Update dependency amphp/http-server to v3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
amphp/http-server	^2.1 → ^3.0

---

Release Notes

amphp/http-server (amphp/http-server)

v3.4.4: 3.4.4

Compare Source

What's Changed

Fixed "MadeYouReset" HTTP/2 DoS attack vector described by CVE-2025-8671 and https://kb.cert.org/vuls/id/767506.

Stream reset protection has been refactored to account for the number of reset streams within a sliding time window. Note that your application must expose HTTP/2 connections directly to be affected by this vulnerability. Servers behind a proxy using HTTP/1.x such as nginx are not affected.

Full Changelog: amphp/http-server@v3.4.3...v3.4.4

v3.4.3: 3.4.3

Compare Source

What's Changed

• Avoid hanging requests in case a request body is closed prematurely by @​danog in #​380
• Fix parsing of raw ipv6 address in host header by @​luzrain in #​378

New Contributors

• @​danog made their first contribution in #​380

Full Changelog: amphp/http-server@v3.4.2...v3.4.3

v3.4.2: 3.4.2

Compare Source

What's Changed

• Forward Cancellation in ConnectionLimitingServerSocket by @​Fneufneu in #​377

New Contributors

• @​Fneufneu made their first contribution in #​377

Full Changelog: amphp/http-server@v3.4.1...v3.4.2

v3.4.1: 3.4.1

Compare Source

What's Changed

• Fixed #​376, removing calls to deprecated methods in league/uri, dropping support for league/uri@6.x
• Fixed #​367 and #​370 where a pending request could cause the server to hang during shutdown. Pending request reads are now cancelled when shutting down the HTTP/1.1 driver.

Full Changelog: amphp/http-server@v3.4.0...v3.4.1

v3.4.0: 3.4.0

Compare Source

What's Changed

• Fix method property in logger context by @​luzrain in #​373
• Add ExceptionHandler interface and middleware by @​trowski in #​375
• Add _ to host validation by @​maximal in #​372
• Fixed issue #​371, suspending the connection or stream timeout until the request handler returns a response.

New Contributors

• @​luzrain made their first contribution in #​373
• @​maximal made their first contribution in #​372

Full Changelog: amphp/http-server@v3.3.1...v3.4.0

v3.3.1: 3.3.1

Compare Source

What's Changed

• Made implicit nullable types explicit to avoid deprecation notice in PHP 8.4
• Typo in README.md by @​tncrazvan in #​361

New Contributors

• @​tncrazvan made their first contribution in #​361

Full Changelog: amphp/http-server@v3.3.0...v3.3.1

v3.3.0: 3.3.0

Compare Source

What's Changed

• RequestBody now implements Stringable so the entire request body can be buffered by simply casting the object to a string (note the request body length limits still apply).
• Fixed the HTTP/2 initial window size being potentially larger than the client would accept.
• Fixed incrementing the HTTP/2 window size if the body size limit is very large.
• ClientException now extends Amp\ByteStream\StreamException to avoid violating the ReadableStream interface by throwing a non-StreamException from a stream method.

New Contributors

• @​cwhite92 made their first contribution in #​353
• @​foremtehan made their first contribution in #​356

Full Changelog: amphp/http-server@v3.2.0...v3.3.0

v3.2.0: 3.2.0

Compare Source

• Allowed league/uri@v7.1 and psr/message@v2
• Added previous param to HttpErrorException constructor

Full Changelog: amphp/http-server@v3.1.0...v3.2.0

v3.1.0: 3.1.0

Compare Source

What's Changed

• Add HttpErrorException by @​kelunik in #​352

Full Changelog: amphp/http-server@v3.0.0...v3.1.0

v3.0.0: 3.0.0

Compare Source

Stable release compatible with AMPHP v3 and fibers! 🎉

As with other libraries compatible with AMPHP v3, most cases of parameters or returns of Promise<ResolutionType> have been replaced with ResolutionType.

The RequestHandler and Middleware interfaces along with the Request and Response objects are largely unchanged with the exception of replacing Promise objects with the resolution type.

• The return type of RequestHandler::handleRequest() and Middleware::handleRequest() has changed from Promise<Response> to Response.
• Request and response bodies must be an instance of ReadableStream or a string (note the interface name change in amphp/byte-stream). null will no longer be cast to an empty body.

Creating an HTTP Server

Initializing a server has changed significantly.

The Options object has been removed, replaced by constructor parameters on various components. PHP 8.0's named parameters allows only defining the parameters you wish to override without the need to define those you do not wish to change.

HttpServer is now an interface. ServerObserver has been removed and replaced with onStart() and onStop() methods on the HttpServer interface. SocketHttpServer is the provided default implementation of HttpServer. The methods getLogger(), getRequestHandler(), and getErrorHandler() are no longer part of HttpServer to avoid the interface being used as a service-locator.

In addition to the constructor, SocketHttpServer provides two convenience static constructors for common use-cases.

• createForDirectAccess() — Creates an instance appropriate for direct access by the public
• createForBehindProxy() — Creates an instance appropriate for use when behind a proxy service such as nginx'

Listening interfaces are provided to SocketHttpServer using the expose() method. The RequestHandler and ErrorHandler instances are not provided to the constructor, instead being provided to the SocketHttpServer::start() method. As these objects are provided after constructing the HttpServer instance, RequestHandlers may now require an instance of HttpServer in their constructors to attach start and stop handlers.

SocketServer instances are then created by SocketHttpServer using an instance of SocketServerFactory passed to the constructor. This allows server bind contexts to be initialized based on the provided (or default) HttpDriverFactory.

Below is the "Hello, World!" example from examples/hello-world.php as an example of initializing a SocketHttpServer instance.

<?php

require dirname(__DIR__) . "/vendor/autoload.php";

use Amp\ByteStream;
use Amp\Http\HttpStatus;
use Amp\Http\Server\DefaultErrorHandler;
use Amp\Http\Server\Driver\SocketClientFactory;
use Amp\Http\Server\Request;
use Amp\Http\Server\RequestHandler;
use Amp\Http\Server\Response;
use Amp\Http\Server\SocketHttpServer;
use Amp\Log\ConsoleFormatter;
use Amp\Log\StreamHandler;
use Amp\Socket;
use Monolog\Logger;
use Monolog\Processor\PsrLogMessageProcessor;
use function Amp\trapSignal;

// Run this script, then visit http://localhost:1337/ or https://localhost:1338/ in your browser.

$cert = new Socket\Certificate(__DIR__ . '/../test/server.pem');

$context = (new Socket\BindContext)
        ->withTlsContext((new Socket\ServerTlsContext)
                ->withDefaultCertificate($cert));

$logHandler = new StreamHandler(ByteStream\getStdout());
$logHandler->pushProcessor(new PsrLogMessageProcessor());
$logHandler->setFormatter(new ConsoleFormatter());
$logger = new Logger('server');
$logger->pushHandler($logHandler);
$logger->useLoggingLoopDetection(false);

$server = new SocketHttpServer(
    $logger,
    new Socket\ResourceServerSocketFactory(),
    new SocketClientFactory($logger),
);

$server->expose("0.0.0.0:1337");
$server->expose("[::]:1337");
$server->expose("0.0.0.0:1338", $context);
$server->expose("[::]:1338", $context);

$server->start(new class implements RequestHandler {
    public function handleRequest(Request $request): Response
    {
        return new Response(
            status: HttpStatus::OK,
            headers: ["content-type" => "text/plain; charset=utf-8"],
            body: "Hello, World!",
        );
    }
}, new DefaultErrorHandler());

// Await a termination signal to be received.
$signal = trapSignal([SIGHUP, SIGINT, SIGQUIT, SIGTERM]);

$logger->info(sprintf("Received signal %d, stopping HTTP server", $signal));

$server->stop();

New Middlewares

• Added ConcurrencyLimitingMiddleware to limit the number of requests which may be concurrently handled by the server.
• Added ForwardedMiddleware and associated Forwarded class and ForwardedHeaderType enum. This middleware parses either Forwarded or X-Forwarded-For headers to determine the original client address when used behind a proxy supporting these headers.
• Added AllowedMethodsMiddleware which limits the allowed HTTP verbs used by requests. This middleware is used automatically by SocketHttpServer. The allowed methods can be specified through a constructor parameter, using null to disable the middleware.

HTTP Drivers

Generally consumers of this library need not worry about these changes unless they implemented their own HTTP driver or interacted with the Client interface beyond grabbing client metadata.

• Client is a significantly thinner interface, consisting of only metadata about the client connection.
• • HttpDriver instances now handle responding to requests instead of the Client object.
• HttpDriver::setup() has been replaced with HttpDriver::handleClient. Rather than returning a Generator parser which is fed data read from the client, this method is instead expected to read/write data from the provided streams itself.
• HttpDriver::write() has been removed, as writing to the client should be handled internally within the driver.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.