Issue #3551511: Allow paragonie/constant_time_encoding ^3.0 in 8.x-1.x (!162) · Merge requests · project / tfa

Problem/Motivation

Projects based on drupal/recommended-project with Drupal core 10.2.0 or later require paragonie/constant_time_encoding:^3.0. The current tfa 8.x-1.x constraint (^1 || ^2) prevents upgrading to 1.12.0 in those projects. Composer often silently skips the update; the conflict is revealed by composer why-not drupal/tfa 1.12.0 or a --dry-run require.

Proposed resolution

Widen paragonie/constant_time_encoding to ^1.0 || ^2.0 || ^3.0. This matches the API used by TFA (Encoding/Base32) and is compatible with v3.

Steps to reproduce

Use a project based on drupal/recommended-project with Drupal core 10.2.0 or later.
Ensure the project requires paragonie/constant_time_encoding:^3.0.
Run composer update drupal/tfa -W.
Observe TFA 1.12.0 does not apply; composer why-not shows the v3 constraint conflict.

Justification

The Encoding class and methods used by TFA are unchanged in v3.
Manual testing confirms compatibility with v3 (TOTP works as expected).
This change unblocks Composer updates and avoids unnecessary conflicts.

Related issues

https://www.drupal.org/project/tfa/issues/3498141

Issue #3551511: Allow paragonie/constant_time_encoding ^3.0 in 8.x-1.x

Problem/Motivation

Proposed resolution

Steps to reproduce

Justification

Related issues

Merge request reports