DX: lock SCA tools for PR builds #6217
Conversation
I'd vote for removing ^ from dev-tools/composer.json instead of having dev-tools/composer.lock committed, 4k lines of unnecessary noise.
"platform-overrides": { | ||
"php": "7.4" | ||
}, | ||
"plugin-api-version": "2.1.0" |
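Review bot: "plugin-api-version": "2.1.0" in the committed lock shows it was written by a Composer release older than 2.2, which is what the "Update your Composer" reply below is pointing at; regenerate dev-tools/composer.lock with the same Composer version the builds use, so this metadata matches and the next `composer update` does not churn these lines for no reason.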
Update your Composer :)
@keradus ping ☝🏼
I don't see any value in analysing the lock file at this moment, and it doesn't bother anyone but you.
it doesn't bother anyone but you
I thought you were better than this... In fact, I was hoping you would update your Composer, discover this new option of Composer 2.2 by yourself, and update composer.json accordingly.
You quoted part of my line. Let me rephrase (the whole line): I'm not aware of any benefits of doing so; you didn't bother to mention any initially, and everyone else had already approved the PR.
You want to be picky? Tell ppl what to update.
You want to share some interesting idea? Give the reasoning from the start; it works way better ;)
tell ppl what to update.
I did
Update your Composer :)
Well, it will stop working in July, so I guess there's no need to update it right now :P
It won't lock the deep deps (dependencies of dependencies).
Compare 1982cf7 to e9a48fa
👍
Obviously, but why do we need to lock them? If some dependency needs to be locked, that means it should be explicitly added to
I wouldn't share that claim, myself.
Thank you @keradus.
We recently had an issue where master started to fail because an update of PHPStan started detecting new issues.
To avoid confusion for contributors, we suggested at the maintainers' meeting to lock the dev-tools and update them occasionally (e.g. once per quarter). At the same time, for the master build, which is observed mostly by maintainers, we can still look for the bleeding-edge version of SCA tools.
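The disagreement in this thread, whether dropping `^` from dev-tools/composer.json is a substitute for committing dev-tools/composer.lock and the reply that it won't lock the deep deps, can be made concrete by reading both files. The script below is an added example, not code from the project this PR belongs to; the composer.json and composer.lock it parses are constructed samples in the shape Composer writes, with made-up package names and versions, not the real dev-tools files from this PR. It reports what pinning direct constraints would cover, which transitive packages only the lock pins, whether the lock is out of sync with composer.json, and whether the lock's plugin-api-version shows it was written by a Composer older than 2.2 (the point of the "Update your Composer" exchange).

```python
"""Compare a composer.json against its composer.lock.

Added example, not project code. COMPOSER_JSON and COMPOSER_LOCK below are
constructed samples in Composer's file shape; the packages and versions are
made up for illustration.
"""
import json

# Constructed sample: direct dev-tools requirements with caret constraints.
COMPOSER_JSON = json.loads("""
{
  "require-dev": {
    "phpstan/phpstan": "^1.4",
    "vimeo/psalm": "^4.20"
  },
  "config": {
    "platform": {"php": "7.4"}
  }
}
""")

# Constructed sample lock: what `composer update` resolved, including two
# transitive packages that no constraint in composer.json names.
COMPOSER_LOCK = json.loads("""
{
  "packages": [],
  "packages-dev": [
    {"name": "phpstan/phpstan", "version": "1.4.6",
     "require": {"php": "^7.1|^8.0"}},
    {"name": "vimeo/psalm", "version": "4.22.0",
     "require": {"nikic/php-parser": "^4.13", "webmozart/path-util": "^2.3"}},
    {"name": "nikic/php-parser", "version": "4.13.2", "require": {}},
    {"name": "webmozart/path-util", "version": "2.3.0", "require": {}}
  ],
  "platform-overrides": {"php": "7.4"},
  "plugin-api-version": "2.2.0"
}
""")


def direct_requirements(composer_json):
    """Package -> constraint for everything composer.json names directly
    (require and require-dev). Platform packages such as "php" or "ext-*"
    have no vendor/ prefix and are skipped."""
    reqs = {}
    for section in ("require", "require-dev"):
        for name, constraint in composer_json.get(section, {}).items():
            if "/" in name:
                reqs[name] = constraint
    return reqs


def locked_versions(lock):
    """Package -> exact version recorded in the lock (prod and dev sections)."""
    return {
        pkg["name"]: pkg["version"]
        for section in ("packages", "packages-dev")
        for pkg in lock.get(section, [])
    }


def pinned_direct_constraints(composer_json, lock):
    """What 'removing ^ from composer.json' amounts to: each direct constraint
    replaced by the exact version the lock resolved. Only packages composer.json
    names can be pinned this way."""
    versions = locked_versions(lock)
    return {name: versions[name]
            for name in direct_requirements(composer_json) if name in versions}


def transitive_only(composer_json, lock):
    """Packages the lock pins that composer.json never names: the deep deps that
    keep floating once the lock file is dropped, however exact the direct
    constraints are."""
    return sorted(set(locked_versions(lock)) - set(direct_requirements(composer_json)))


def direct_missing_from_lock(composer_json, lock):
    """Direct requirements with no lock entry: composer.json was edited without
    running `composer update`, so a PR build using `composer install` would not
    get what composer.json asks for."""
    return sorted(set(direct_requirements(composer_json)) - set(locked_versions(lock)))


def lock_written_by_older_composer(lock, minimum="2.2.0"):
    """True when the lock's plugin-api-version (the Composer plugin API version
    of the Composer that wrote the file) is below `minimum`."""
    def as_tuple(version):
        return tuple(int(part) for part in version.split("."))
    return as_tuple(lock.get("plugin-api-version", "0.0.0")) < as_tuple(minimum)


if __name__ == "__main__":
    print("pinned by exact direct constraints:", pinned_direct_constraints(COMPOSER_JSON, COMPOSER_LOCK))
    print("pinned only by the lock file:", transitive_only(COMPOSER_JSON, COMPOSER_LOCK))
    print("direct deps missing from lock:", direct_missing_from_lock(COMPOSER_JSON, COMPOSER_LOCK))
    print("lock written by Composer < 2.2:", lock_written_by_older_composer(COMPOSER_LOCK))
```

On the constructed sample, pinning the two direct constraints still leaves nikic/php-parser and webmozart/path-util free to move, which is the "deep deps" point. In terms of the builds discussed above, a PR build that runs `composer install` honours the committed lock, while a master build that runs `composer update` resolves the constraints afresh and gets the bleeding-edge tools.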