Magento 2.4.7-p8+ Installation Blocked? PHP 8.3 & Composer Conflicts Solved
Urgent Alert: Magento 2.4.7-p8+ Installation Blocked by PHP 8.3 & Composer Conflicts
Magento 2.4.7-p8+ was intended to bring enhanced stability and security, but a critical issue has emerged, preventing fresh installations and updates on newer PHP versions. This community insight from Shopping Mover dives into GitHub Issue #40539, where users are reporting complete blockage when attempting to install Magento Open Source 2.4.7-p8+ (and even 2.4.8-p3) via Composer on PHP 8.3 and even PHP 8.2 environments. This is a significant concern for developers and merchants aiming for the latest Magento releases and modern PHP stacks.
The Core Problem: Dependency Conflicts and Security Advisories
The primary author, Den4ik, meticulously outlined the multi-faceted problem:
- PHP 8.3 Incompatibility: Despite Magento 2.4.7 officially supporting PHP 8.3, core components like magento/framework (103.0.x) and several Payment Services modules (e.g., magento/module-payment-services-base, magento/services-connector) explicitly restrict PHP versions to ~8.1.0||~8.2.0. This creates an immediate and hard block for PHP 8.3 users.
- Critical Security Advisory on firebase/php-jwt: A major hurdle on both PHP 8.2 and 8.3 is the dependency on firebase/php-jwt ^6.0.0. Composer blocks these versions due to a security advisory (PKSA-y2cr-5h3j-g3ys), which points to weak cryptography in JWT handling. This package is a requirement for magento/services-connector, effectively halting installations.
- Additional Module Conflicts: A conflict with paypal/module-braintree 4.7.0 within the adobe-commerce/os-extensions-metapackage ~1.0 further complicates the installation process, particularly on PHP 8.3.
The reproduction steps are straightforward, leading to immediate dependency resolution failures:
composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition . 2.4.7-p8
Composer's output clearly illustrates the conflict:
- magento/framework[...] require php ~8.1.0||~8.2.0 -> your php version (8.3.24) does not satisfy that requirement.
- magento/services-connector[1.3.5, ..., 1.3.6] require firebase/php-jwt ^6.0.0 -> ... affected by "PKSA-y2cr-5h3j-g3ys"
Community Confirmation and Actionable Solutions
The issue quickly gained traction, with other community members confirming its widespread nature. User likearocket reported similar errors on a 2.4.8-p3 site running PHP 8.4, indicating the problem extends beyond the initially reported versions and PHP environments. Damienwebdev further corroborated the bug, providing crucial workarounds:
- Composer Version Rollback: A temporary fix involves rolling Composer back to 2.8.12. This might bypass some of the stricter dependency resolution checks introduced in newer Composer versions.
- Update magento/services-connector: A more direct solution is to update the magento/services-connector module to version 1.3.8. This version likely addresses the underlying dependency on the vulnerable firebase/php-jwt versions.
- MageOS Mirror Fix: For those utilizing the MageOS mirror, an update (https://github.com/mage-os/generate-mirror-repo-js/pull/290) was implemented to ensure magento/services-connector:1.3.8 is available, resolving potential "missing package" errors.
While a clean workaround for PHP 8.3 without risking compatibility was initially elusive, the community's input, particularly the update to magento/services-connector:1.3.8, offers a more robust path forward. For PHP 8.2 users, temporarily ignoring the audit with composer config audit.ignore "PKSA-y2cr-5h3j-g3ys" can allow installation, but this only silences the advisory: the firebase/php-jwt release it flags for weak cryptography in JWT handling is still what gets installed.
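A post-install check for the three conditions discussed above, as an added example that is not code from the GitHub issue or from Magento. It reads a project's composer.json and composer.lock and reports a lingering audit.ignore entry for the advisory, locked packages whose PHP constraint excludes the running PHP version, and a magento/services-connector below 1.3.8. The function names and sample data are assumptions, and the constraint evaluator handles only the `~X.Y.Z||~X.Y.Z` form shown in the Composer output.

```python
import json
import re

ADVISORY = "PKSA-y2cr-5h3j-g3ys"  # advisory ID quoted on this page
FIXED_CONNECTOR = (1, 3, 8)       # services-connector version the page gives as the fix

# Constructed sample inputs (not from a real project); versions are illustrative.
SAMPLE_JSON = json.dumps({"config": {"audit": {"ignore": [ADVISORY]}}})
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.7",
     "require": {"php": "~8.1.0||~8.2.0"}},
    {"name": "magento/services-connector", "version": "1.3.6",
     "require": {"php": "~8.1.0||~8.2.0", "firebase/php-jwt": "^6.0.0"}},
]})

def parse_version(text):
    """Leading numeric parts of a version string, e.g. '8.3.24' -> (8, 3, 24)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(n) for n in m.groups(default="0"))

def php_allowed(constraint, php_version):
    """True/False for '~X.Y.Z' alternatives joined by '||'; None for other forms."""
    running = parse_version(php_version)
    for alt in re.split(r"\s*\|\|?\s*", constraint.strip()):
        m = re.fullmatch(r"~(\d+)\.(\d+)\.(\d+)", alt)
        if m is None:
            return None  # outside the narrow form this example evaluates
        low = tuple(map(int, m.groups()))
        # ~X.Y.Z admits >=X.Y.Z and <X.(Y+1).0
        if low <= running < (low[0], low[1] + 1, 0):
            return True
    return False

def review(composer_json, composer_lock, php_version):
    """Findings: lingering audit suppression, PHP-blocked packages, old connector."""
    findings = []
    ignore = json.loads(composer_json).get("config", {}).get("audit", {}).get("ignore", [])
    if ADVISORY in ignore:  # covers both the list form and the {id: reason} form
        findings.append(f"audit.ignore suppresses {ADVISORY}")
    for pkg in json.loads(composer_lock).get("packages", []):
        php_req = pkg.get("require", {}).get("php")
        if php_req and php_allowed(php_req, php_version) is False:
            findings.append(f"{pkg['name']} requires php {php_req}")
        if pkg["name"] == "magento/services-connector" and parse_version(pkg["version"]) < FIXED_CONNECTOR:
            findings.append(f"{pkg['name']} {pkg['version']} is below 1.3.8")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_JSON, SAMPLE_LOCK, "8.3.24")))
```

An empty result on a real project means the suppression has been removed and the locked connector is at 1.3.8 or later; constraints the evaluator cannot parse are skipped rather than reported.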
Shopping Mover's Take
This GitHub issue highlights a critical challenge for Magento users seeking to adopt the latest platform versions and modern PHP environments. The swift community response, identifying root causes and proposing actionable solutions, underscores the power of open-source collaboration. For anyone planning a Magento 2.4.7-p8+ or 2.4.8-p3 installation or upgrade, these insights are invaluable. Staying updated on such issues and their workarounds is paramount for a smooth migration or development process.