
Locking package to specific hash does not work #266

Closed
mikk150 opened this issue Aug 7, 2024 · 2 comments · Fixed by #276

mikk150 commented Aug 7, 2024

Description

If I want to lock a package that is hosted in Packeton to a specific commit, it states that the reference is the commit I locked it to, but the dist zip is still referencing the newest zip that Packeton knows of.

To reproduce:

  1. Make a composer.json file
{
  "name": "mikk/packeton-bug",
  "type": "project",
  "minimum-stability": "dev",
  "require": {
    "phpstan/phpstan-src": "1.12.x-dev#285ca8b7117a46008039adea0c4806c7d52f21dc"
  },
  "repositories": [
    {
      "type": "composer",
      "url": "https://demo.packeton.org"
    }
  ]
}
  2. Install this project
  3. Observe in composer.lock how the zipball is referencing the wrong commit

Can you reproduce the bug on the Packeton demo site?

Yes

Database

MySQL

Screenshots

No response

How are you running Packeton?

Kubernetes cluster


f3l1x commented Aug 20, 2024

Hi @mikk150, we are facing the same issue, but with branch-alias. We need to do composer update <package>. I think it's the same as you described.

Owner

vtsykun commented Sep 14, 2024

Hi @mikk150

I investigated the issue, and this bug happens because Composer has hardcoded the regex to replace the dist URL commit reference in its library.

Preg::isMatch('{^https?://(?:(?:www\.)?bitbucket\.org|(api\.)?github\.com|(?:www\.)?gitlab\.com)/}i', $this->getDistUrl())

....
$this->setDistUrl(Preg::replace('{(?<=/|sha=)[a-f0-9]{40}(?=/|$)}i', $reference, $this->getDistUrl()));

https://github.com/composer/composer/blob/6778f1f79a56926e4c6131f7c30358ff2c301669/src/Composer/Package/Package.php#L645-L660

But I found a workaround for this issue: I'll change the root Composer metadata format to support mirror URLs.

For example

// /packages.json

{
    "packages": [],
    "notify": "/downloads/%package%",
    "notify-batch": "/downloads/",
    "metadata-changes-url": "/metadata/changes.json",
    "mirrors": [
        {
            "dist-url": "https://pkg8.loc/zipball/%package%/%reference%.%type%",
            "preferred": true
        }
    ],
    "metadata-url": "/p2/%package%.json",
    "available-packages": [  ],
    "providers-lazy-url": "/p/%package%.json"
}

And composer.lock will look like this

        {
            "name": "phpstan/phpstan-src",
            "version": "1.12.x-dev",
            "source": {
                "type": "git",
                "url": "https://github.com/phpstan/phpstan-src.git",
                "reference": "285ca8b7117a46008039adea0c4806c7d52f21dc"
            },
            "dist": {
                "type": "zip",
                "url": "https://pkg8.loc/zipball/phpstan/phpstan-src/2507e387c57b5b9577ee8d02226650880b731697.zip",
                "reference": "285ca8b7117a46008039adea0c4806c7d52f21dc",
                "mirrors": [
                    {
                        "url": "https://pkg8.loc/zipball/%package%/%reference%.%type%",
                        "preferred": true
                    }
                ]
            },
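
A lock-file audit for the mismatch discussed in this thread, as an added example (not code from Packeton or Composer): it flags every composer.lock entry whose dist URL names a commit other than dist.reference and reports whether a preferred mirror template is present. The function name, the `example/*` packages and the sample data are assumptions constructed for illustration, and the treatment of a preferred `%reference%` mirror follows the workaround described above.

```python
import re

# A 40-hex commit id that is not part of a longer hex run.
COMMIT = re.compile(r"(?<![a-f0-9])[a-f0-9]{40}(?![a-f0-9])", re.I)

def find_dist_mismatches(lock):
    """Return lock entries whose dist URL names a commit other than dist.reference."""
    findings = []
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        dist = pkg.get("dist") or {}
        ref = (dist.get("reference") or "").lower()
        if not COMMIT.fullmatch(ref):
            continue  # tag or missing reference: nothing to compare
        url_shas = {s.lower() for s in COMMIT.findall(dist.get("url") or "")}
        if not url_shas or ref in url_shas:
            continue  # URL carries no commit id, or it agrees with the lock
        # Assumption: a preferred mirror template containing %reference% is
        # expanded with the locked reference, as in the workaround above.
        mirrored = any(m.get("preferred") and "%reference%" in (m.get("url") or "")
                       for m in dist.get("mirrors") or [])
        findings.append({"name": pkg.get("name"), "locked": ref,
                         "in_url": sorted(url_shas), "preferred_mirror": mirrored})
    return findings

# Constructed sample lock data; hashes and host are the ones shown in this thread.
LOCKED = "285ca8b7117a46008039adea0c4806c7d52f21dc"
NEWEST = "2507e387c57b5b9577ee8d02226650880b731697"

def _pkg(name, url_sha, mirrors=None):
    dist = {"type": "zip", "reference": LOCKED,
            "url": f"https://pkg8.loc/zipball/{name}/{url_sha}.zip"}
    if mirrors:
        dist["mirrors"] = mirrors
    return {"name": name, "dist": dist}

MIRROR = [{"url": "https://pkg8.loc/zipball/%package%/%reference%.%type%", "preferred": True}]
SAMPLE_LOCK = {
    "packages": [
        _pkg("phpstan/phpstan-src", NEWEST, MIRROR),  # shape after the workaround
        _pkg("example/no-mirror", NEWEST),            # hypothetical: mismatch, no mirror
        _pkg("example/consistent", LOCKED),           # hypothetical: URL agrees
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    for finding in find_dist_mismatches(SAMPLE_LOCK):
        print(finding)
```

Entries reported with `preferred_mirror` set to false are the ones to investigate first, since nothing in the lock entry ties the download to the pinned commit.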
