(This is a topic that has been raised in passing in a few other issues - but so that it does not get lost, it seemed like a good idea to create a separate issue).

There are (at least) two options for how we specify versions of dependencies in Drupal's core/composer.json:

  1. <dependency> Major.Minor.* - what we're doing now.
  2. <dependency> Major.Minor.KnownGoodPatch1-Major.Minor.KnownGoodPatch2- specifying a range of known good patch versions.

And yes - Drupal already has a composer.lock in the repo - so generally speaking most users will get the exact version in the lock file. (And for security updates in dependencies they will need to manually composer update <dependency>.

However - in any project where Drupal core is just another component being required, and not the main composer project - Drupal's composer.lock will be ignored, and the larger projects composer.json will pull in dependencies from Drupal core's composer.json.

So with the wildcard patch versioning that is currently used - when Drupal is required in a larger project - the latest patch versions will be installed and added to the larger projects composer.lock. These may well be untested versions, which, even though a patch release SHOULDN'T break things, might break Drupal. This has happened before: see #2414235: Upgrade to Symfony 2.6.4. If we specify version ranges in composer.json - we can ensure that even when Drupal is required as part of a larger project - the dependencies are restricted to only patch versions that we have tested. However, if later patch versions of dependencies become desirable, users requiring Drupal would not get those versions unless Drupal has had a release with an updated composer.json with the expanded patch range OR they manually compser update <dependency> in their project. (A behavior which they will likely have to do from time to time anyway to respond to security releases).

Next Steps:

Answer the question:
Is it better to specify wild card patch versions of dependencies in composer.json and accept the possibility of a future patch release of a dependency(untested dependencies) breaking Drupal - or is it better to specify version ranges and understand that we will have to roll new releases to update that range?

Some additional reading:
http://stackoverflow.com/questions/25055161/composer-two-packages-confli...
http://stackoverflow.com/questions/21052831/how-to-solve-two-packages-re...
https://github.com/composer/composer/issues/2609

Comments

hestenet created an issue. See original summary.

hestenet’s picture

hestenet
He/Him
Location Portland, OR 🇺🇸
CreditAttribution: hestenet at Drupal Association commented

Some notes on this issue from a community composer call - where the conversation leaned heavily away from specifying ranges in core:

@Jordi(of Packagist): I think the best solution is: Run a daily test of the latest release against the latest versions of all dependencies - that will at least alert you if a patch level change in a dependency broke something and you can roll a patch release or whatever is needed.

@Webflo: Alternately - we could use this new idea of meta-packages. By converting the drupal core composer.lock into a meta-package..

  • You can create a 'strict' release where the composer.json will require pinned versions of the known working dependencies.
  • You can also publish a non-strict that will use the normal lock and allow the latest patch releases to be included.
  • Users of strict can then manually manage individual dependencies they may want to upgrade.
webflo’s picture

webflo CreditAttribution: webflo at UEBERBIT GmbH commented

The strict core build script is available on https://github.com/webflo/drupal-core-strict and https://packagist.org/packages/webflo/drupal-core-strict

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.0-beta1 was released on March 2, 2016, which means new developments and disruptive changes should now be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Mile23’s picture

Mile23
Primary language English
Location Seattle, WA
CreditAttribution: Mile23 as a volunteer commented
Status: Active » Closed (outdated)

We eventually settled on open-ended constraints (not a range).

We also added a drupal/core-recommended metapackage which is basically the core lock file.

Marking this as closed, outdated.

Mile23’s picture

Mile23
Primary language English
Location Seattle, WA
CreditAttribution: Mile23 as a volunteer and at CivicActions commented