Update firebase/php-jwt support to 6.* #2199

Closed
ItsReddi opened this issue Jan 25, 2022 · 10 comments
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@ItsReddi

Firebase PHP-JWT package is required by this package.
It is available in a new version that is not supported by this client.

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - google/apiclient is locked to version v2.12.1 and an update of this package was not requested.
    - google/apiclient v2.12.1 requires firebase/php-jwt ~2.0||~3.0||~4.0||~5.0 -> found firebase/php-jwt[2.0.0, v2.1.0, v2.2.0, v3.0.0, v4.0.0, v5.0.0, ..., v5.5.1] but it conflicts with your root composer.json require (6.0.0).


Installation failed, reverting ./composer.json and ./composer.lock to their original content.
@bshaffer
Contributor

bshaffer commented Feb 8, 2022

Hello!
An easy way around this is to have your application support both 5.5 and 6.0. The 5.5 package is forwards-compatible with 6.0, and so any package should be able to support both, which will resolve this issue until we can support 6.0.

@nickakitch

Adding to this that there is a security flaw that affects php-jwt versions <6.0.0.

You can find more information about the fixes to the firebase/php-jwt here:
https://github.com/firebase/php-jwt/releases/tag/v6.0.0
firebase/php-jwt#351
https://security.snyk.io/vuln/SNYK-PHP-FIREBASEPHPJWT-2434829

@sakarikl

There is already firebase 6.0 support. Someone forgot to close this issue.

@sakarikl

But google/auth still does not support firebase 6.0. So you cannot actually use firebase 6.0 even though this project allows it.

@bshaffer
Contributor

bshaffer commented Apr 12, 2022

> there is a security flaw that affects php-jwt versions <6.0.0.

@nickakitch that isn't entirely accurate... while it's possible to still use the library incorrectly in firebase/php-jwt v5.5, the Key object exists. So you can (in your own application) close the security hole using v5.5.

Another advantage to this is once googleapis/google-auth-library-php#391 is merged and tagged, which closes the security hole for good, your applications will already be safe and compatible with v6.0.
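
Added example, not part of the thread and not code from google/apiclient or firebase/php-jwt: a decode call that runs unchanged on firebase/php-jwt 5.5 and 6.0 because every key is passed as a `Key` object bound to one algorithm. The helper `verifyToken`, the key id `k1` and the sample claims are hypothetical, and the library is assumed to be installed with Composer under a `^5.5 || ^6.0` constraint.

```php
<?php
// Added example. Assumes: composer require "firebase/php-jwt:^5.5 || ^6.0"
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

/**
 * Hypothetical helper: verify a token against a key set in which every
 * entry is a Key object, i.e. carries the one algorithm it may be used with.
 * Returns the claims as an array, or null when the token is rejected.
 */
function verifyToken(string $jwt, array $keySet): ?array
{
    try {
        // Two-argument form: the only form in 6.0, already accepted by 5.5.
        // There is no separate list of allowed algorithms, so the token
        // header cannot pick an algorithm other than the one bound to the
        // key selected by its "kid".
        return (array) JWT::decode($jwt, $keySet);
    } catch (\UnexpectedValueException | \DomainException | \InvalidArgumentException $e) {
        // Bad signature, expired token, unknown "kid", algorithm mismatch
        // or malformed input all end here.
        return null;
    }
}

// Constructed sample key and claims.
$secret = random_bytes(32);
$keySet = ['k1' => new Key($secret, 'HS256')];
$token  = JWT::encode(['sub' => 'user-1', 'exp' => time() + 60], $secret, 'HS256', 'k1');

// Case 1: valid token checked against the matching key and algorithm.
var_dump(verifyToken($token, $keySet));

// Case 2: same secret, but the key is bound to a different algorithm than
// the one named in the token header.
var_dump(verifyToken($token, ['k1' => new Key($secret, 'HS384')]));

// Case 3: token with a modified signature segment.
var_dump(verifyToken($token . 'x', $keySet));
```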

@bshaffer
Contributor

Support has been added in v2.12.3. Thanks for your patience.

@jkcv

jkcv commented Apr 10, 2023

The burning question is how does one upgrade firebase/php-jwt to version 6.0.0?

It seems to me to be an obvious question that mere mortals would like to know!!

@bshaffer
Contributor

Try running `composer why firebase/php-jwt` to see which dependency is preventing you from upgrading to 6.0. It shouldn't be this library or any other Google library, as we've all added support!

@jkcv

jkcv commented Apr 10, 2023

Thanks, I had no idea that this had to do with composer.

Here is the response to `composer why firebase/php-jwt`:

drupal/recommended-project - requires firebase/php-jwt (^5.5)
civicrm/civicrm-core 5.60.0 requires firebase/php-jwt (>=3 <6)

It looks like neither is ready yet for 6.0. Drupal wants 5.5 and civicrm wants less than 6.

@jkcv

jkcv commented Nov 5, 2023

This issue still has not been resolved. Does anyone have a hack to solve this issue?


7 participants