[Security] Bump symfony/http-client from 5.0.7 to 5.1.8

[dependabot-preview]

Bumps symfony/http-client from 5.0.7 to 5.1.8. This update includes a security fix.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

CVE-2020-15094: Prevent RCE when calling untrusted remote with CachingHttpClient

Affected versions: >=4.3.0, =5.1.0, <5.1.5

Release notes

Sourced from symfony/http-client's releases.

v5.1.8

Changelog (symfony/http-client@v5.1.7...v5.1.8)

• bug #38647 relax auth bearer format requirements (xabbuh)
• bug #38551 Remove content-type check on toArray methods (jderusse)
• bug #38530 fix reading the body after a ClientException (nicolas-grekas)
• bug #38493 Fix CurlHttpClient memory leak (HypeMC)

v5.1.7

Changelog (symfony/http-client@v5.1.6...v5.1.7)

• bug #38388 Always "buffer" empty responses (nicolas-grekas)
• bug #38375 fix using proxies with NativeHttpClient (nicolas-grekas)
• bug #38368 Fix using https with proxies (bohanyang)

v5.1.6

Changelog (symfony/http-client@v5.1.5...v5.1.6)

• bug #38248 Allow bearer token with colon (stephanvierkant)
• bug #38215 Support for CURLOPT_LOCALPORT (derrabus)
• bug #38173 don't calculate alternatives if option is auth_ntlm (ybenhssaien)
• bug #38148 fail properly when the server replies with HTTP/0.9 (nicolas-grekas)
• bug #38122 Fix Array to string conversion notice when parsing JSON error body with non-scalar detail property (emarref)
• bug #38086 with "bindto" with NativeHttpClient (nicolas-grekas)

v5.1.5

Changelog (symfony/http-client@v5.1.4...v5.1.5)

• no changes

v5.1.4

Changelog (symfony/http-client@v5.1.3...v5.1.4)

• bug #37966 Throw when the response factory callable does not return a valid response (fancyweb)
• bug #37927 fix chaining promises returned by HttplugClient (CthulhuDen)

v5.1.3

Changelog (symfony/http-client@v5.1.2...v5.1.3)

• bug #37491 Fix promise behavior in HttplugClient (brentybh)
• bug #37484 Fix http_version option usage (fancyweb)
• bug #37486 fix parsing response headers in CurlResponse (nicolas-grekas)
• bug #37440 fix casting TraceableResponse to php streams (nicolas-grekas)
• bug #37379 Support for cURL handler objects (derrabus)
• bug #37400 unset activity list when creating CurlResponse (nicolas-grekas)
• bug #37319 Convert CurlHttpClient::handlePush() to instance method (mpesari)

v5.1.2

Changelog (symfony/http-client@v5.1.1...v5.1.2)

Changelog

Sourced from symfony/http-client's changelog.

CHANGELOG

5.2.0

• added AsyncDecoratorTrait to ease processing responses without breaking async
• added support for pausing responses with a new pause_handler callable exposed as an info item
• added StreamableInterface to ease turning responses into PHP streams
• added MockResponse::getRequestMethod() and getRequestUrl() to allow inspecting which request has been sent
• added EventSourceHttpClient a Server-Sent events stream implementing the EventSource specification
• added option "extra.curl" to allow setting additional curl options in CurlHttpClient
• added RetryableHttpClient to automatically retry failed HTTP requests.
• added extra.trace_content option to TraceableHttpClient to prevent it from keeping the content in memory

5.1.0

• added NoPrivateNetworkHttpClient decorator
• added AmpHttpClient, a portable HTTP/2 implementation based on Amp
• added LoggerAwareInterface to ScopingHttpClient and TraceableHttpClient
• made HttpClient::create() return an AmpHttpClient when amphp/http-client is found but curl is not or too old

4.4.0

• added canceled to ResponseInterface::getInfo()
• added HttpClient::createForBaseUri()
• added HttplugClient with support for sync and async requests
• added max_duration option
• added support for NTLM authentication
• added StreamWrapper to cast any ResponseInterface instances to PHP streams.
• added $response->toStream() to cast responses to regular PHP streams
• made Psr18Client implement relevant PSR-17 factories and have streaming responses
• added TraceableHttpClient, HttpClientDataCollector and HttpClientPass to integrate with the web profiler
• allow enabling buffering conditionally with a Closure
• allow option "buffer" to be a stream resource
• allow arbitrary values for the "json" option

4.3.0

• added the component

Commits

• 97a6a1f Merge branch '4.4' into 5.1
• 3ead7e2 Merge branch '3.4' into 4.4
• 4fcda3c bug #38647 [HttpClient] relax auth bearer format requirements (xabbuh)
• 85b2573 [HttpClient] relax auth bearer format requirements
• bc1db73 Merge branch '4.4' into 5.1
• 64db290 skip Vulcain-based tests if the binary cannot be executed
• 1be53c0 Merge branch '4.4' into 5.1
• dc1d062 Fix tests
• 5bef2a8 Remove content-type check on toArray methods
• ad366c9 Merge branch '4.4' into 5.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)