle4
• https://www.drupal.org/node/3285240 should have fixed this but isnt AFAICT

I'm OK with merging this PR and will do so in a day or two barring any negative comments.

[weitzman]

I see whats happenning https://github.com/drupal/core-recommended/blob/b7b0bc4cb7105bb329a2ec9a57c612607ec22744/composer.json#L18 is pinning us via a psr7 dependency. See https://www.drupal.org/project/drupal/issues/3291780