Well, it would break the backward compatibility, so we should do this only when a new major version is released

I don't agree. Moreover, allowing PSR-7 v3 would cause real issues. If people really want to use super old insecure code, composer will still let them do it by resolving an older version of your library, or by pretending their older version of guzzle is a newer version using the as syntax.

It is very common for people to bump versions of dependencies in patch and minor releases across the PHP ecosystem, both among packages that claim they follow semver, but do a bad job, and those that actually follow it well.

Ok, let's try it.
Thanks for PR.

FYI there are now some additional CVEs relevant to guzzlehttp/psr7 that I published last week. There is no patch for the dead 1.x line. I don't think we need to bother incrementing the versions at this time though, because the code paths are not reachable from this library. 1.x is EOL as of 2024-06-30. The CVEs are:

• GHSA-34xg-wgjx-8xph
• GHSA-hq7v-mx3g-29hw