See if we can leverage composer's outdated command

[jeffwidman]

composer supports an outdated command which we may potentially be able to leverage to see which libraries are outdated.

The output has sections for both direct and transitive deps, and it supports a --major-only flag to show only packages with major version updates.

I am not familiar enough with the Dependabot composer implementation, but I know we use composer as a library for native helpers... if we do check outdated at all, it'd be convenient if we could flip to directly calling composer cli with some of these flags.

See also:

• See if we can leverage composer 2.4's new bump feature #5719
• Upgrade composer to 2.4 #5720

[jeffwidman]

Per @driskell 's feedback here, directly calling the composer CLI has some hurdles.

But even sticking with the library, we may still be able to leverage the underlying PHP functions that are used in outdated... Or we may even already do this, I'm not really sure. 🤷‍♂️

[driskell]

Outdated would work to check what needs running through the update. But I remember from testing the “is there an update available?” part of the dependabot update was not slow at all. If you had a drupal repository with lots of packages with no updates needed it would run through super quick. It only time out if there was updates as each package update would take some time to resolve the package set after updating.

[jeffwidman]

Gotcha. So this wouldn't be a performance win, but may provide a small maintenance win... not sure. I'll leave this open in case someone want to play with it at some point... I know I'd like to do it at some point, but it's not urgent and probably won't actually happen until we have some other need to refactor the composer check.

[jeffwidman]

I looked into this a little more, and it doesn't really make sense right now to do this... maybe down the road it might, but what we've got works well enough.