DX: lock SCA tools for PR builds #6217
Conversation
| "platform-overrides": { | ||
| "php": "7.4" | ||
| }, | ||
| "plugin-api-version": "2.1.0" |
There was a problem hiding this comment.
i don't see any value in analysing the lock file on this moment and it doesn't bother anyone but you
There was a problem hiding this comment.
it doesn't bother anyone but you
I thought you were better than this... In fact I was hoping you would update your Composer and discover by yourself this new option of Composer 2.2 and update composer.json accordingly.
There was a problem hiding this comment.
you quoted part of my line. let me rephrase (the whole line) - I'm not aware of benefits for doing so, if any - you didn't bother to mention any initially, and everyone else already approved the PR.
You want to be picky? tell ppl what to update.
You want to share some interesting idea? give the reasoning from start - it works way better ;)
There was a problem hiding this comment.
tell ppl what to update.
I did 
Update your Composer :)
Well, it will stop working in July, so I guess no need to update it right now :P
it won't lock the deep-deps (dependencies of dependency) |
keradus
force-pushed
the
dev-tools-lock
branch
from
1982cf7
to
e9a48fa
Compare
Obviously, but why do we need to lock them? If some dependency needs to be locked that mean it should be explicitly added to |
|
I wouldn't share that claim, myself. |
|
Thank you @keradus. |
We recently had an issue that master started to fail because on an update of PHPStan, starting detecting new issues.
To avoid confusion for contributors, we suggested on maintainers meeting to lock the dev-tools and updated them occasionally (eg once per Q). Same time, for master build, that is observed mostly by maintainers, we can still look for bleeding-edge version of SCA tools