Remove leftover of wikimedia/composer-merge-plugin

LGTM

I reviewed this by applying the patch and then running:
COMPOSER_ROOT_VERSION=9.1.x-dev composer update drupal/core*

The only change was this:

-            "bin": [
-                "bin/composer"
-            ],
             "type": "library",

...Which happens seemingly randomly in various patches and releases, so out of scope and not a concern.

This looks good, but cspell is preventing me from committing it. 😂 We need to make cspell skip these files...

CSPELL: checking all files
/Users/xjm/git/maintainer/composer.json:94:10 - Unknown word (phpcbf)
/Users/xjm/git/maintainer/composer.json:94:20 - Unknown word (phpcbf)
/Users/xjm/git/maintainer/composer.lock:21:18 - Unknown word (shasum)
/Users/xjm/git/maintainer/composer.lock:73:18 - Unknown word (shasum)
/Users/xjm/git/maintainer/composer.lock:79:18 - Unknown word (roundcube)
/Users/xjm/git/maintainer/composer.lock:80:18 - Unknown word (shama)
/Users/xjm/git/maintainer/composer.lock:116:18 - Unknown word (Dolibarr)

(And the list goes on).

Filed #3154594: CSpell is not skipping composer.json and composer.lock, which will prevent committing dependency updates or tagging releases unless --no-verify is used.

Alright, committed to 9.1.x by temporarily commenting out all the cspell stuff locally in our pre-commit hook (because I wanted the other checks to run).

I was surprised that this would cherry-pick cleanly to 9.0.x and pass tests, because at least the versions should be different and therefore the content would theoretically have a different hash?

I tried this:

git checkout 9.0.x
git pull
git cherry-pick -x 9.0.x # Thanks @larowlan
rm -rf vendor
composer install
COMPOSER_ROOT_VERSION="9.0.x-dev" composer update drupal/core*

This resulted in the following diff:

diff --git a/composer.lock b/composer.lock
index 240193b8d3..be36ddb9da 100644
--- a/composer.lock
+++ b/composer.lock
@@ -461,7 +461,7 @@
             "dist": {
                 "type": "path",
                 "url": "core",
-                "reference": "e3d324da27c1060f5f9982ee20aa7f9845303fd2"
+                "reference": "5bd6798a64831fa08a343a14a0ee47127c4cb99f"
             },
             "require": {
                 "asm89/stack-cors": "^1.1",
@@ -697,7 +697,10 @@
             "license": [
                 "GPL-2.0-or-later"
             ],
-            "description": "Drupal is an open source content management platform powering millions of websites and applications."
+            "description": "Drupal is an open source content management platform powering millions of websites and applications.",
+            "transport-options": {
+                "relative": true
+            }
         },
         {
             "name": "drupal/core-project-message",
@@ -705,7 +708,7 @@
             "dist": {
                 "type": "path",
                 "url": "composer/Plugin/ProjectMessage",
-                "reference": "cad5c2853f5b733663dcc1be328f80ee233acc30"
+                "reference": "b4efdbe26634b41a1b89e4f3770a8074769088a6"
             },
             "require": {
                 "composer-plugin-api": "^1.1 || ^2",
@@ -727,7 +730,10 @@
             "homepage": "https://www.drupal.org/project/drupal",
             "keywords": [
                 "drupal"
-            ]
+            ],
+            "transport-options": {
+                "relative": true
+            }
         },
         {
             "name": "drupal/core-vendor-hardening",
@@ -735,7 +741,7 @@
             "dist": {
                 "type": "path",
                 "url": "composer/Plugin/VendorHardening",
-                "reference": "3732b3fa7c1db63f41bc72d847793ea8aebf7735"
+                "reference": "d54f0b3cc8b4237f3a41a0860a808db242f9da9e"
             },
             "require": {
                 "composer-plugin-api": "^1.1 || ^2",
@@ -757,7 +763,10 @@
             "homepage": "https://www.drupal.org/project/drupal",
             "keywords": [
                 "drupal"
-            ]
+            ],
+            "transport-options": {
+                "relative": true
+            }
         },
         {
             "name": "egulias/email-validator",
@@ -6568,5 +6577,6 @@
     "prefer-stable": true,
     "prefer-lowest": false,
     "platform": [],
-    "platform-dev": []
+    "platform-dev": [],
+    "plugin-api-version": "1.1.0"
 }

All that looks an awful lot like the out-of-scope fluff that got added when we fixed #3153677: Lockfile hash is wrong in 8.9.x since 8.9.1, causing test failures on PHP 7.3+, but at least the content-hash isn't changing. So it does look like this is an OK cherry-pick to 9.0.x. I guess we need a separate followup issue for the fluff.

Meanwhile, setting PTBP for an 8.9.x version. Thanks!

8.9 patch looks good. Although I'm concerned funding additions may add major risk of conflicts, but probably best to just quickly get it in then.

Hmm, interesting. I think we should instead take care of the extra stuff in an 8.9.x version of #3154611: Update composer.lock for 9.0.x and 8.9.x based on Composer 1.10 output, and postpone the backport on that. Otherwise there's weird overlapping scope.

Duplicate of #3135621: Remove wikimedia/composer-merge-plugin remnants from composer.json :(

Back to NR now that that is in.

Oh and making sure @longwave is credited per #15. Also added credit for Nick for making me think about the downsides of mixing up these two different kinds of changes. Thanks!

Looks good.
I will note that does have the random removal of bin/composer lines.

Committed 8186b23 and pushed to 8.9.x. Thanks!