
chore(deps): bump php-standard-library/php-standard-library from 6.1.1 to 6.2.1#100

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/composer/php-standard-library/php-standard-library-6.2.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 25, 2026

Bumps php-standard-library/php-standard-library from 6.1.1 to 6.2.1.

Release notes

Sourced from php-standard-library/php-standard-library's releases.

Hevlaska 6.2.1

Security Release

This release fixes a server-side HTTP/2 vulnerability in the Psl\H2 component (GHSA-pw9p-jvrm-f7rm).

Impact

Psl\H2\ServerConnection did not validate that the total bytes received in HTTP/2 DATA frames matched the content-length header declared in the initial HEADERS frame, in violation of RFC 9113 §8.1.1 and §8.1.2.6. #777

A malicious client could:

  • Send more DATA bytes than declared, smuggling additional content past application-level size limits.
  • Send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly.

This affects consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected.

Patches

  • Parses and validates content-length on server-side HEADERS receive (RFC 9110 §8.6: must be a non-negative decimal integer).
  • Tracks cumulative DATA frame payload length per stream.
  • Throws Psl\H2\Exception\StreamException on mismatch or overflow.

Client-side validation is intentionally not performed, as RFC 9110 §9.3.2 permits HEAD responses to declare content-length without sending DATA.

Additional fixes

  • Psl\H2\ConnectionTrait::waitForSendWindow() now flushes pending buffered writes before suspending. Without this, frames written inside a buffered() block never reach the wire, and a peer that only sends WINDOW_UPDATE after seeing our DATA would deadlock.

Upgrade

composer require php-standard-library/psl:^6.2.1

Credit

Discovered during internal review prior to public exploitation.

Hevlaska 6.2.0

PSL 6.2.0

A massive release — three new networking stack components (HTTP, SMTP, DNS), the EitherOrBoth type with full-outer-join iterators, a major IO toolkit expansion, and broad covariance improvements across the type system.

New Components

HTTP Stack

  • HTTP\Message — version-agnostic HTTP message abstractions. Request/Response value objects with streaming bodies (ReadHandleInterface), FieldMap (ordered, case-insensitive headers with lazy index), ProtocolVersion covering HTTP/1.0 through HTTP/3, trailers as Async\Awaitable<FieldMap>, status/method constants per RFC 9110, and Transaction/Exchange for informational (1xx) responses and HTTP/2 server-push pairs.
  • HTTP\Client — async HTTP/1.1 and HTTP/2 client with automatic protocol negotiation via ALPN. Connection pooling (H1 idle reuse, H2 session sharing across concurrent requests), event-driven stream dispatch, transparent reconnection on GOAWAY/TCP reset, RedirectClient and RetryClient decorators, per-request SendConfiguration, SSRF protection via DeniedDestinationsMiddleware, SOCKS5 proxy and HTTP CONNECT tunnel support, H2 flow control with BDP auto-tuning, and 104 integration tests against httpbun.

Mail Stack

... (truncated)

Changelog

Sourced from php-standard-library/php-standard-library's changelog.

6.2.1

security

  • fix(h2): validate content-length header against received DATA on server connections, preventing HTTP/2 request smuggling on Psl\H2\ServerConnection (GHSA-pw9p-jvrm-f7rm)

6.2.0

features

  • feat(either-or-both): introduce EitherOrBoth component - a three-variant disjoint union (Left / Right / Both) for values that may be present on either or both of two sides, inspired by Rust's itertools::EitherOrBoth and Haskell's Data.These. Primary use case: three-way diff of two collections (insert / delete / update events). Secondary: layered config merge, multi-source enrichment, dual-validation, snapshot comparison. Full map / mapLeft / mapRight / mapAny / swap / proceed / apply / containsLeft / containsRight surface; left() / right() / both() free constructors.
  • feat(iter): add Iter\merge_join_by and Iter\merge_join_by_key - full-outer-join stream producers that yield EitherOrBoth events as a rewindable Iter\Iterator. merge_join_by is a lazy two-cursor merge over sorted inputs (O(1) memory on first traversal, Psl\Comparison\Order-returning comparator, matching Rust's itertools::merge_join_by); merge_join_by_key is a hash-based variant for keyed inputs that do not need to be pre-sorted (O(|right|) memory).
  • feat(io): add IO\IterableReadHandle - a streaming ReadHandleInterface that lazily consumes an iterable<string> without buffering the entire content in memory
  • feat(io): add IO\ConcatReadHandle - reads from two handles in sequence, switching to the second when the first reaches EOF
  • feat(io): add IO\JoinedReadWriteHandle - joins a ReadHandleInterface and WriteHandleInterface into a single read-write handle, delegating all operations to the respective underlying handle
  • feat(io): add IO\TeeWriteHandle - writes to two handles simultaneously with backpressure buffering when the second handle is slower
  • feat(io): add IO\SinkWriteHandle - a /dev/null-like write handle that discards all written data
  • feat(io): add IO\SinkReadHandle - a read handle that is always at EOF, unlike MemoryHandle('') which only reports EOF after the first read
  • feat(io): add IO\SinkReadWriteHandle - a sink that discards writes and always reports EOF on reads
  • feat(io): add IO\TruncatedReadHandle - reads up to N bytes from an underlying handle, silently reporting EOF when the limit is reached
  • feat(io): add IO\BoundedReadHandle - reads up to N bytes from an underlying handle, throwing RuntimeException if the underlying handle has more data than the limit allows
  • feat(io): add IO\FixedLengthReadHandle - reads exactly N bytes from an underlying handle, throwing RuntimeException on premature EOF
  • feat(io): add IO\copy_chunked() and IO\copy_bidirectional_chunked() - variants of IO\copy() and IO\copy_bidirectional() that accept a custom chunk size
  • feat(http-client): add SendConfiguration::$connectionTimeout - per-request maximum duration for establishing a connection (TCP + TLS handshake), using a linked cancellation token
  • feat(type): support 'true'/'false' string literals in Type\bool() coercion - #735 by @verweto
  • feat(mime): introduce MIME component - comprehensive MIME toolkit implementing RFC 2045-2049 and related standards
    • Media type parsing, validation, and content negotiation (MediaType, MediaRange, MediaPreferences) per RFC 2045, RFC 6838, RFC 9110
    • MIME part construction with automatic transfer encoding (Part\Text, Part\Data) per RFC 2045
    • Streaming multipart body construction and parsing (MultiPart\Composite, MultiPart\Alternative, MultiPart\Related, MultiPart\Form, MultiPart\Parser) per RFC 2046, RFC 2387, RFC 7578
    • Immutable header collection with RFC 5322 line folding (Headers)
    • Content-Disposition parsing with safe filename extraction (ContentDisposition) per RFC 2183
    • Content-ID parsing, generation, and cid: URI support (ContentId) per RFC 2392
    • RFC 2231 parameter encoding/decoding with continuations and charset conversion (Parameters)
    • Content sniffing from bytes and seekable handles (Sniff\from_string, Sniff\from_handle)
    • S/MIME signing, verification, encryption, and decryption (SMIME\Signer, SMIME\Verifier, SMIME\Encryptor, SMIME\Decryptor) per RFC 5652, RFC 8551
    • DKIM message signing with RSA-SHA256 and Ed25519-SHA256 (DKIM\Signer) per RFC 6376, RFC 8301, RFC 8463
  • feat(message): introduce Message component - RFC 5322 internet message construction, parsing, and serialization
    • Typed header fields with fluent with*() methods (Message) per RFC 5322
    • Address methods accept string|Mailbox|AddressList for convenience
    • Message body as PartInterface from the MIME component per RFC 2045
    • Streaming serialize() and parse() accepting string or ReadHandleInterface
    • Reply, reply-all, and forward with automatic threading headers (In-Reply-To, References) per RFC 5322
    • SMTP envelope derivation (Envelope) per RFC 5321
    • RFC 5322 address parsing: Mailbox, Group, AddressList with RFC 2047 encoded-word support
  • feat(smtp): introduce SMTP component - RFC 5321 SMTP client with connection pooling, TLS, and authentication
    • Low-level Connection implementing Network\StreamInterface for protocol-level SMTP operations
    • High-level Transport managing the full SMTP lifecycle: connect, EHLO/HELO, STARTTLS, AUTH, send, RSET
    • Connection pooling with automatic reuse across multiple sends via TCP\SocketPool
    • Implicit TLS (port 465) and STARTTLS upgrade (RFC 3207) with automatic detection
    • EHLO with HELO fallback per RFC 5321

... (truncated)

Commits
  • 331f3ab chore: update changelog (#779)
  • bd38fdc fix(h2): validate content-length header against received DATA on server conne...
  • 0afab61 fix(splitter): consider all 2xx responses as a success (#776)
  • dafb10a Increase timeout duration in ChildTest (#773)
  • 765b2cd chore(ci): disable mutation tests (#775)
  • ae89197 chore: update to mago 1.29.0 (#774)
  • 2bdccbb chore: upgrade mago version (#772)
  • 5049199 fix(collection): make immutable collection type parameters invariant (#771)
  • d930768 chore(ci): fail CI on warning for lint and analyze (#770)
  • cb86abe feat(type): Allow null argument to Type\class_string to assert or coerce ba...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [php-standard-library/php-standard-library](https://github.com/php-standard-library/php-standard-library) from 6.1.1 to 6.2.1.
- [Release notes](https://github.com/php-standard-library/php-standard-library/releases)
- [Changelog](https://github.com/php-standard-library/php-standard-library/blob/next/CHANGELOG.md)
- [Commits](php-standard-library/php-standard-library@6.1.1...6.2.1)

---
updated-dependencies:
- dependency-name: php-standard-library/php-standard-library
  dependency-version: 6.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 25, 2026
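The check described in the 6.2.1 release notes above, as an added example that is not part of the PR, the release notes or the PSL code base: a stand-alone Python model of the server side of an HTTP/2 stream that parses content-length per RFC 9110 §8.6 and rejects any stream whose cumulative DATA payload exceeds or falls short of it (RFC 9113 §8.1.1). Python is used so the model runs offline; the class and function names, the frame tuples and the sample request headers are all this example's own constructions, not `Psl\H2\ServerConnection` API.

```python
"""
Added example modelling the server-side check from the advisory: parse
content-length from the request HEADERS (RFC 9110 §8.6) and require the DATA
payload total to equal it (RFC 9113 §8.1.1). This is not Psl\H2 code: the
names below are this example's own and every frame is constructed inline.
"""
from __future__ import annotations
from dataclasses import dataclass

class StreamError(Exception):
    """Malformed stream; a real server would answer RST_STREAM(PROTOCOL_ERROR)."""

def parse_content_length(headers: list[tuple[str, str]]) -> int | None:
    """RFC 9110 §8.6: a non-negative decimal integer, or None when absent.
    A comma list passes only if all members agree; signs, blanks, hex and
    empty values are rejected. HTTP/2 field names are lowercase on the wire."""
    raw = [value for name, value in headers if name.lower() == "content-length"]
    if not raw:
        return None
    members = {m.strip() for value in raw for m in value.split(",")}
    if len(members) != 1:
        raise StreamError(f"conflicting content-length values {sorted(members)}")
    text = members.pop()
    if not (text.isascii() and text.isdigit()):  # rejects "", "+5", "-1", "0x10"
        raise StreamError(f"invalid content-length {text!r}")
    return int(text)

@dataclass
class StreamState:
    declared: int | None = None  # content-length value, None when absent
    received: int = 0            # sum of DATA payload lengths, padding excluded
    headers_seen: bool = False
    closed: bool = False

class ServerStreamTracker:
    """Per-stream bookkeeping a server needs to enforce RFC 9113 §8.1.1."""
    def __init__(self) -> None:
        self._streams: dict[int, StreamState] = {}

    def on_headers(self, sid: int, headers: list[tuple[str, str]], end_stream: bool) -> None:
        st = self._streams.setdefault(sid, StreamState())
        if st.closed:
            raise StreamError(f"stream {sid}: frame after END_STREAM")
        if st.headers_seen:
            # Second HEADERS block is trailers: must end the stream, no content-length (RFC 9110 §6.5.1).
            if not end_stream or any(n.lower() == "content-length" for n, _ in headers):
                raise StreamError(f"stream {sid}: malformed trailers")
        else:
            st.headers_seen = True
            st.declared = parse_content_length(headers)
        if end_stream:
            self._finish(sid, st)

    def on_data(self, sid: int, payload: bytes, end_stream: bool) -> None:
        st = self._streams.get(sid)
        if st is None or not st.headers_seen or st.closed:
            raise StreamError(f"stream {sid}: DATA without an open request")
        st.received += len(payload)
        # Overflow is visible on the offending frame; reject before buffering it.
        if st.declared is not None and st.received > st.declared:
            raise StreamError(f"stream {sid}: DATA total {st.received} exceeds content-length {st.declared}")
        if end_stream:
            self._finish(sid, st)

    def _finish(self, sid: int, st: StreamState) -> None:
        st.closed = True
        # A short body is only detectable once END_STREAM arrives.
        if st.declared is not None and st.received != st.declared:
            raise StreamError(f"stream {sid}: DATA total {st.received} != content-length {st.declared}")

def run_scenario(frames: list[tuple]) -> str:
    """Feed (kind, stream_id, headers_or_payload, end_stream) frames in order."""
    tracker = ServerStreamTracker()
    try:
        for kind, sid, body, end in frames:
            if kind == "HEADERS":
                tracker.on_headers(sid, body, end)
            else:
                tracker.on_data(sid, body, end)
    except StreamError as exc:
        return f"reject: {exc}"
    return "ok"

# Constructed request pseudo-headers shared by every scenario below.
POST = [(":method", "POST"), (":scheme", "https"), (":authority", "example.test"), (":path", "/upload")]
SCENARIOS = {
    "exact":         [("HEADERS", 1, POST + [("content-length", "5")], False), ("DATA", 1, b"hello", True)],
    "smuggle_extra": [("HEADERS", 1, POST + [("content-length", "5")], False),
                      ("DATA", 1, b"hello", False), ("DATA", 1, b" world", True)],
    "short_body":    [("HEADERS", 1, POST + [("content-length", "10")], False), ("DATA", 1, b"hello", True)],
    "bad_value":     [("HEADERS", 1, POST + [("content-length", "+5")], False)],
    "with_trailers": [("HEADERS", 1, POST + [("content-length", "5")], False),
                      ("DATA", 1, b"hello", False), ("HEADERS", 1, [("x-checksum", "abc")], True)],
}

def evaluate_all() -> dict[str, str]:
    return {name: run_scenario(frames) for name, frames in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:14s} {verdict}")
```

Run it as a script to see one verdict per scenario. Two details matter for anyone porting this to a real server: the oversized body is rejected on the frame that crosses the declared length, so nothing beyond the limit ever needs to be buffered, whereas the short body can only be detected at END_STREAM, which is why the release notes list both cumulative tracking and a mismatch check. The tracker is deliberately server-only, matching the release's caveat that a client must tolerate HEAD responses that declare a content-length and send no DATA.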