Ensure all minor versions in composer.json match composer.lock [#2899106]

Problem/Motivation

A follow-up to #2874817: Update zendframework/zend-diactoros from 1.3.10 to 1.4.0 and #2864037: [META] Update core PHP dependencies.

In composer.lock, zendframework/zend-diactoros is listed as ^1.4.0. However, in core/composer.json, it is listed as ^1.1. While the issues arising from this are typically minor, this version discrepancy should be resolved to maintain synchronicity between composer.lock and core/composer.json.

The scope of this issue has expanded to include any and all minor version discrepancies between composer.json and composer.lock as discussed in IRC with mpdonadio and dawehner.

Proposed resolution

Update composer.json to list version ^1.4.0 for zendframework/zend-diactoros.
Check to make sure there are no other minor version discrepancies between composer.json and composer.lock.

Table of dependencies

Note: Due to their release frequency, patch versions are not considered in this table; only minor versions are.

Package	composer.lock version	composer.json version	Notes
`asm89/stack-cors`	`1.1.0`	`^1.1`	No action needed
`composer/installers`	`v1.2.0`	`^1.0.24`	See patch in #7
`composer/semver`	`1.4.2`	`^1.0`	See patch in #7
`doctrine/annotations`	`v1.2.7`	`^1.2`	No action needed
`doctrine/common`	`v2.6.2`	`^2.5`	See patch in #7
`easyrdf/easyrdf`	`0.9.1`	`^0.9`	No action needed
`egulias/email-validator`	`1.2.14`	`^1.2`	No action needed
`guzzlehttp/guzzle`	`6.2.3`	`^6.2.1`	See patch in #7
`masterminds/html5`	`2.2.2`	`^2.1`	See patch in #7
`paragonie/random_compat`	`v2.0.10`	`^1.0\|^2.0`	No action needed
`stack/builder`	`v1.0.4`	`^1.0`	No action needed
`symfony-cmf/routing`	`1.4.0`	`^1.4`	No action needed
`symfony/class-loader`	`v3.2.8`	`^3.2`	No action needed
`symfony/console`	`v3.2.8`	`^3.2`	No action needed
`symfony/dependency-injection`	`v3.2.8`	`^3.2`	No action needed
`symfony/event-dispatcher`	`v3.2.8`	`^3.2`	No action needed
`symfony/http-foundation`	`v3.2.8`	`^3.2`	No action needed
`symfony/http-kernel`	`v3.2.8`	`^3.2`	No action needed
`symfony/polyfill-iconv`	`v1.3.0`	`^1.0`	See patch in #7
`symfony/process`	`v3.2.8`	`^3.2`	No action needed
`symfony/psr-http-message-bridge`	`v1.0.0`	`^1.0`	No action needed
`symfony/routing`	`v3.2.8`	`^3.2`	No action needed
`symfony/serializer`	`v3.2.8`	`^3.2`	No action needed
`symfony/translation`	`v3.2.8`	`^3.2`	No action needed
`symfony/validator`	`v3.2.8`	`^3.2`	No action needed
`symfony/yaml`	`v3.2.8`	`^3.2`	No action needed
`twig/twig`	`v1.32.0`	`^1.23.1`	See patch in #7
`wikimedia/composer-merge-plugin`	`v1.4.0`	`^1.4`	No action needed
`zendframework/zend-diactoros`	`1.4.0`	`^1.1`	See patch in #2
`zendframework/zend-feed`	`2.7.0`	`^2.4`	Needs update
`behat/mink`	`dev-master`	`1.7.x-dev`	See note in #7
`behat/mink-goutte-driver`	`v1.2.1`	`^1.2`	No action needed
`jcalderonzumba/gastonjs`	`v1.0.2`	`^1.0.2`	No action needed
`jcalderonzumba/mink-phantomjs-driver`	`v0.3.1`	`^0.3.1`	No action needed
`mikey179/vfsStream`	`v1.6.4`	`^1.2`	See patch in #7
`phpunit/phpunit`	`4.8.35`	`>=4.8.35 <5`	No action needed

Remaining tasks

Patch
Review
Commit

User interface changes

None

API changes

None

Data model changes

None

Comment	File	Size	Author
#7	interdiff-2899106-2-7.txt	1.96 KB	prestonso
#7	2899106-7.patch	1.96 KB	prestonso
#7	8.5.x: PHP 5.6 & MySQL 5.5 22,090 pass, 1 fail
#2	2899106-1.patch	506 bytes	prestonso
#2

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

1 August 2017 at 18:42

prestonso created an issue. See original summary.

Comment #2

prestonso CreditAttribution: prestonso commented 1 August 2017 at 18:52

Title:	Update zendframework/zend-diactoros from 1.1 to 1.4.0 in core/composer.json	» Ensure all minor versions in composer.json match composer.lock
Assigned:	Unassigned	» prestonso
Issue summary:	View changes

File	Size
2899106-1.patch	506 bytes

Here is a patch for review to address zendframework/zend-diactoros. Also updating the IS to reflect new scope as discussed on IRC with @mpdonadio and @dawehner.

Assigning to myself to check for any discrepancies between composer.json and composer.lock.

Comment #3

dawehner

German

CreditAttribution: dawehner as a volunteer and at Chapter Three commented 1 August 2017 at 19:07

Totally + 1 for this change, otherwise people using composer might not get the up to date version, but they probably get it already.

Comment #4

1 August 2017 at 19:07

Version:

8.4.x-dev

» 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #5

prestonso CreditAttribution: prestonso commented 1 August 2017 at 20:17

Issue summary:	View changes
Related issues:		+#2864037: [META] Update core PHP dependencies

Updated IS to include a table of dependencies and discrepancies between core/composer.json and composer.lock.

Patch forthcoming.

Comment #6

mpdonadio

he/him

English

Philadelphia/PA/USA (UTC-5)

CreditAttribution: mpdonadio at DiD Agency commented 1 August 2017 at 20:28

+++ b/core/composer.json
@@ -29,7 +29,7 @@
-        "zendframework/zend-diactoros": "^1.1",
+        "zendframework/zend-diactoros": "^1.4.0",

For the sake of consistency, probably want "^1.4", the point versions are mostly there on purpose.

And for the sake of discussion, do we want to do something like

+++ b/core/composer.json
@@ -29,7 +29,7 @@
-        "zendframework/zend-diactoros": "^1.1",
+        "zendframework/zend-diactoros": "^1.4 <1.5",

to limit to the minor version? People are using webflo/drupal-core-strict to avoid problems with incompatible dependencies; some < constraints may help here.

We should probably have a -test-only.patch where we recreate the composer.lock (ie, delete it and then `composer install`) and make sure we have a passing run.

Comment #7

prestonso CreditAttribution: prestonso commented 1 August 2017 at 20:46

Assigned:	prestonso	» Unassigned
Issue summary:	View changes
Status:	Active	» Needs review

File	Size
2899106-7.patch	1.96 KB
8.5.x: PHP 5.6 & MySQL 5.5 22,090 pass, 1 fail
interdiff-2899106-2-7.txt	1.96 KB

New patch ready for review. This takes #6 into account while it's still under discussion. I agree that < constraints would alleviate issues people are seeing.

Next: a -test-only patch (after deleting composer.lock and running composer clear-cache); great suggestion!

Also, I checked the behat/mink repository. There is no stable version after 1.6.0, meaning that 1.7.x-dev is the most up-to-date state of that dependency.

Comment #8

prestonso CreditAttribution: prestonso commented 1 August 2017 at 20:49

Issue summary:

View changes

Updating IS with status of each recorded discrepancy.

Comment #9

1 August 2017 at 21:46

Status:

Needs review

» Needs work

The last submitted patch, 7: 2899106-7.patch, failed testing. View results

Comment #10

prestonso CreditAttribution: prestonso commented 2 August 2017 at 12:18

Assigned:

Unassigned

» prestonso

Failure looks to be due to composer.lock not matching entirely. This might not be possible given that the generated timestamp changes on each generation of composer.lock. Working on this again.

Also, an initial diff between a composer.lock generated through the following steps and the composer.lock under version control indicates that this patch needs much more work. I won't post the -test-only.patch to save testbot the pain :)

git apply -v --index 2899106-7.patch
rm composer.lock
composer clear-cache
composer install
git diff 8.4.x -- composer.lock

Comment #11

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 6 August 2017 at 19:32

+1 on #6. I made a test in #2887000-57: composer.json does not constrain Symfony components to minor and patch versions that are compatible with Drupal to semi-automate testing our composer requirements.

Once we have good constraints, this issue could just say composer update and then commit the lock file.

Comment #12

teohhanhui CreditAttribution: teohhanhui as a volunteer commented 19 September 2017 at 12:37

Watch out for BC breaks in https://github.com/zendframework/zend-diactoros/pull/270

Comment #13

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 19 September 2017 at 17:25

We just did these: #2900112: Update non-Symfony dependencies in lock file before 8.4.0 #2909743: Again update non-Symfony dependencies in lock file before 8.4.0

Still kind of meh on this issue. If we can allow, for instance, composer/installers 1.0.0 then we should. (And we can.)

Comment #14

19 September 2017 at 17:25

Version:

8.5.x-dev

» 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #15

Mixologic

He/Him/His

English

Portland, OR

CreditAttribution: Mixologic at Drupal Association commented 5 June 2018 at 15:30

Issue tags:

+Composer

Comment #16

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 5 June 2018 at 16:11

Doing some work to get passing builds in composer update min/max testing here: #2976407: Use drupalci.yml for composer dependency min/max testing - DO NOT COMMIT

Comment #17

5 June 2018 at 16:11

Version:

8.6.x-dev

» 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #18

5 June 2018 at 16:11

Version:

8.7.x-dev

» 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #19

5 June 2018 at 16:11

Version:

8.8.x-dev

» 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.