[flex] Symfony 3.x and 4.x removed from Flex endpoint. "extra.symfony.require" has no effect. #1181

Closed
ureimers opened this issue Mar 13, 2023 · 6 comments


ureimers commented Mar 13, 2023

Hello,

We were trying to update the Composer dependencies of our Symfony 4.4 project this morning and realized that various Symfony components got updated to their Symfony 5.x version.

After some digging, we found out that the typical `Restricting packages listed in "symfony/symfony" to "4.4.*"` message wasn't displayed any longer. And after digging into the Flex plugin's code, we found the link to the main flex json: https://raw.githubusercontent.com/symfony/recipes/flex/main/index.json

This led us to this repo, where we found out that the index.json was updated yesterday. See: 4058a63

All Symfony 3.x and 4.x splits were removed, which makes composer fall back to the highest version possible.

This can easily be reproduced by calling `composer create-project symfony/skeleton:"4.4.*" my_project_directory`: the created project uses a variety of Symfony 5.x components, although its composer.json restricts them to 4.4.*.

This makes `composer up` unusable without manually restricting every Symfony component to 4.4.*.

Can someone help? How is this file generated?
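
A check for the drift reported above, added here as an example (not code from Flex or from the issue author): it compares `extra.symfony.require` in composer.json with the versions recorded in composer.lock and returns the Symfony packages that fall outside it. The `SPLIT_PACKAGES` set and both sample files are constructed assumptions, and only the `X.Y.*` constraint form is handled.

```python
import json

# Constructed stand-in for the list of Symfony "splits" Flex reads from its endpoint.
SPLIT_PACKAGES = {"symfony/console", "symfony/framework-bundle", "symfony/yaml"}

# Constructed sample files, embedded inline so the check runs offline.
SAMPLE_COMPOSER_JSON = json.loads("""
{"extra": {"symfony": {"require": "4.4.*"}}}
""")
SAMPLE_COMPOSER_LOCK = json.loads("""
{"packages": [
   {"name": "symfony/console", "version": "v5.4.21"},
   {"name": "symfony/framework-bundle", "version": "v4.4.50"},
   {"name": "symfony/polyfill-mbstring", "version": "v1.27.0"}],
 "packages-dev": [{"name": "symfony/yaml", "version": "v4.4.45"}]}
""")


def find_drift(composer_json, composer_lock, split_packages):
    """Return {package: locked_version} for split packages outside extra.symfony.require."""
    require = composer_json.get("extra", {}).get("symfony", {}).get("require")
    if require is None:
        raise ValueError("extra.symfony.require is not set")
    if not require.endswith(".*"):
        raise ValueError(f"only 'X.Y.*' constraints are handled, got {require!r}")
    prefix = require[:-1]  # "4.4.*" -> "4.4."
    drift = {}
    # Both sections matter: dev dependencies are resolved by the same update.
    for section in ("packages", "packages-dev"):
        for pkg in composer_lock.get(section, []):
            version = pkg["version"]
            bare = version[1:] if version.startswith("v") else version
            # Packages outside the split list (polyfills, Flex itself) version independently.
            if pkg["name"] in split_packages and not bare.startswith(prefix):
                drift[pkg["name"]] = version
    return drift


if __name__ == "__main__":
    for name, version in find_drift(
        SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK, SPLIT_PACKAGES
    ).items():
        print(f"{name} locked at {version}, outside extra.symfony.require")
```

Run against the real files in CI, a non-empty result is a reason to fail the build before the updated lock file is merged.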

@ureimers changed the title on Mar 13, 2023:
from: [flex] Symfony 3.x and 4.x removed from Flex endpoint. "extra.symfony.require" have no effect.
to: [flex] Symfony 3.x and 4.x removed from Flex endpoint. "extra.symfony.require" has no effect.
@fabpot
Member

fabpot commented Mar 13, 2023

I know why these versions were removed: they are not maintained anymore.
@nicolas-grekas We need to find another way here :)

@ureimers
Author

Ah, okay. We had thought about that as well, but as the end-of-bug-fixes was already in November 2022 but the versions were removed just yesterday, we thought it must be something else.

But I see your point, I guess: "Why keep an unmaintained version in Flex's main file?" For 3.x that may hold true, but as 4.x is still receiving security fixes, I think it should still be listed in the file. And after its EOL you'd still want it to be able to fix/limit its version number. ...gets trickier the more I think about it.

@jakubtobiasz

jakubtobiasz commented Mar 23, 2023

Hi!
In case you need a hotfix until the issue has been resolved:

    "extra": {
         ...
+        "symfony": {
+            "endpoint": [
+             "https://raw.githubusercontent.com/symfony/recipes/c8d90298241f176a261dadc4814d7058415a4c1f/index.json"
+            ]
        }
    },
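
Review bot: the `}` on the line after `]` closes the added "symfony" object but carries no `+`, so read literally the hunk leaves the new object unclosed; that line should be marked as added too. If composer.json already has an "extra.symfony" object, "endpoint" belongs inside it rather than in a second "symfony" key. The URL pins index.json to commit c8d90298241f176a261dadc4814d7058415a4c1f, so the project stops following later changes to the index until the override is removed; track its removal alongside this issue.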

It sets the Flex endpoint to the version when it worked. Of course, it should be replaced once the bug is fixed, but for now, it does the job :).

@jordisala1991

But 4.4 is supported until November, right? At least for security issues.

@ureimers
Author

@jordisala1991 correct.

> But 4.4 is supported until November, right? At least for security issues.

Even after that, versions that are no longer supported should still be working with composer. You'd just get the most current old version of each Symfony component ;-)

@fabpot
Member

fabpot commented Mar 29, 2023

I've just fixed it.
