Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"extra.symfony.require" not enforced anymore #65

Open
darthf1 opened this issue Dec 15, 2023 · 5 comments
Open

"extra.symfony.require" not enforced anymore #65

darthf1 opened this issue Dec 15, 2023 · 5 comments

Comments

@darthf1
Copy link

darthf1 commented Dec 15, 2023
edited
Loading

Hi!

I'm currently on SF 6.4.*, but noticed a lot of indirect SF 7 dependencies were installed. I have the following in my composer.json:

    "extra": {
        "symfony": {
            "allow-contrib": true,
            "require": "6.4.*",
            "endpoint": [
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php/flex/main/index.json",
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php-contrib/flex/main/index.json",
                "flex://defaults"
            ]
        }
    },

When I go back to the default settings, without custom endpoints:

    "extra": {
        "symfony": {
            "allow-contrib": true,
            "require": "6.4.*"
        }
    },

And I run php composer update "symfony/*", I get:

Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "6.4.*"
Updating dependencies
Lock file operations: 0 installs, 20 updates, 0 removals
  - Downgrading symfony/cache (v7.0.0 => v6.4.0)
  - Downgrading symfony/clock (v7.0.0 => v6.4.0)
  - Downgrading symfony/doctrine-bridge (v7.0.0 => v6.4.0)
  - Downgrading symfony/error-handler (v7.0.0 => v6.4.0)
  - Downgrading symfony/filesystem (v7.0.0 => v6.4.0)
  - Downgrading symfony/finder (v7.0.0 => v6.4.0)
  - Downgrading symfony/intl (v7.0.0 => v6.4.0)
  - Downgrading symfony/messenger (v7.0.1 => v6.4.0)
  - Downgrading symfony/mime (v7.0.0 => v6.4.0)
  - Downgrading symfony/monolog-bridge (v7.0.0 => v6.4.0)
  - Downgrading symfony/options-resolver (v7.0.0 => v6.4.0)
  - Downgrading symfony/password-hasher (v7.0.0 => v6.4.0)
  - Downgrading symfony/psr-http-message-bridge (v7.0.0 => v6.4.0)
  - Downgrading symfony/security-core (v7.0.1 => v6.4.0)
  - Downgrading symfony/security-csrf (v7.0.1 => v6.4.0)
  - Downgrading symfony/security-http (v7.0.1 => v6.4.0)
  - Downgrading symfony/stopwatch (v7.0.0 => v6.4.0)
  - Downgrading symfony/string (v7.0.0 => v6.4.0)
  - Downgrading symfony/var-dumper (v7.0.0 => v6.4.0)
  - Downgrading symfony/var-exporter (v7.0.1 => v6.4.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 20 updates, 0 removals
  - Downgrading symfony/string (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/var-dumper (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/error-handler (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/doctrine-bridge (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/var-exporter (v7.0.1 => v6.4.1): Extracting archive
  - Downgrading symfony/filesystem (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/finder (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/cache (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/stopwatch (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/password-hasher (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/security-core (v7.0.1 => v6.4.0): Extracting archive
  - Downgrading symfony/security-http (v7.0.1 => v6.4.0): Extracting archive
  - Downgrading symfony/security-csrf (v7.0.1 => v6.4.0): Extracting archive
  - Downgrading symfony/clock (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/options-resolver (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/psr-http-message-bridge (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/messenger (v7.0.1 => v6.4.0): Extracting archive
  - Downgrading symfony/mime (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/monolog-bridge (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/intl (v7.0.0 => v6.4.0): Extracting archive
Package php-http/message-factory is abandoned, you should avoid using it. Use psr/http-factory instead.
Generating autoload files
168 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
infection/extension-installer: No extensions found
phpstan/extension-installer: Extensions installed

What about running composer global require symfony/thanks && composer thanks now?
This will spread some 💖  by sending a ★  to the GitHub repositories of your fellow package maintainers.

Run composer recipes at any time to see the status of your Symfony recipes.

Executing script cache:clear [OK]
Executing script assets:install public [OK]

No security vulnerability advisories found.

When I add back the custom endspoints as stated in this repositories readme:

    "extra": {
        "symfony": {
            "allow-contrib": true,
            "require": "6.4.*",
            "endpoint": [
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php/flex/main/index.json",
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php-contrib/flex/main/index.json",
                "flex://defaults"
            ]
        }
    },

And I run php composer update "symfony/*", indirect dependencies are again updated to SF7:

Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 20 updates, 0 removals
  - Upgrading symfony/cache (v6.4.0 => v7.0.0)
  - Upgrading symfony/clock (v6.4.0 => v7.0.0)
  - Upgrading symfony/doctrine-bridge (v6.4.0 => v7.0.0)
  - Upgrading symfony/error-handler (v6.4.0 => v7.0.0)
  - Upgrading symfony/filesystem (v6.4.0 => v7.0.0)
  - Upgrading symfony/finder (v6.4.0 => v7.0.0)
  - Upgrading symfony/intl (v6.4.0 => v7.0.0)
  - Upgrading symfony/messenger (v6.4.0 => v7.0.1)
  - Upgrading symfony/mime (v6.4.0 => v7.0.0)
  - Upgrading symfony/monolog-bridge (v6.4.0 => v7.0.0)
  - Upgrading symfony/options-resolver (v6.4.0 => v7.0.0)
  - Upgrading symfony/password-hasher (v6.4.0 => v7.0.0)
  - Upgrading symfony/psr-http-message-bridge (v6.4.0 => v7.0.0)
  - Upgrading symfony/security-core (v6.4.0 => v7.0.1)
  - Upgrading symfony/security-csrf (v6.4.0 => v7.0.1)
  - Upgrading symfony/security-http (v6.4.0 => v7.0.1)
  - Upgrading symfony/stopwatch (v6.4.0 => v7.0.0)
  - Upgrading symfony/string (v6.4.0 => v7.0.0)
  - Upgrading symfony/var-dumper (v6.4.0 => v7.0.0)
  - Upgrading symfony/var-exporter (v6.4.1 => v7.0.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 20 updates, 0 removals
  - Upgrading symfony/string (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/var-dumper (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/error-handler (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/doctrine-bridge (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/var-exporter (v6.4.1 => v7.0.1): Extracting archive
  - Upgrading symfony/filesystem (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/finder (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/cache (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/stopwatch (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/password-hasher (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/security-core (v6.4.0 => v7.0.1): Extracting archive
  - Upgrading symfony/security-http (v6.4.0 => v7.0.1): Extracting archive
  - Upgrading symfony/security-csrf (v6.4.0 => v7.0.1): Extracting archive
  - Upgrading symfony/clock (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/options-resolver (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/psr-http-message-bridge (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/messenger (v6.4.0 => v7.0.1): Extracting archive
  - Upgrading symfony/mime (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/monolog-bridge (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/intl (v6.4.0 => v7.0.0): Extracting archive
Package php-http/message-factory is abandoned, you should avoid using it. Use psr/http-factory instead.
Generating autoload files
168 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
infection/extension-installer: No extensions found
phpstan/extension-installer: Extensions installed

What about running composer global require symfony/thanks && composer thanks now?
This will spread some 💖  by sending a ★  to the GitHub repositories of your fellow package maintainers.

Run composer recipes at any time to see the status of your Symfony recipes.

Executing script cache:clear [OK]
Executing script assets:install public [OK]

No security vulnerability advisories found.

When default and/or the contrib endpoints are specified, the dependencies are also downgraded to 6.4.*.

    "extra": {
        "symfony": {
            "allow-contrib": true,
            "require": "6.4.*",
            "endpoint": [
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php-contrib/flex/main/index.json",
                "flex://defaults"
            ]
        }
    },
@alexander-schranz
Copy link
Member

The recipe repositories do not provide any logic. The logic would be in symfony/flex project if false version are installed.

@nicolas-grekas do you have an idea why this appears?

@darthf1 does it only appear when custom recipes endpoints are configured?

@darthf1
Copy link
Author

darthf1 commented Dec 15, 2023
edited
Loading

The recipe repositories do not provide any logic. The logic would be in symfony/flex project if false version are installed.

Ah ok, makes absolute sense!

@darthf1 does it only appear when custom recipes endpoints are configured?

Yes. I updated the first post with more examples. Without custom recipes I'm staying on 6.4.x. With the non-contrib custom recipe, dependencies are updated to 7.0.x

@alexander-schranz
Copy link
Member

Does a second run of composer update changes anything or removing composer.lock, symfony.lock and vendor? Also make sure that you use the latest version of symfony/flex, maybe its an older bug which was already fixed.

@darthf1
Copy link
Author

darthf1 commented Dec 15, 2023

Does a second run of composer update changes anything

No (I ran composer update "symfony/*" multiple times)

or removing composer.lock, symfony.lock and vendor?

No (I removed the files and folder you mentioned, and ran composer install)

Also make sure that you use the latest version of symfony/flex, maybe its an older bug which was already fixed.

Im on 2.4.2 which is the latest.

@nicolas-grekas
Copy link

Flex relies on the versions.slits entries to decide which packages the restriction applies to. Since 7.0 is not in this repo, flex doesn't enforce the restriction.

This might be something to improve either on flex' side (it could account for the data in the stack of endpoints) or in this repo. I don't remember the exact rules that flex uses for merging endpoints so maybe there's already a way to rely on the default endpoint (by not listing this entry here?). The for-sure fix is to sync the entries with upstream (but it'd be nice to find a way that doesn't require updating this repo everytime a new Symfony release is made).

Let me know your findings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nicolas-grekas @alexander-schranz @darthf1