Require patched Guzzle and PSR-7 versions

[GrahamCampbell]

Security hardening. Versions that exist before GuzzleHttp\Psr7\Utils have CVEs published for them, and our PSR-7 v3 library will have breaking changes, so you will want to control when the upgrade to that is allowed.

[k0ka]

Well, it would break the backward compatibility, so we should do this only when a new major version is released

[GrahamCampbell]

I don't agree. Moreover, allowing PSR-7 v3 would cause real issues. If people really want to use super old insecure code, composer will still let them do it by resolving an older version of your library, or by pretending their older version of guzzle is a newer version using the as syntax.

[GrahamCampbell]

It is very common for people to bump versions of dependencies in patch and minor releases across the PHP ecosystem, both among packages that claim they follow semver, but do a bad job, and those that actually follow it well.

[k0ka]

Ok, let's try it.
Thanks for PR.

[GrahamCampbell]

[GrahamCampbell]

FYI there are now some additional CVEs relevant to guzzlehttp/psr7 that I published last week. There is no patch for the dead 1.x line. I don't think we need to bother incrementing the versions at this time though, because the code paths are not reachable from this library. 1.x is EOL as of 2024-06-30. The CVEs are:

• GHSA-34xg-wgjx-8xph
• GHSA-hq7v-mx3g-29hw