Skip to content

composer: bump guzzlehttp/guzzle from 7.13.2 to 7.14.2 in /app/full#176

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/composer/app/full/guzzlehttp/guzzle-7.14.2
Jul 15, 2026
Merged

composer: bump guzzlehttp/guzzle from 7.13.2 to 7.14.2 in /app/full#176
github-actions[bot] merged 1 commit into
mainfrom
dependabot/composer/app/full/guzzlehttp/guzzle-7.14.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor

Bumps guzzlehttp/guzzle from 7.13.2 to 7.14.2.

Release notes

Sourced from guzzlehttp/guzzle's releases.

7.14.2

Security

7.14.1

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.5

Fixed

  • Fail closed when a proxy tunnel isolation cURL option cannot be applied
  • Normalize Stringable proxy credential values before computing connection-reuse section signatures
  • Restore conservative credential redaction for unparseable proxies with multiple @ separators
  • Redact request URI credentials from the stream handler connection error message
  • Reject enabled response streaming (stream => true) on cap-configured stream handlers
  • Distinguish CurlMultiHandler and StreamHandler outcomes in connection-cap custom-handler guidance
  • Reject raw cURL options that conflict with explicit multiplexing guarantees
  • Stop explicit multiplexing conflict checks faulting on non-array cURL multi options values
  • Reject required multiplexing when the final CURLOPT_HTTPAUTH mask permits NTLM
  • Require an integer CURLMOPT_PIPELINING when combined with explicit multiplexing
  • Check the required multiplexing cleartext proxy rule against the final cURL configuration
  • Bound cURL multi handler blocking selects by the earliest pending request delay
  • Stop synchronous cURL multi handler waits blocking on other transfers once the target has settled
  • Stop cURL multi completion processing double-settling promises canceled from completion callbacks
  • Run ready promise queue tasks before sleeping for delayed cURL multi requests
  • Avoid integer overflow in cURL multi delay timing on 32-bit platforms
  • Roll back failed cURL multi handle attachment instead of leaving requests pending
  • Release the cURL easy handle when the on_stats callback throws
  • Normalize response trailer field names to lowercase with values in wire order
  • Retain response trailers only when an on_trailers callback is configured
  • Validate the on_trailers callback before starting a cURL transfer
  • Reject the on_trailers request option on the stream handler, which cannot observe trailers
  • Match cookies, proxy schemes, auth types, and header names with locale-independent ASCII folding
  • Reject proxy option values that Guzzle cannot classify identically to ext-curl

7.14.0

Added

  • Added the on_trailers request option to expose parsed HTTP response trailers
  • Added the multiplex request option with Multiplexing::* modes to control or require HTTP/2 multiplexing
  • Added rejection of explicit multiplex requests when CURLMOPT_PIPELINING disables multiplexing
  • Added the max_host_connections and max_total_connections client and cURL multi handler options

Changed

  • Redirects that discard the request body no longer require it to be rewindable
  • Synchronous cURL multi handler requests no longer wait for other queued transfers
  • Section SOCKS proxy connections by credentials on libcurl before 7.69.0

... (truncated)

Changelog

Sourced from guzzlehttp/guzzle's changelog.

7.14.2 - 2026-07-14

Security

7.14.1 - 2026-07-13

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.5

Fixed

  • Fail closed when a proxy tunnel isolation cURL option cannot be applied
  • Normalize Stringable proxy credential values before computing connection-reuse section signatures
  • Restore conservative credential redaction for unparseable proxies with multiple @ separators
  • Redact request URI credentials from the stream handler connection error message
  • Reject enabled response streaming (stream => true) on cap-configured stream handlers
  • Distinguish CurlMultiHandler and StreamHandler outcomes in connection-cap custom-handler guidance
  • Reject raw cURL options that conflict with explicit multiplexing guarantees
  • Stop explicit multiplexing conflict checks faulting on non-array cURL multi options values
  • Reject required multiplexing when the final CURLOPT_HTTPAUTH mask permits NTLM
  • Require an integer CURLMOPT_PIPELINING when combined with explicit multiplexing
  • Check the required multiplexing cleartext proxy rule against the final cURL configuration
  • Bound cURL multi handler blocking selects by the earliest pending request delay
  • Stop synchronous cURL multi handler waits blocking on other transfers once the target has settled
  • Stop cURL multi completion processing double-settling promises canceled from completion callbacks
  • Run ready promise queue tasks before sleeping for delayed cURL multi requests
  • Avoid integer overflow in cURL multi delay timing on 32-bit platforms
  • Roll back failed cURL multi handle attachment instead of leaving requests pending
  • Release the cURL easy handle when the on_stats callback throws
  • Normalize response trailer field names to lowercase with values in wire order
  • Retain response trailers only when an on_trailers callback is configured
  • Validate the on_trailers callback before starting a cURL transfer
  • Reject the on_trailers request option on the stream handler, which cannot observe trailers
  • Match cookies, proxy schemes, auth types, and header names with locale-independent ASCII folding
  • Reject proxy option values that Guzzle cannot classify identically to ext-curl

7.14.0 - 2026-07-08

Added

  • Added the on_trailers request option to expose parsed HTTP response trailers
  • Added the multiplex request option with Multiplexing::* modes to control or require HTTP/2 multiplexing
  • Added rejection of explicit multiplex requests when CURLMOPT_PIPELINING disables multiplexing
  • Added the max_host_connections and max_total_connections client and cURL multi handler options

... (truncated)

Commits
  • fa88c57 Release 7.14.2
  • 9e4580d Never send first-class Proxy-Authorization headers to origins (#3876)
  • 6b1d242 Release 7.14.1
  • ecc7e53 Bump guzzlehttp/psr7 to ^2.12.5 (#3868)
  • f8e8f4d Reject ambiguous raw proxy option types (#3862)
  • 89e3d12 Tidy the 7.14.1 changelog (#3859)
  • 3ebe5d8 Fix the multiplex conflict check for non-array multi options (#3858)
  • 3384955 Fail closed on tunnel isolation and normalize proxy credentials (#3854)
  • caf0f4e Correct the stream handler connection-cap contract wording (#3842)
  • 97aa9ea Compare cookie and credential header names with ASCII folding (#3848)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 7.13.2 to 7.14.2.
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/7.15/CHANGELOG.md)
- [Commits](guzzle/guzzle@7.13.2...7.14.2)

---
updated-dependencies:
- dependency-name: guzzlehttp/guzzle
  dependency-version: 7.14.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels Jul 15, 2026
@github-actions github-actions Bot enabled auto-merge (rebase) July 15, 2026 12:33
@sonarqubecloud

Copy link
Copy Markdown

@github-actions github-actions Bot merged commit 17ce133 into main Jul 15, 2026
18 checks passed
@dependabot dependabot Bot deleted the dependabot/composer/app/full/guzzlehttp/guzzle-7.14.2 branch July 15, 2026 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants