Skip to content

[PAR-778] Bump integration-core to ~5.3.0#19

Merged
mescalantea merged 1 commit into
masterfrom
chore/PAR-778-bump-core-5.3
May 22, 2026
Merged

[PAR-778] Bump integration-core to ~5.3.0#19
mescalantea merged 1 commit into
masterfrom
chore/PAR-778-bump-core-5.3

Conversation

@mescalantea
Copy link
Copy Markdown
Contributor

@mescalantea mescalantea commented May 22, 2026

What is the goal?

Bumps sequra/integration-core from ~5.2.0 to ~5.3.0. v5.3.0 introduces an optional StoreUrlProviderInterface (sequra/integration-core#62) that lets integrations expose a cheap getStoreUrl() lookup for the webhook HMAC payload, avoiding the cost of building a full StoreInfo on every register, delete and inbound webhook validation.

The bump is fully backwards-compatible: StoreUrlProviderInterface is a new optional companion to StoreInfoServiceInterface, and StoreInfoServiceInterface itself is unchanged — no integrator is forced to change anything to upgrade.

References

How is it being implemented?

  • Composer constraint bumped from ~5.2.0 to ~5.3.0.
  • composer.lock refreshed via composer update sequra/integration-core --with-dependencies. Only the core itself moved (v5.2.0 → v5.3.0); no transitive churn.
  • No middleware src/ change. The new interface is a downstream integrator-level opt-in; the middleware itself does not provide a StoreInfoServiceInterface implementation, so nothing here needs to opt in.

Caveats

  • Integrators implementing StoreInfoServiceInterface do not need to change anything to upgrade — the new interface is pure opt-in.
  • Integrators whose getStoreInfo() is expensive (live API calls to populate fields the HMAC does not use) can adopt by adding implements StoreUrlProviderInterface alongside their existing StoreInfoServiceInterface and returning a cheap storeUrl string. Signatures are byte-identical across both paths, so adoption never invalidates a previously-issued webhook URL.

Does it affect (changes or update) any sensitive data?

No — this change only touches composer.json / composer.lock. The HMAC payload, signature secret and inbound webhook validation behaviour upstream are unchanged.

How is it tested?

  • composer validate --strict passes after the bump.
  • vendor/bin/phpunit was not re-run locally (the local test env is not bootstrapped — pre-existing limitation unchanged by this PR). The middleware src/ is untouched, so existing tests are not affected.

How is it going to be deployed?

Standard deployment. Tag the next minor (v3.2.0) once merged; downstream integrators pick it up via their existing ^3.0 constraints on sequra/middleware.

@mescalantea
[PAR-778] Bump integration-core to ~5.3.0
d849b91 
Picks up StoreUrlProviderInterface (sequra/integration-core#62), which
lets integrations expose a cheap storeUrl lookup for the webhook HMAC
payload instead of paying the cost of building a full StoreInfo on every
register, delete and inbound webhook validation. Fully backwards-
compatible: existing integrations keep working unchanged via the legacy
getStoreInfo() path.
@mescalantea mescalantea requested a review from a team as a code owner May 22, 2026 15:20
@mescalantea mescalantea requested review from m1k3lm and removed request for a team May 22, 2026 15:20
@mescalantea mescalantea merged commit 9387033 into master May 22, 2026
4 checks passed
@mescalantea mescalantea deleted the chore/PAR-778-bump-core-5.3 branch May 22, 2026 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@m1k3lm m1k3lm Awaiting requested review from m1k3lm m1k3lm is a code owner automatically assigned from sequra/partnerships

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mescalantea