Skip to content

Update dependency guzzlehttp/guzzle to ^7.12.3 (master)#1

Open
mend-for-github-com[bot] wants to merge 1 commit into
masterfrom
whitesource-remediate/master-guzzlehttp-guzzle-7.x
Open

Update dependency guzzlehttp/guzzle to ^7.12.3 (master)#1
mend-for-github-com[bot] wants to merge 1 commit into
masterfrom
whitesource-remediate/master-guzzlehttp-guzzle-7.x

Conversation

@mend-for-github-com

@mend-for-github-com mend-for-github-com Bot commented Jun 21, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
guzzlehttp/guzzle (source) require minor ^7.0^7.12.3

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score Vulnerability Reachability
Medium Medium 5.9 CVE-2026-55568
Medium Medium 5.8 CVE-2026-55767
Medium Medium 4.7 CVE-2026-59883

Release Notes

guzzle/guzzle (guzzlehttp/guzzle)

v7.12.3

Compare Source

Changed
  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.3
Security

v7.12.2

Compare Source

Fixed
  • Clamp out-of-range Max-Age so a very large value no longer overflows to an already-expired timestamp
  • Use strict comparison in CookieJar conflict resolution so distinct numeric-string names don't overwrite
  • Store a cookie whose Domain has a trailing dot on the origin host instead of silently discarding it
  • Fix StreamHandler hard-failing on bracketed IPv6 literal hosts when force_ip_resolve is set
  • Use strict cookie Path comparison so CookieJar::clear() with a numeric path keeps a distinct-path cookie
  • Fixed cookie handling for falsey Domain, Max-Age, path, and name values
  • Fixed decode_content handling for falsey string values
  • Fixed deprecated request option values reaching built-in handlers before normalization

v7.12.1

Compare Source

Changed
  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.1
Fixed
  • Reject proxy URLs with a malformed scheme in the cURL handlers instead of letting libcurl mishandle them
Security

v7.12.0

Compare Source

Added
  • Added RequestOptions constants for curl, retries, and stream_context
Changed
  • Adjusted guzzlehttp/psr7 version constraint to ^2.12
  • Constrain cURL transport sharing to safe libcurl DNS and SSL session support
  • Resolve proxy environment variables in the cURL handlers; libcurl no longer reads the environment itself
  • Ignore proxy environment variables when the proxy request option makes a decision
  • Disable proxy environment variables on Windows SAPIs other than CLI (httpoxy hardening)
  • Redact proxy credentials from cURL handler error messages, following Psr7\Utils::redactUserInfo()
  • Normalize no-proxy domain and IP literal matching across the cURL and stream handlers
Deprecated
  • Deprecated the request-level handler option, which will be ignored in 8.0
  • Deprecated raw cURL request options outside the built-in cURL handlers' allow-list
  • Deprecated the CURLOPT_PROXYTYPE cURL request option; set the proxy type via a scheme-prefixed proxy URL
  • Deprecated PHP stream context options outside the built-in stream handler allow-list
  • Deprecated passing ntlm as a built-in auth type
  • Deprecated Utils::describeType()
  • Deprecated non-finite floats in the query and form_params options; 8.0 rejects them
  • Deprecated non-string scalar values in the body option; 8.0 rejects them
Fixed
  • Fix cURL TLS and HTTP/2 capability detection using libcurl feature checks
  • Fix proxy no list matches being re-proxied through environment-configured proxies by libcurl
  • Fix no list and NO_PROXY matching to support IP CIDR ranges, matching libcurl
  • Fix the stream handler not applying scheme-less proxies and their credentials

v7.11.2

Compare Source

Fixed
  • Fixed non-finite float values emitting coercion warnings on PHP 8.5

v7.11.1

Compare Source

Fixed
  • Ignore request-level transport_sharing, matching other unknown request options

v7.11.0

Compare Source

Added
  • Added support for providing the proxy request option's no value as a comma-delimited string
  • Added the protocols request option to restrict allowed URI schemes for request transfers
  • Added cert_type and ssl_key_type request options for TLS certificate and private-key file types
  • Added PHP stream handler support for the ssl_key request option
  • Added transport sharing via the transport_sharing client and cURL handler options
Changed
  • Adjusted guzzlehttp/promises version constraint to ^2.5
  • Adjusted guzzlehttp/psr7 version constraint to ^2.11
  • Allowed domainless SetCookie instances to be stored without wildcard request matching
  • Changed no-proxy matching to respect request ports for host-and-port rules
  • Prevented CurlMultiHandler destructors from throwing during cleanup
  • Improved invalid response handling across handlers
Deprecated
  • Deprecated non-iterable Pool request collections, which will be rejected in 8.0
  • Deprecated non-uppercase easy request methods; 8.0 preserves method casing
  • Deprecated non-string headers request option values, which will be rejected in 8.0
  • Deprecated empty headers request option value arrays, which will be rejected in 8.0
  • Deprecated empty and malformed request protocol versions, which will be rejected in 8.0
  • Deprecated conflicting raw cURL request options, including CURLOPT_SHARE, which will be rejected in 8.0
  • Deprecated scalar-coerced idn_conversion request option values, which will be rejected in 8.0
  • Deprecated invalid documented request option value types, which will be rejected in 8.0
  • Deprecated selected request options ignored by incompatible built-in handlers, which will be rejected in 8.0
  • Deprecated RequestException::wrapException(), which will be removed in 8.0
  • Deprecated RetryMiddleware::exponentialDelay(), which will be removed in 8.0

v7.10.6

Compare Source

Fixed
  • CurlMultiHandler now rejects the promise when CurlFactory::finish() throws, preserving sibling transfers
  • SetCookie now normalizes unparseable Expires values to null instead of false
  • Fix stream handler decoded gzip/deflate truncation by dropping invalid Content-Length

v7.10.5

Compare Source

Fixed
  • Defer cURL multi cancellation cleanup until after progress callbacks return
  • Classify additional stream handler connection failures as ConnectException

v7.10.4

Compare Source

Fixed
  • Fix IPv6 literal matching in no-proxy rules
  • Handle cURL multi completion messages without handles after cancelled transfers
  • Fix magic client request methods such as options() to uppercase inferred HTTP methods

v7.10.3

Compare Source

Fixed
  • Fail clearly when an HTTP response header line is invalid
  • Remove middleware by name when the name is also a callable string
  • Treat empty request protocol versions as HTTP/1.1

v7.10.2

Compare Source

Fixed
  • Normalize HTTP version request options before applying them to PSR-7 requests
  • Use string values for headers generated by request preparation and response decoding

v7.10.1

Compare Source

Fixed
  • Fail clearly when cURL options cannot be applied
  • Fail clearly when the certificate option is malformed
  • Fail clearly when JSON decode depth is invalid
  • Fail clearly when session cookie data is malformed
  • Fail clearly when the stream progress option is not callable
  • Prevent response creation failures from exposing stale cURL responses

v7.10.0

Compare Source

Added
  • Support for PHP 8.5
Changed
  • Adjusted guzzlehttp/promises version constraint to ^2.3
  • Adjusted guzzlehttp/psr7 version constraint to ^2.8

v7.9.3

Compare Source

Changed
  • Remove explicit content-length header for GET requests
  • Improve compatibility with bad servers for boolean cookie values

v7.9.2

Compare Source

Fixed
  • Adjusted handler selection to use cURL if its version is 7.21.2 or higher, rather than 7.34.0

v7.9.1

Compare Source

Fixed
  • Fix TLS 1.3 check for HTTP/2 requests

v7.9.0

Compare Source

Changed
  • Improve protocol version checks to provide feedback around unsupported protocols
  • Only select the cURL handler by default if 7.34.0 or higher is linked
  • Improved CurlMultiHandler to avoid busy wait if possible
  • Dropped support for EOL guzzlehttp/psr7 v1
  • Improved URI user info redaction in errors

v7.8.2

Compare Source

Added
  • Support for PHP 8.4

v7.8.1

Compare Source

Changed
  • Updated links in docs to their canonical versions
  • Replaced call_user_func* with native calls

v7.8.0

Compare Source

Added
  • Support for PHP 8.3
  • Added automatic closing of handles on CurlFactory object destruction

v7.7.1

Compare Source

Changed
  • Remove the need for AllowDynamicProperties in CurlMultiHandler

v7.7.0

Compare Source

Added
  • Support guzzlehttp/promises v2

v7.6.1

Compare Source

Fixed
  • Fix SetCookie::fromString MaxAge deprecation warning and skip invalid MaxAge values

v7.6.0

Compare Source

Added
  • Support for setting the minimum TLS version in a unified way
  • Apply on request the version set in options parameters

v7.5.3

Compare Source

See change log for changes.

v7.5.2

Compare Source

Fixed
  • Fixed set cookie constructor validation
  • Fixed handling of files with '0' body
Changed
  • Corrected docs and default connect timeout value to 300 seconds

v7.5.1

Compare Source

Fixed
  • Fixed NO_PROXY settings so that setting the proxy option to no overrides the env variable
Changed
  • Adjusted guzzlehttp/psr7 version constraint to ^1.9.1 || ^2.4.5

v7.5.0

Compare Source

Added
  • Support PHP 8.2
  • Add request to delay closure params

v7.4.5

Compare Source

Fixed
  • Fix change in port should be considered a change in origin
  • Fix CURLOPT_HTTPAUTH option not cleared on change of origin

v7.4.4

Compare Source

Fixed
  • Fix failure to strip Authorization header on HTTP downgrade
  • Fix failure to strip the Cookie header on change in host or HTTP downgrade

v7.4.3

Compare Source

Fixed
  • Fix cross-domain cookie leakage

v7.4.2

Compare Source

Fixed
  • Remove curl auth on cross-domain redirects to align with the Authorization HTTP header
  • Reject non-HTTP schemes in StreamHandler
  • Set a default ssl.peer_name context in StreamHandler to allow force_ip_resolve

v7.4.1

Compare Source

Changed
  • Replaced implicit URI to string coercion #​2946
  • Allow symfony/deprecation-contracts version 3 #​2961
Fixed
  • Only close curl handle if it's done #​2950

v7.4.0

Compare Source

Added
Fixed
  • Make sure we always call restore_error_handler() #​2915
  • Fix progress parameter type compatibility between the cURL and stream handlers #​2936
  • Throw InvalidArgumentException when an incorrect headers array is provided #​2916, #​2942
Changed

v7.3.0

Compare Source

Added
  • Support for DER and P12 certificates #​2413
  • Support the cURL (http://) scheme for StreamHandler proxies #​2850
  • Support for guzzlehttp/psr7:^2.0 #​2878
Fixed
  • Handle exceptions on invalid header consistently between PHP versions and handlers #​2872

v7.2.0

Compare Source

Added
Fixed
  • Handle exceptions during response creation #​2591
  • Fix CURLOPT_ENCODING not to be overwritten #​2595
  • Make sure the Request always has a body object #​2804
Changed
  • The TooManyRedirectsException has a response #​2660
  • Avoid "functions" from dependencies #​2712
Deprecated
  • Using environment variable GUZZLE_CURL_SELECT_TIMEOUT #​2786

v7.1.1

Compare Source

Fixed
  • Incorrect EOF detection for response body streams on Windows.
Changed
  • We dont connect curl sink on HEAD requests.
  • Removed some PHP 5 workarounds

v7.1.0

Compare Source

Added
  • GuzzleHttp\MessageFormatterInterface
Fixed
  • Fixed issue that caused cookies with no value not to be stored.
  • On redirects, we allow all safe methods like GET, HEAD and OPTIONS.
  • Fixed logging on empty responses.
  • Make sure MessageFormatter::format returns string
Deprecated
  • All functions in GuzzleHttp has been deprecated. Use static methods on Utils instead.
  • ClientInterface::getConfig()
  • Client::getConfig()
  • Client::__call()
  • Utils::defaultCaBundle()
  • CurlFactory::LOW_CURL_VERSION_NUMBER

v7.0.1

Compare Source

  • Fix multiply defined functions fatal error #​2699

  • If you want to rebase/retry this PR, check this box

@mend-for-github-com mend-for-github-com Bot added the security fix Security fix generated by Mend label Jun 21, 2026
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency guzzlehttp/guzzle to ^7.12.1 (master) Update dependency guzzlehttp/guzzle to ^7.12.3 (master) Jul 9, 2026
@mend-for-github-com mend-for-github-com Bot force-pushed the whitesource-remediate/master-guzzlehttp-guzzle-7.x branch from 0707041 to bccc32d Compare July 9, 2026 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

security fix Security fix generated by Mend

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants