Problem/Motivation

The current composer.json for drupal/tfa restricts paragonie/constant_time_encoding to ^1.0 || ^2.0. This causes Composer conflicts in projects that already require v3, such as those based on drupal/recommended-project with Drupal core 10.2.0 or later. The conflict prevents installation of tfa 1.12.0, but Composer does not report this directly — the update is silently skipped unless you run composer why-not or composer require --dry-run.

Proposed resolution

Update the version constraint to:

"paragonie/constant_time_encoding": "^1.0 || ^2.0 || ^3.0"

This allows compatibility with modern Drupal setups while preserving support for older PHP versions.

Steps to reproduce

  1. Use a project based on drupal/recommended-project with Drupal core 10.2.0 or later
  2. Ensure the project requires paragonie/constant_time_encoding:^3.0
  3. Run composer update drupal/tfa --with-all-dependencies
  4. Observe that the update to tfa 1.12.0 is silently skipped
  5. Run composer why-not drupal/tfa 1.12.0 or composer require "drupal/tfa:1.12.0" --dry-run to reveal the version conflict

Justification

  • The Encoding class and methods used by tfa are unchanged in v3
  • Manual inspection confirms compatibility
  • This change unblocks Composer updates and avoids unnecessary conflicts

Related issues

  • #3498141: Previous Composer conflict due to missing dependency declaration

Issue fork tfa-3551511


Comments

seeduardo created an issue.

seeduardo changed the visibility of the branch 3551511-expand-paragonieconstanttimeencoding-version to hidden.

seeduardo changed the visibility of the branch 8.x-1.x to hidden.

seeduardo

Status: Active » Needs review

seeduardo

Issue summary: View changes

cmlara

Category: Bug report » Feature request
Status: Needs review » Needs work
Related issues: +#3353326: Remove TOTP/HOTP plugins from TFA module (adding was a regression)

Looking at a new project created as described, drupal/recommended-project does not appear to require paragonie/constant_time_encoding or block ^2. This appears to be normal Composer operation and a local constraint conflict, caused by adding an additional conflict in step 2 of the reproduction example.

christian-riesen/otp >= 2.4.0 only supports ^1 || ^2.

^3 would lock back to christian-riesen/otp:2.3.0 (see https://git.drupalcode.org/issue/tfa-3551511/-/jobs/6875247#L88).

While we support the older API I'm not sure we want TFA "encouraging" composer to allow this rollback when we would want to prefer the newer versions.

At a minimum we would want the tests to use ^2.7.

This does point out another reason that having the plugins not be part of the main TFA library would allow more flexibility (ref: #3353326: Remove TOTP/HOTP plugins from TFA module (adding was a regression)).

I'm inclined to believe we should won't-fix this unless christian-riesen/otp has plans to support ^3.
I will additionally note our 2.x branch will not depend upon either of these packages directly.
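
The two constraint situations discussed in this issue, the reproduction steps in the summary (tfa's "^1.0 || ^2.0" against a root project requiring "^3.0") and the christian-riesen/otp rollback cmlara describes above, can be checked with a small model of Composer's caret operator. The following is an added Python example, not code from the tfa module or from this issue's fork. It assumes: only caret constraints joined with "||" are modeled; the release lists are constructed samples rather than the packages' real release histories; and christian-riesen/otp 2.3.0 is modeled as admitting constant_time_encoding 3.x only because the comment reports Composer locking back to it under ^3 (its actual constraint is not on the page). The function names (installable_with, highest_otp) are the example's own.

```python
"""Caret-constraint model of the Composer conflict described in this issue.

Composer's caret operator: ^1.0 means >=1.0.0 <2.0.0, ^0.3 means >=0.3.0 <0.4.0.
Only caret constraints joined with '||' are modeled here.
"""
import re


def parse_version(text):
    """'2.6.3' -> (2, 6, 3); a leading 'v' and missing components are tolerated."""
    parts = [int(p) for p in re.sub(r"^v", "", text).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def caret_range(constraint):
    """'^1.0' -> ((1, 0, 0), (2, 0, 0)): inclusive lower bound, exclusive upper bound."""
    major, minor, patch = parse_version(constraint.lstrip("^"))
    if major > 0:
        upper = (major + 1, 0, 0)
    elif minor > 0:
        upper = (0, minor + 1, 0)
    else:
        upper = (0, 0, patch + 1)
    return (major, minor, patch), upper


def satisfies(version, constraint):
    """True if `version` matches any alternative of '^a || ^b || ...'."""
    v = parse_version(version)
    for alternative in constraint.split("||"):
        alternative = alternative.strip()
        if not alternative.startswith("^"):
            raise ValueError(f"only caret constraints are modeled: {alternative!r}")
        lower, upper = caret_range(alternative)
        if lower <= v < upper:
            return True
    return False


def allowed_versions(candidates, constraints):
    """Candidates that satisfy every constraint; empty means an unresolvable conflict."""
    return [c for c in candidates if all(satisfies(c, k) for k in constraints)]


# Constraints quoted from the issue summary and the reproduction steps.
TFA_CURRENT = "^1.0 || ^2.0"
TFA_PROPOSED = "^1.0 || ^2.0 || ^3.0"
ROOT_REQUIRE = "^3.0"  # what step 2 of the reproduction adds to the root composer.json

# Constructed sample of paragonie/constant_time_encoding releases (not the real release list).
CTE_RELEASES = ["1.1.0", "2.6.3", "2.7.0", "3.0.0"]

# Constructed model of what each christian-riesen/otp release requires of
# constant_time_encoding. The comment states >= 2.4.0 supports only ^1 || ^2;
# 2.3.0 is modeled as admitting 3.x because the comment reports Composer
# locking back to it under ^3 (assumption: its real constraint is not on the page).
OTP_MODEL = {
    "2.3.0": "^1.0 || ^2.0 || ^3.0",
    "2.4.0": "^1.0 || ^2.0",
    "2.7.0": "^1.0 || ^2.0",
}


def installable_with(tfa_constraint, root_constraint=ROOT_REQUIRE):
    """constant_time_encoding versions acceptable to both tfa and the root project."""
    return allowed_versions(CTE_RELEASES, [tfa_constraint, root_constraint])


def highest_otp(tfa_constraint, root_constraint):
    """Newest otp release whose own constraint can still be satisfied, or None."""
    viable = [
        otp for otp, otp_constraint in OTP_MODEL.items()
        if allowed_versions(CTE_RELEASES, [tfa_constraint, root_constraint, otp_constraint])
    ]
    return max(viable, key=parse_version) if viable else None


if __name__ == "__main__":
    print("tfa ^1||^2 with root ^3    :", installable_with(TFA_CURRENT))   # [] -> conflict
    print("tfa ^1||^2||^3 with root ^3:", installable_with(TFA_PROPOSED))  # ['3.0.0']
    print("otp chosen when root pins ^3  :", highest_otp(TFA_PROPOSED, "^3.0"))  # 2.3.0 rollback
    print("otp chosen when root allows ^2:", highest_otp(TFA_PROPOSED, "^2.0"))  # 2.7.0
```

The empty result for the current constraint is the situation composer why-not reports: no single constant_time_encoding version satisfies both tfa and the root project, so the tfa update is simply left out of the solution. The second pair of calls shows the trade-off raised in the review: once 3.x is admitted and the root project pins it, the only otp release left in the model is 2.3.0, whereas a root project that stays on 2.x keeps the newest otp. The model reports the set of viable versions; it does not reproduce Composer's preference ordering among them.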