New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Commit composer.lock and platform version #66
Conversation
While it's a very interesting approach, I don't like the idea of being locked into a specific version (say 7.0.8) if I'm running 7.1 or 7.2, it might lead to receiving "outdated" versions of the dependencies. I'm not exactly sure how else to do this neatly though. Would it help to specify the minimum patch versions in the requires instead? Perhaps a It seems like the original issue is somewhat related to this: composer/composer#7273 |
This PR is for branch 3.4. |
I don't think this is a good idea. When I run I agree that configuring the PHP version in the platform config is a good idea to make sure it matches the production system but you have to do that in your local project not in the skeleton. |
@Toflar what matters is the time to first success. You will not have "wrong" dependencies, you will have dependencies that work on 7.2 also. And the skeleton is just the starting point, which we lock here to make it stable and fast to bootstrap. |
If I were to use phpunit as dependency (which it is, because my tests depend on the public API of it), I would get an old version of phpunit though, @Toflar does have a valid point on that: https://github.com/sebastianbergmann/phpunit/blob/c1a87c0a4d9457c8ca051ef8b0b8aac0339207a9/composer.json#L24 For developers less experienced with package management/composer or development in general, this might cause more problems than it solves in performance, as they will not receive the dependencies they'd expect. |
No, that's not true. Think about a dependency that defines requires like so: "require": {
"php": ">7.0 <7.2",
} because it uses something that explicitly only works for PHP 7.0.* and 7.1.*. I would get the dependency even though it fails on my system when I have PHP 7.2.*.
This is an assumption and you don't know if that's true. Using 5.6 and 7.* would have probably served as a better example. Also, you would need to update your It's not a good idea to commit the Regarding the |
That's a skeleton. Dependencies are not random but minimal. This issue doesn't exist with any deps of the skeleton. About Which means I'm still pushing to commit this lock file. |
For newcomers that means it all installs faster now but it probably installs packages with security issues or incompatibilities. For experienced devs it means you have to run Don't get me wrong, I love your efforts on trying to make this experience better but what I think it actually does is that it prefers performance over integrity and that's not a good decision. But that's my 2c, let's see what other devs think 😄 |
impossible: we manage the lock file and we release new version of the skeleton as part of each new version of Symfony. Again, that's not random deps, but deps of the skeleton.
That's a skeleton. You WILL have to use composer very soon. Nothing new here. |
Yeah but what's the point then? I will have to use |
See above:
That is a CRITICAL feature. |
Okay, I see. I can't argue with that. That's the only benefit and I would choose integrity over that any day. But well, I tried... 😄 |
What would the performance be in the following scenarios if you have this composer.json?
|
I have no problem with it, because after starting a project the composer.json file is often modified. |
@iltar I'm not 100% sure to understood your question, but if you're wondering how performance would change by narrowing the version windows (^3.4.12), the answer is not at all: solving the dependencies is not the resource consuming part. What is resource intensive is 1. downloading the json repositories from packagist 2. keeping them in memory. And this has to be done whatever the version windows are. |
Well that means you won't get any updated packages when no new Symfony version is released. There could very well be a dependency of Symfony that does have a security issue and you're not getting it. On the same page, you won't get Doctrine DBAL 2.7, because it only works with PHP 7.1. So the Doctrine version you get won't support MariaDB 10.2… |
Not sure this will work but, did you consider to use some composer events, like For example you can ask user what version to set to composer.json before resolving dependencies:
Or at least display a notice to developers so they will be aware that installed dependencies are not optimal for their environment, and how to change it. |
What we did to avoid this issue in the deprecated Symfony Installer was to automatically remove the |
@javiereguiluz I didn't know about this, thanks for the reminder. I'm mixed on this: on one side locking the platform prevents installing e.g. Doctrine DBAL 2.7 as @aschempp noticed, on the other side removing Still, OK to remove |
By the way, I forgot to say that I like this a lot!! I agree with Nico that the first installation time is a critical metric. A minor question related to this: should we remove PS: I also hope that some day the entire PHP community organizes a joint effort to massively improve Composer's performance. It's sad that Yarn takes a few seconds to do anything and Composer takes so long even for small apps. Of course I'm not complaining about Composer's maintainers. Thanks to them for everything they do 🙏 |
First of all, making things faster is a laudable goal. I like that a lot. Now, how to achieve that (without re-introducing an installer)? Several issues raised in the PR. The first issue is about deps that are not part of "symfony/symfony". They might be updated between two releases, and the lock won't be updated (that was also the case with the Standard Edition). This issue does not really exist for the bare skeleton (this repo) as we only depend on a sub-part of symfony/symfony (+ the polyfill), but it definitely exists for the website skeleton (which depends on Twig, Swiftmailer, Doctrine, ...). The second issue is if you would have had more recent/different dependencies because your version of PHP is different locally (we compute the lock with 7.0.8, but you have PHP 7.2.4). I think this is marginal and not something we want to take into account. We can reconsider if that's really a problem later on. What's important is to not have the With that in mind, I'd like to propose something different from this PR:
By using the cron feature of Travis (where we can nicely get all the PHP versions we need), that should be completely automated. That way, people creating a project will always have the latest versions of all deps, including transitive ones. And a simple WDYT? |
That assumes they do run with the outdated PHP version (like Doctrine ORM 2.7 does not …) |
This is comparing apples and oranges. PHP needs a SAT solver because you can use one class only ever once. Javascript doesn't because you can include the same modules in multiple versions if you work with modules 😄 Optimizing it in the current state is really challenging, I've tried for many, many hours...but this is a discussion for the composer/composer repository. I just wanted to make sure we do not compare PHP's package manager with npm or yarn in this issue 😊 |
@Toflar I don't want to go off-topic too much, but just to give you some more info. Executing
It's only a guess ... but there could be massive opportunities to improve performance here at all levels: I/O, CPU, memory, etc. |
@javiereguiluz and all these should be discussed in composer/composer. |
I like that plan @fabpot :) Here is a first step: https://github.com/symfony/skeleton/tree/composer-update This computes the next version number by incrementing its 4th part, prefixed by the last tag from https://symfony.com/versions.json We now need to make it push the update + tag it somehow. |
First steps ready, Travi now creates pull requests automatically with updated composer.lock files. |
I didn't answer this: the answer is no. ctype and iconv are always enabled, except on maybe on Alpine & custom builds. We really want ppl to have a great experience from start, so that even ppl that do custom things have great perf. So the current situation is by design and desired. |
well, for ctype, it is also related to the fact that the ctype polyfill is quite new. So this might be reconsidered. But I agree about not using the iconv polyfill (thus, it is huge) |
That's not semver-compliant, as I've raised in #70 Why not increment the patch version? It's the right thing to do. |
By locking the platform version we encourage a good practice which prevents people from messing up with a prod server that has a different version than the one on the dev's machine that ran
composer up
.By committing the composer.lock file, we optimize a lot the installation process.
Here is a comparison of a
create-project
with/without the lock file:The difference of duration can be much worse on slower networks.
Process-wise, this will require us to ship a new lock file with each new Symfony version. This feels like something we can automate in the releasing process, and will give us the opportunity to synchronize skeleton's version numbers with Symfony'.
Here is a Blackfire comparison with the website-skeleton:
https://blackfire.io/profiles/compare/42c40cf5-46d0-40df-acf3-94e929482889/graph
This illustrates how much this will improve the experience of installing Symfony for newcomers.