Check meta-data deserialization capabilities in PHP 8

[ohader]

• php/php-src@0c238ed
• [RFC] Only unserialize Phar metadata when getMetadata() is called php/php-src#5855

Also, change the signature from getMetadata()
to getMetadata(array $unserialize_options = []).
Start throwing earlier if setMetadata() is called and serialization threw.

Scope for this package, craft a bunch of exploits for PHP 8 and see whether it works.
In case it does, this package probably could "hand over" Phar handling to native PHP 8 then...

[andypost]

Other option is using class aliases for different versions of PHP(

[alexpott]

Given that this library is not responsible for registering itself as a stream wrapper I think it's up to the calling code to decide what to do for PHP 8 - i.e. to not register the wrapper. If we want projects to be able to be both PHP 7 and PHP 8 compatible with the same code base then we need to allow this to be in a composer.json for a project that supports both of them.

#65 does to quickish thing of allowing install on PHP 8.0. The other option would be to release a new release which has the same API but does nothing other than passthrough to the PHP streamwrapper. But I think it's better for projects like Drupal to only register the wrapper when running on PHP 7.

[ohader]

Referenced commit adds basic check against meta-data deserialization in PHP 8.x. I agree that this library should not add more magic on checking PHP versions - enabling or disabling Phar stream wrapper has do be done individually by corresponding projects and integrations.