-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BC: Composer 2.5.0
introduces new dependency resolution that may cause issues
#11264
Comments
2.5.0
introduces new dependency resolution that may cause issues
Might be a silly question, but I think that it probably would be important context for this behaviour. Curious because I could see this behaviour being expected if you have However, if the stability is set to |
@mallardduck I've edited the issue description specifying that Laravel applications use the |
@nunomaduro and with Composer 2.4.4 what happens? It would pick As far as I understand it, if it picks the dev version despite having prefer-stable true it is because there is no other choice than the dev version, so it's still preferable to not being able to require at all IMO.. |
You would get something like this:
I acknowledge your viewpoint and likely concur with it. However, the concern at hand is not whether the new behavior is better or worst, but rather that there is an unexpected change in behavior for those who trusted that specifying "minimum-stability": "dev" would not result in the installation of branches in draft or early stages of development. To provide context, there are currently millions of Laravel applications utilizing "minimum-stability": "dev". This means that when Laravel 10 is released in February, developers may run composer update and receive versions of their dependencies that they believe are compatible with Laravel 10, but may not be due to the new behavior potentially installing branches in draft or early stages of development. |
Sorry but nobody here ever said that. That's a misunderstanding on your/Laravel's end IMO. dev is dev, and if you set I disagree this as anywhere near a BC break, it's a convenience feature which actually resolves issues for many users. For example people on Laravel 8 right now where previously Composer would have guessed a version of the new dependency that may be too high and might require Laravel 9 already, now with Composer 2.5 it will get to the correct one. So one question is can we do anything to help? And I am not sure what would be an appropriate solution yet.. The other question is why are you still shipping with this default of min stability dev? Can that go away somehow? It's fine to opt-in to this on a per project basis if you know what you are doing but as a default it seems like it's bound to hurt people by forcing them on to the bleeding edge. |
We ship with the default of
We were not forcing them. Users still had to specify those draft or early stages of development in their
The optimal outcome for us, and for the numerous Laravel applications with |
Please don't revert to the previous behavior as the new one makes using composer require way better for deps with complex requirements. I suppose we could add some logic to reject auto-selecting a dev-stability dep. That would fix the use case for Laravel without breaking the improvement. Dunno if it's worth the added logic. |
That's another misunderstanding IMO. If you explicitly require a dev version of something Composer will implicitly add a flag for that dependency allowing it to be installed in dev (e.g. requiring
That sounds like a giant BC break/change of assumptions. I think yes as @nicolas-grekas says maybe we could reject what seems like feature branches (or just reject any non-numeric dev versions) for the purposes of the require command. I am not sure how feasible this is though. It still sounds to me like the problem is slightly overstated.. As you go from Composer 2.4 "cannot find a package that works" to 2.5 "here we found this dev package.. it may be WIP but you asked for dev so you get what you ask for". Sure it may lead to breakage if people don't test anything, but is it worse than not being able to install a package at all? |
I have an idea however it would require changes to Packagist and subsequent opt-in setting changes for projects. If projects had the ability to exclude branches from being discovered by Packagist - then they could opt-in to blocking all This option still leaves the possibility that someone who does want unstable code for testing can use the |
Regardless of the outcome in this issue, we are currently updating our Laravel skeletons to have a minimum-stability of "stable". Additionally, we are writing a blog post that recommends our users to change their minimum-stability from "dev" to "stable" to prevent potential issues in the future. |
Ok this is the best I got to mitigate the issue please take a look :) #11270 |
@Seldaek That's indeed an improvement already. |
As of Composer
^2.5.0
(#11160), it is now possible to resolve dependencies in a new way that was not previously possible. Here's an example assuming the following:By running the command:
> composer require third-party/package
The user will get:
Using version dev-feat/laravel-9-support for third-party/package
It is crucial to keep in mind that this functionality may result in confusion for the user in specific scenarios, and there is a high likelihood that it will disrupt existing CI processes that take actions — such as deployments, testing results, automatic releases — based on the resolution of those dependencies.
EDIT 1: It's worth noting that in the example given, as well as in all Laravel applications, the following settings are typically set in the composer.json file:
It is a topic of debate whether these settings should be present in Laravel applications, however, it is important to note that the example provided earlier (the third-party/package) would not have been possible when using Composer
2.4.4
.EDIT 2: Just pointing out, that even if the
dev-feat/laravel-9-support
gets merged onmaster
- the branch used to tag releases - previously composer would never resolvedev-master
while now, it installsdev-master
with the following message:Using version ^1.0@dev for third-party/package
for example.The text was updated successfully, but these errors were encountered: