Problem/Motivation
Drupal is using a dev release, 1.3.x-dev, of the project behat/mink-selenium-driver2 (minkphp/MinkSelenium2Driver on GitHub).
Recently, all previous Drupal releases based on webflo/dupal-core-dev-dependencies broke because behat/mink-selenium-driver2 opened their 1.4.x-dev release. The 1.3.x release was never an actual branch in mink-selenium-driver2; it only existed in Packagist due to the fact that there was a 1.3.x-dev branch alias created for dev-master in the project's composer.json file. When this branch alias was changed to 1.4.x-dev, the old 1.3.x-dev branch became no longer resolvable. The problem is described minkphp/MinkSelenium2Driver#313.
Drupal is also vulnerable to the same sort of defect causing similar problems in the future due to the fact that we depend on a dev version of behat/mink. The version we currently depend on, 1.7.x-dev, is also only resolvable due to a branch alias directive in the composer.json file of minkphp/Mink (exported to Packagist as behat/mink). When minkphp/Mink opens their 1.8.x branch, all old Drupal builds pinned to 1.7.x-dev will break.
Proposed resolution
We should use a stable release of behat/mink
and behat/mink-selenium2-driver
. The latest available stable releases do not have the features used/needed by Drupal core. Once the stable release of behat/mink-selenium2-driver is tagged (See: minkphp/MinkSelenium2Driver#311), we should update our version constraints to use it.
Workarounds
The upstream project has created a persistent 1.3 branch, so it is no longer necessary to do anything to fix this problem in local Drupal sites. If you have already applied a workaround, you should remove it now.
Also, most projects do not actually need webflo/drupal-core-require-dev; you may simply remove it from your require-dev
section and then run composer update
to remove these dev references from your site.
Remaining tasks
- We need stable releases of
behat/mink
andbehat/mink-selenium2-driver
so that we can put together a patch that will have lasting effect. - We have a post-update-cmd in
composer/Composer.php
and a test incore/tests/Drupal/Tests/Composer/ComposerTest.php
that may be removed once we have a stable release ofbehat/mink-selenium2-driver
.
Follow-on Tasks
- Consider setting the minimum stability for drupal/drupal to "stable". This may need to be done in Drupal 9.
User interface changes
None.
API changes
None.
Data model changes
None.
Release notes snippet
Drupal is now using stable releases for behat/mink (1.8.0) and behat/mink-selenium2-driver (1.4.0).
Comment | File | Size | Author |
---|---|---|---|
#141 | 3078671-8.8.x-141.patch | 14.66 KB | jungle |
#127 | 3078671-8.9.x-127.patch | 15.46 KB | alexpott |
Comments
Comment #2
rodrigoaguileraLet's try some tests
Comment #3
rodrigoaguileraFor reference the way the constraint is defined in the composer.json is generating issues for the composer template
https://github.com/drupal-composer/drupal-project/issues/511
Comment #4
dxvargas CreditAttribution: dxvargas commentedIt works!
It should be quickly addressed because "behat/mink-selenium2-driver": "1.3.x-dev" was removed, discussion goes here.
Comment #5
hoebekewim CreditAttribution: hoebekewim at SQLI - Belgium commentedIsn't it better to remove this dev dependency and use the 1.3.1 instead to avoid this in the future ?
Comment #6
dxvargas CreditAttribution: dxvargas commented@hoebekewim the proposed patch is not using a dev dependency, it is "^1.4". So it's good, right?
Comment #7
rodrigoaguilera1.3.1 was not enough because Drupal needed some features that were added to the branch after the release so we need to jump to 1.4.0
Comment #8
Simon Peacock CreditAttribution: Simon Peacock commentedThe Priority of this should be changed to critical as new builds cannot be installed.
This is also affecting 8.7
Comment #9
Thangobrind CreditAttribution: Thangobrind commentedAgree with @simon-peacock.
The inability to install seems pretty critical to me.
Comment #10
Simon Peacock CreditAttribution: Simon Peacock commentedAdding patch for 8.7
Comment #11
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented1.4.x-dev
is definitely not the same as^1.4
. We should use the later, because that will select stable releases only.1.4.x-dev
is likely to break again ifbehat/mink-selenium2-driver
keeps deleting their dev branches. Ostensibly they shouldn't be doing that, but we can avoid problems if we stick to stable releases. As we always should.Comment #12
Simon Peacock CreditAttribution: Simon Peacock commented@greg.1.anderson
Agreed.
Comment #13
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedThanks for updating the patch. Setting to 'needs review' to run the test.
Comment #14
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedThis will need to go in 8.8.x first though.
Comment #15
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedPatch failed to apply; needs patch for 8.8.x.
Comment #16
Simon Peacock CreditAttribution: Simon Peacock commented@greg.1.anderson
Updating for 8.8 test
Comment #17
Simon Peacock CreditAttribution: Simon Peacock commented@greg.1.anderson
Correcting for 8.8
Comment #18
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedGreat, looks good. Setting to "needs review" while tests run.
Comment #20
Simon Peacock CreditAttribution: Simon Peacock commentedCorrecting hash
Comment #22
mmjvb CreditAttribution: mmjvb as a volunteer commentedSuggest to use "^1.4@dev" as version constrain so you don't depend on having minimum_stability = dev.
Comment #23
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedDepending on a dev release is not a good idea. 1.3.x-dev was used in the past because someone wanted to use a feature that was not available in any stable release of behat/mink-selenium2-driver. Now that there are stable releases on the ^1.4 line, we should use that. In fact, we should also use the stable release of behat/mink, the other component that we are using a dev release of, since it has a stable release now too.
Comment #24
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedHere's a patch that bumps up both behat/mink and behat/mink-selenium2-driver to use stable (non-dev) releases.
Comment #25
mmjvb CreditAttribution: mmjvb as a volunteer commentedAgree with bad idea on depending on dev release. Unfortunately, you have no option here. Where do you see stable release?
Currently, you require the dev release, as soon as 1.4.0 stable is released it is going to be used (if you update).
Comment #26
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedUpdated the issue summary.
Please pay no mind to the fact that I accidentally named my interdiff ".patch" instead of ".txt".
Comment #27
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented@mmjvb: You are right. I thought that there was a 1.4.0 and a 1.4.1 release, but I must have imagined it; there are only dev releases available on the 1.4.x line. I'm going to have to update my issue summary.
I still think that
^1.4
is preferable to^1.4@dev
, because the former will use the stable releases as soon as they are available, whereas the later will continue to use the latest dev release, which is not desirable.I think it would be good to get rid of the minimum stability: dev in the drupal/drupal composer.json file, but we should to that as follow-on work. It might be necessary to wait until Drupal 9 to make that change.
Comment #28
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented@mmjvb: OK, they attempted or began to make a 1.4.0 release in minkphp/MinkSelenium2Driver#313, but no one has made the tag yet. I think we should continue here with ^1.4, commit as soon as possible (to un-break builds, at least on drupal/core 8.8.x), and update our composer.lock with the stable 1.4.0 release when available.
Comment #29
mmjvb CreditAttribution: mmjvb as a volunteer commented^1.4@dev will use 1.4.0 stable as soon as released, obviously you need to update when having resolved to dev release. As soon as 1.4.0 is released the version constraint can become ^1.4, although ~1.4.0 would be more appropriate. Unless you would want to allow for 1.5, 1.6. That is two changes: going from dev to only stable and accepting anything > 1.4.
Comment #30
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedOK, you are right; the
"prefer-stable": true,
option would hold^1.4@dev
to stable releases once they are available. I think that^1.4@dev
still allows for 1.5 releases (stable). In any event, though, unless"minimum-stability": "dev",
is removed (which I would like to see, but as follow-on work),^1.4
also works, and I think that it is clearer.Comment #31
mmjvb CreditAttribution: mmjvb as a volunteer commentedMy minimum_stability is not "dev", with "^1.4" the requirements can't be resolved. Only dev branch available in 1.4 !
Nothing to do with prefer_stable, composer by default takes highest version. Dev branch is considered lowest in the chain: dev,alpha,beta,rc,stable.
Comment #32
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedAh, good point. The requirements here are not only used in drupal/drupal, but they will be copied to webflo/drupal-core-require-dev (which was the original point of this issue) and potentially used with different minimum stabilities.
Unfortunately, ^1.4 is causing errors in Drupal\Tests\views\Functional\Plugin\DisplayTest; we might need to require a specific commit on the 1.3.x branch until that issue can be resolved.
Comment #33
mmjvb CreditAttribution: mmjvb as a volunteer commentedMaybe that can also be fixed upstream, hopefully before release of 1.4.0.
Comment #35
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedI didn't see anything in recent behat/mink-selenium2-driver commits that should have caused this, although the failures are related to behat, so it likely is related in a way that is not readily apparent to me. I'll try the most recent commonly-used commit (from October 2018) and see if that passes here. Everything else in that repo was added in the last week.
Comment #36
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedThe failures might have been caused by updating behat/mink, which I also bumped up in this patch. Here's another version that keeps both projects pinned at the same version they were at before. Getting off the dev release can be done as a follow-on, if this works.
I'll update the issue summary if the tests pass.
Comment #37
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedComment #38
mtodor CreditAttribution: mtodor at Thunder commentedI'm not sure if locking to commit is a good solution. Using commit reference is root-only composer feature.
A lot of projects are using
webflo/drupal-core-require-dev
to get Drupal dev dependencies. When we require that project with requirements to Mink packages with commit references, references will be ignored by the composer and we will always getdev-master
.More info here: https://getcomposer.org/doc/04-schema.md#package-links.
We had a moving target before with
1.3.x-dev
alias. So nothing is changed if we just usedev-master
in future too.Comment #39
mmjvb CreditAttribution: mmjvb as a volunteer commentedThat is what this change is about: go with stable release (tag) instead on moving target (dev branch). Unfortunately, with 1.3 the moving target was needed due to fixes not available is stable releases. Awaiting those fixes to become available in 1.4.0 Stable. When 1.4.0 Stable arrives there is no longer a need to rely on moving target!
Comment #40
tashaharrison80 CreditAttribution: tashaharrison80 at Dennis commentedDue to the severity of this issue should it be pinned for now and then create a new issue to discuss the longer term approach? I suspect this is preventing and disrupting many people.
The release will need to be on 8.7 since this prevents Drupal being built via composer.
Comment #41
Simon Peacock CreditAttribution: Simon Peacock commentedAgree with @tashaharrison80. Plus, 8.8 is not a stable release yet; whereas 8.7 cannot be updated on prod sites or built from composer - this should be the priority.
Comment #42
Simon Peacock CreditAttribution: Simon Peacock commentedI have added a child issue for 8.7:
https://www.drupal.org/project/drupal/issues/3078904
Comment #43
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedWell darn. Since commit references are dev-only features, we have no good option other than to fix #24.
If you switch to dev-master, you will also need to fix #24, so we might as well use ^1.4, which will also give us dev-master today, but will eventually settle on a stable release, once one is available.
I did not isolate the causes of #24. Perhaps if we updated only behat/mink-selenium2-driver, we might discover that all of the failures are due to the behat/mink updates. Going half way leaves us vulnerable to being broken again when behat/mink opens the 1.8.x dev branch.
Also, the issue of webflo/drupal-core-require-dev is a separate but interesting issue. The defect here has been recorded in every single tag of that release from 8.3.0 to 8.7.6. If we fix here in drupal/drupal 8.8.x, and also do the child issue to fix 8.7.x, then the 8.7.7 release of webflo/drupal-core-require-dev will be usable; however, all of the old tags will still be broken, and will remain so forever, unless we rewrite history for webflo/drupal-core-require-dev. That's not something that is usually done, but holding to the normal conventions will only serve to keep most of the tags in that project unusable, save by projects that employ the workaround. If we do rewrite history, then we break every site that used the workaround. This is a discussion we'll need to have in that repo once there is a solution committed in Drupal.
Comment #44
Simon Peacock CreditAttribution: Simon Peacock commented@ greg.1.anderson
Can we not go with the 1.4.x-dev solution?
It's not ideal but will be following on from the equally not ideal situation that has been around for 3+ years.
Comment #45
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented@Simon Peacock: You are right, per #31 we should use
^1.4@dev
, not^1.4
. If we fix only behat/mink-selenium2-driver today, though, we might just break again tomorrow if/when behat/mink switches to their 1.8.x branch. Moving forward with fixes for both behat/mink-selenium2-driver and behat/mink means we fix the four failures in #24. We can't assume those will be fixed in the upstream, because Drupal was depending on unstable dev releases that are not going to be maintained.Our other option here is to fork behat/mink-selenium2-driver and behat/mink, and make our own stable tag on the exact commits we are using. I don't think that's a great idea; fixing the four test failures is a better path. I don't think I'll have time to look at that today, but hopefully someone can pick up that task.
Comment #46
mmjvb CreditAttribution: mmjvb as a volunteer commentedInstead of depending on a dev branch (moving target) depend on a stable with patches. That would have documented what the requirement really is. Looking at the commits since 1.3.1 that still can be done. Just create a patch that contains the needed changes since 1.3.1 and specify the patch and pin on 1.3.1.
Comment #47
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedI don't think that we can patch dependencies in drupal/drupal. I could be wrong about that. We could potentially apply the fix in a post-install hook et. al.
I also made an appeal in the upstream to recreate the 1.3.x-dev tag in a way that would fix the old Drupal stable release tags. They were disinclined earlier, but we will see.
Comment #48
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedI tried using
^1.7@dev
as the version constraint for behat/mink; unfortunately, this does not work for us, because 1.7.1 already exists, and it older than the commit we are using. This syntax behaves differently than1.7.x-dev
, and will downgrade to the available stable release (1.7.1) due to our "prefer dist" setting. Similarly,^1.8@dev
does not work at the moment, because there are no 1.8 tags, and 1.8.x-dev does not map to dev-master.It seems that we are sort of stuck here unless we get stable tags in the upstreams. I made a request for a stable tag in behat/mink. It looks like the upstream projects are amenable to the plan, but we don't know how long it will take.
Comment #49
JohnAlbin> Instead of depending on a dev branch (moving target) depend on a stable with patches.
This is what we do on our Drupal projects when a contrib module's stable version doesn't work, but it's -dev version does work. We depend on the stable version and add the patch file to composer.json.
Depending on a -dev branch breaks stuff, as this issue proves. All point releases of Drupal 8.x that use a -dev in composer.json need to be updated to remove those failing (or about to fail) "requirements".
> That would have documented what the requirement really is.
+1 I'm strongly in favor of self-documenting code.
Comment #50
mmjvb CreditAttribution: mmjvb as a volunteer commentedNo surprise there! 1.7.x-dev is a discrete version (branch or tag), not a version constraint. A version is taken as is. With version constraint you let composer decide what version qualifies. Settings like minimum_stability and prefer_stable influence that decision.
They are not the only ones that have effect, but AFAIK not effected by "prefer dist".
Comment #51
tjtj CreditAttribution: tjtj commentedThe patch failed.
Is there no QA in the Drupal core project? This breaks everyone's sites.
Comment #52
vuilA new perspective which works for me. :) I hope to help everyone.
Comment #53
vuilComment #54
mmjvb CreditAttribution: mmjvb as a volunteer commented@tjtj This is the QA you are participating in. Status Needs Work does mean it is not usable at the moment. Suggest to wait for Needs review and green test results. Actually, RTBC might be the one for you to wait on, even better Fixed.
Comment #55
Simon Peacock CreditAttribution: Simon Peacock commented@ ilchovuchkov
Looks like the patch you have supplied is for 8.7. This issue is for 8.8.
There is a child issue for 8.7.
But it looks like we are waiting to see what happens upstream as @greg.1.anderson has implied above.
Comment #56
Simon Peacock CreditAttribution: Simon Peacock commentedComment #57
mmjvb CreditAttribution: mmjvb as a volunteer commentedWaiting for things to happen upstream sounds like postponed to me!
Comment #58
vuilcomposer.json required changes.
Comment #59
vuilAdd composer.lock as well.
Comment #60
vuilI fix the issue by myself today. I want to help which is need the fix now, and today. :)
Thank you.
Comment #61
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedCommitting #58 would not help anyone install Drupal 8.7.7 or earlier with webflo/drupal-core-require-dev, so my vote would be to wait and do a fix that will be lasting, and commit that before Drupal 8.7.8.
Comment #62
mmjvb CreditAttribution: mmjvb as a volunteer commentedDo we agree here that this issue is about a proper fix and doesn't need any more workarounds?
Do we need committer feedback to veto that?
Comment #63
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedIf someone wants to advocate for #59, the first step is to make the tests pass. Once the tests pass, then someone who did not work on the patch and wants it committed can set the status to "reviewed and tested by the community" (after testing it, of course). After that, a core committer will commit it to core if they agree it is the right thing to do.
I am -1 on committing #59 because it does not help people trying to install 8.7.7. We will probably have stable tags for behat/mink and behat/mink-selenium2-driver shortly. If we do not, then I think we should fork those repositories and use the fork in 8.7.8 and onwards until the stable tags are made available.
Note also that there is a parallel effort to get a 1.3.x-dev branch re-added to behat/mink-selenium2-driver, which will help people trying to install 8.7.7 (and earlier) if successful.
Comment #64
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedMarking "postponed" on upstream stable tags, per consensus in Composer in Core Initiative meeting.
Comment #65
karolrybak CreditAttribution: karolrybak as a volunteer commentedHow is this postponed?? Currently it's not possible to install drupal 8 with composer using instructions from https://www.drupal.org/node/2718229
Comment #66
mmjvb CreditAttribution: mmjvb as a volunteer commentedFor problems with installing drupal-composer/drupal-project use their issue queue. This queue is for drupal !
Comment #67
karolrybak CreditAttribution: karolrybak as a volunteer commentedHey, from official drupal docs:
There are a number of ways that you could install Drupal using composer, however the recommended approach (especially for beginners to Composer) is to use the composer template at drupal-composer/drupal-project.
So maybe we have to update documentation to not include that?
Recommended way to install simply doesn't work now.
Comment #68
mmjvb CreditAttribution: mmjvb as a volunteer commentedIt does work. Just check their issue queue for the workaround!
Please refrain from further derailing this issue!
Comment #69
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented@karolrybak: the correct status for this issue is "postponed" because we are waiting for something outside of this issue to happen (stable tags on the upstream project) before we roll the next patch.
If for some reason someone wanted to advocate to take action on this issue, the right way to do it would be to set the status back to "Needs Work" to vote for fixing the tests in #59, or set the status back to "Needs Review" if a new patch with a new fix is suggested. As previously mentioned, though, committing #59 would not make it easier to install Drupal 8.7.7, so there is no point in changing the issue status to "Needs Work". Similarly, changing the issue status to "Active" is not going to make people work on this issue harder. We're working on it, the work simply isn't happening here at this point in time.
To help folks who are struggling with this problem, I have updated the issue summary with workarounds that can be taken right now to get your site to install with Composer. Please bear with us as we work toward a lasting solution. We should have something ready in time for 8.7.8.
Comment #70
mmjvb CreditAttribution: mmjvb as a volunteer commentedStill missing the policy change for core development: don't require a moving target, use stable release optionally with patches.
As for the follow up: settings minimum-stability and prefer-stable should be removed. At the time this was introduced there was a poor understanding of release management in the eco-system. Currently, there is a much better understanding. The default for minimum-stability is Stable making prefer-stable = true redundant. Allowing anything in development is not something considered appropriate today. You should avoid things in development. When you have no choice you can express that on the version constraint (@dev, @alpha, @beta, @rc) of that particular dependency. With the eco-system now understanding to create Stable releases, they should be used. Needing something in development should be the exception and specified on the dependency version constraint.
Comment #71
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented+1 to #70.
Comment #72
karolrybak CreditAttribution: karolrybak as a volunteer commentedI'm aware of the workaround, but why do we even need those external packages like selenium to install d8 in a recommended way? It's clearly getting out of hand with dependencies and if we don't acknowledge that we'll have a real problem soon.
For some time drupal-project was a way to go, right now it simply does not work. How can we make sure that the installation is up to date and secure other way? While drupal docs still says it's the best way to go?
Comment #73
karolrybak CreditAttribution: karolrybak as a volunteer commentedThanks for much more in depth replies, greg.1.anderson, mmjvb glad to know it's being worked on !
Comment #74
mmjvb CreditAttribution: mmjvb as a volunteer commentedEDIT Didn't see your second reply.
That is what this issue is about: Preventing these kind of issues by not allowing dependencies on a moving target. The change in policy is to prevent this from happening again. For selenium the solution needs to be ^1.4@dev, for Mink there is no solution yet.
You don't need to convince people to solve this. This issue wants to solve it for D8.8.
For now drupal-project is still the way to go. Obviously, with --no-dev when you are not doing code development. Or removing the dev requirement to prevent mistakes. When doing development, for the moment you need that additional requirement bringing that development alias for selenium back. For a developer that shouldn't be a big deal.
Comment #75
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedReally, though, we should never depend on dev releases of external components. If we just cannot live without a commit on some branch of some project that does not have a stable release, we should make a non-maintained fork for the express purpose of having a project we control to depend on. Users shouldn't wake up Labor Day morning to discover that sites with no new commits are suddenly broken. That was a mistake of the past. Moving forward, we can avoid having it happen again.
Comment #76
yktdan CreditAttribution: yktdan commentedI tried the --no-dev option and got a syntax error. Posted to github. Surely the recommended install should not be a development install. --no-dev should be the default.
Comment #77
mmjvb CreditAttribution: mmjvb as a volunteer commentedAbsolutely agree, but we have no choice now. As soon as new stable releases are available we can remove @dev from the constraint. The errors in #24 suggest depending on commits in Mink after Stable. Suggest to try only selenium to confirm tests are green.
In that case Mink needs a patch with fixes Drupal testing depends on. Otherwise they must be unrelated.
Comment #78
karolrybak CreditAttribution: karolrybak as a volunteer commentedNot sure why is it even required to install drupal right now ??
webflo/drupal-core-require-dev 8.8.x-dev requires behat/mink-selenium2-driver 1.3.x-dev -> no matching package found
Comment #79
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedI could write a whole blog about the word "development" in Composer - and maybe I will. The problem is that this term is used for two vastly different concepts:
"minimum-stability": "dev"
,1.3.x-dev
,^1.4@dev
, etc.require-dev
,autoload-dev
, etc.By default, Composer will install the components that are only needed for testing when you update or install your project. You must use the --no-dev flag to avoid this.
Stability flags, on the other hand, default to stable by default, although Drupal chose to change the default to "development" (a mistake, in my opinion).
These two things are often conflated, which leads to some confusion.
Comment #80
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented@karolrybak: Just remove webflo/drupal-core-require-dev from your Drupal site for now. You probably don't need it. I advocated for it to be removed by default in https://github.com/drupal-composer/drupal-project/issues/477.
Comment #81
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedRe #27, the tests in #24 were a mistake. I thought the tags I were testing were more recent than the commits in Drupal's composer.lock file, but on subsequent investigation discovered they are earlier. This is why the tests failed. I expect everything should work just fine without further adjustment once we have stable tags in the upstreams.
If we never get stable tags in the upstreams, we do have a choice. We can fork our own copy of these projects. I don't think that will be necessary, though; it looks like the maintainers are going to provide what we need pretty soon.
Comment #82
karolrybak CreditAttribution: karolrybak as a volunteer commentedSo looks like it's here
https://github.com/webflo/drupal/blob/8.0.x/core/vendor/behat/mink/compo...
Does this even belong in core?
Comment #83
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented@karolrybak: The project and lines you are looking for are:
The first step is to fix the problem in Drupal Core, as drupal-core-require-dev is a generated package that builds its releases by reading the dependencies from every Drupal release.
Comment #84
mmjvb CreditAttribution: mmjvb as a volunteer commentedUnfortunately, composer is a developer tool, not deployment. There is no way to set it to --no-dev, not even using environment variables. The maintainers declined the request to change the default. Could be part of phase 2 of composer initiative, creating plugin to change default to no-dev instead of dev. Or create your own shell command.
Indeed, this issue is not resolved yet. No surprise webflo/drupal-core-require-dev 8.8.x-dev is having the problem, drupal 8.8-dev is still having the problem. It is postponed because there is no solution yet. Proposed solution requires upstream work, hence postponed. FYI, drupal-core-require-dev is generated out of drupal core. As this is a problem in drupal core it appears in drupal-core-require-dev.
Comment #85
manuel.adanAs a workaround, I solved it locally by adding the lost package information to my private repository (based on satis). Not sure if possible, but adding it to the packages section of the composer.json file of drupal-composer/drupal-project could works as a temporary solution until a new approach is found.
This is the behat/mink-selenium2-driver (1.3.x-dev) package information:
Comment #86
cilefen CreditAttribution: cilefen as a volunteer commented#3079333: webflo/drupal-core-require-dev prevents installing 8.7.7 using composer
Comment #87
maxilein CreditAttribution: maxilein commentedwhat helped me https://github.com/drupal-composer/drupal-project/issues/511 - until this is cleared:
"require": {
....,
"behat/mink-selenium2-driver": "dev-master as 1.3.x-dev"
},
Comment #88
mmjvb CreditAttribution: mmjvb as a volunteer commentedPlease stop spamming this issue with workarounds for 8.7, this issue is about 8.8. For 8.7 see https://www.drupal.org/project/drupal/issues/3078904
Comment #89
mmjvb CreditAttribution: mmjvb as a volunteer commented@manuel.adan Very interesting workaround. Wonder whether it is possible to have multiple branch-aliases. For those having a private repository this would be the perfect solution. Having the change available instantly without a need to change anything in your projects. For the general public it would probably need to be provided by the facade on d.o.
For projects having a path repository pointing to a local folder it would be usable as well. Expect the package repository in your project to work as well, haven't tried it though. Suspect the simple require dev-master as 1.3.x-dev in the main project to be simpler for most people.
Comment #90
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedI think that commiserating about 8.7.x here is fair. I don't know that it was necessary to open the backport issue before we have a solution here; it's more convenient to have one place for discussions.
Also, as a heads up, it looks like behat/mink is going to make a 1.8.0 release, which means that the 1.7.x-dev branch alias we are currently depending on is also going to disappear.
Comment #91
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedI added a request that the maintainers create a persistent 1.7 branch before removing the 1.7.x-dev branch alias.
Comment #92
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedThe 1.3 branch has been created for behat/mink-selenium2-driver, so everyone's builds should automatically start working again.
Still waiting for stable releases from behat/mink-selenium2-driver and behat/mink so that we can apply lasting fixes here. Downgrading to "major" since builds are not actually broken at the moment -- but we are still at risk for builds breaking if behat/mink removes the 1.7.x-dev branch alias before creating the 1.7 branch, but at this point I don't think that will happen. All the same, we should get onto the stable tags as soon as they are available, as that's the right thing to do.
Comment #93
karolrybak CreditAttribution: karolrybak as a volunteer commentedCan confirm install is working now with composer.
Still all the external dependencies should be reviewed and reduced as noted in #75.
This is just a warning sign and if we don't put more thought into dependencies this could become a security risk too.
Comment #94
catchSee #2899825: Release and support cycles for PHP dependencies for discussion of third party dependencies, specifically in relation to release cycles.
Comment #95
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedThanks for the reference to 2899825. We are lobbying for stable releases of behat/mink and behat/mink-selenium2-driver that are the same, or functionally the same as the commit we currently pin to in our composer.lock file. I think that we should adopt these stable releases in our composer.json as soon as they are available, regardless of the release cycle. Hopefully, though, this will happen well in advance of the 8.8.0-alpha freeze.
Comment #96
vuilHello,
It works (#58). Please replace in your
composer.json
:Comment #97
Mixologicbehat/mink-selenium 2-driver has fixed their issue upstream. There is no need to apply #58.
We should keep this issue focused on removing the - dev aliases from our composer.json/lock
Comment #98
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedYes, #96 is actually an anti-pattern now, because it will break again once Drupal moves to a stable release. Anyone who has already applies workarounds for the behat/mink-selenium2-driver issue should remove them now.
I updated the issue summary to reflect this advice.
Comment #100
sam-elayyoub CreditAttribution: sam-elayyoub as a volunteer and at Achieve Internet commentedTry thispatch to composer.json
Comment #101
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented#100 is the same as #96. You are actually better off at this point NOT doing that, and instead just use 1.3.x-dev. Using dev-master will float to the most recent dev commits for this component (which may in the future break with Drupal, e.g. could pick up 2.x commits if they start a 2.x branch), whereas the 1.3 branch should not receive any further commits.
Comment #102
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedAdd a remaining task to remove the test and guard.
Comment #103
Ghost of Drupal PastAnother (bad) reason to do this: while I know this is an anti pattern but as long as composer has the speed it has, there's no other practical way for us but to commit vendor into the git repo and if you are doing that then these branches carry their own .git which makes for trouble. We have
in our composer.json to work around. I'll be glad to remove it.
Comment #104
xjmComment #105
alexpottThere's a random error caused by the current release of behat/mink on PHP 7.4 - see #3115000: Random fail in \Drupal\Tests\node\Functional\PagePreviewTest::testPagePreviewWithRevisions on PHP 7.4
Comment #106
alexpottWe can do this now! https://github.com/minkphp/Mink/issues/725#issuecomment-597699833
Comment #107
alexpottBye-bye icky code...
Comment #108
heddnCan we also get rid of
"minimum-stability": "dev",
or should that be in a follow-up? It doesn't seem we are 100% decided on that. And at the least, it would be nice to see a patch that has it to see how things fly with it. But follow-up is fine too.
Comment #109
andypostBetter to file follow-up for #108
And summary needs polishing
Comment #111
jungleWorking on failure in #107
Comment #112
BerdirWe can maybe just remove that test coverage as it is testing logic that no longer exists?
Comment #113
alexpottNice unit test failures.... updating the tests. Not 100% sure about how useful they actually are.
Comment #114
alexpott@Berdir I think the tests are testing something. They are testing how the meta packages copy dependencies and in the case of \Drupal\Composer\Generator\Builder\DrupalPinnedDevDependenciesBuilder this results in a specific version as per lock file and in the case of \Drupal\Composer\Generator\Builder\DrupalDevDependenciesBuilder it results in copying the constraint.
It also tests that things in the dev require section get moved into the regular require section.
Comment #115
jungleShould reference be updated?
Comment #116
junglelocked reference is `e1772aabb6b654464264a6cc72158c8b3409d8bc`, i copied from https://github.com/minkphp/Mink/commit/e6930b9c74693dff7f4e58577e1b17433..., it's wrong.
Comment #117
jungleUpdate git reference
Comment #118
jungleComment #119
longwaveLooks good, test changes all make sense. Also glad there is finally a release we can use.
Comment #120
catchCould use a CR and a release note. I'm assuming we want to backport this to at least 8.9.x and maybe 8.8.x once it's in 9.0.x since it's only a dev dependency.
Comment #121
alexpottFixed the release note and created the change record - https://www.drupal.org/node/3119264
Comment #122
alexpottAdding review credit for @mmjvb and @karolrybak
Comment #124
catchCommitted d3b2a6f and pushed to 9.0.x. Thanks!
Moving to 8.9.x for backport.
Comment #125
alexpottHere's the 8.9.x backport. Note that there's been an 1.8.1 behat/mink release - there's nothing of consequence in it - as far as I can see it is only a docs change ... but here's a 9.0.x patch so 9.0.x stays as up-to-date as 8.9.x.
Comment #127
alexpottMissed a bit.
Comment #128
MixologicComment #129
jungleSee https://semver.org/#is-v123-a-semantic-version
I am wondering, should 1.8.0 be used which is under the require section of composer.json, instead of v1.8.0? inside file composer.lock, it's fine as the file is auto-generated always. And yes, as @alexpott said to me over Slack, it's fake, does not matter which to use here.
Comment #130
alexpottRe #129/ @jungle - no we should not do that here's why:
This is what is in the composer.json.
This is what composer writes to its lock files. We have 0 control over that. It is just how it is. We do not write composer.lock files and when we fake them we should copy what they do. Hence the
v1.8.0
in the test fixtureComment #131
alexpottAlso look at the current pinned dependencies file - full of a mishmash of version constraints that we have no control over because it is up to the dependencies to tag their releases how they like.
Comment #132
jungleThanks, @alexpott, agree with you on #130
Checked the link in #131 of file/composer/Metapackage/PinnedDevDependencies/composer.json and found that they are not true semantic versions according to #129 See below:
A few packages are using v1.2.3-like versions under the require section of a composer.json file, I just have not used that way before.
So my question becomes that whether to remove the prefix v to follow the semantic versioning strictly for packages under the require and require-dev sections of composer.json file(s).
Comment #133
alexpott@jungle well certainly not in this issue. You can open another issue if you like but for me it's a closed won't fix because these version strings are determined by composer so they are what we need to pin on.
Comment #134
MixologicRe #132 Composer understands/accepts/handles the v prefix. If upstream maintainers want to use v1.2.3 (like all of symfony) there is nothing we need to do. And given that those versions are actual tags in a git repository, it is better that we leave them exactly as is.
Semver isnt deterministic. There is no 'correct' or 'proper' semver, because it is really just a contract, between humans, on how we should behave. Software that interfaces with semver expectations, like composer can either be rigid, and only accept a narrow definition of what constitutes a 'version string', or, it can be somewhat looser, to allow for all the historical releases that were 'pretty close to semver' by adding things like a v.
Comment #135
MixologicExtra double comment edited out.
Comment #136
longwaveI visually compared #117 and #127 and the only differences are in composer.lock, which is expected.
The 9.0.x followup patch in #125 is also trivial.
Both patches are RTBC.
Comment #137
jungleMany thanks to @Ryan and @alexpott for your replies and explanations! I am happy having 'v' to stay in now!
Comment #138
catchCommitted the follow-up to 9.0.x, and the 8.9.x backport.
We should probably discuss whether or not to backport to 8.8.x - it is a library update, but it is one which gets us on a nice stable version during 8.8.x LTS and just a dev dependency. I'm not sure whether it's worth it or not for 8.8.x
Comment #141
jungleA patch against 8.8.x. In case it's needed.
Comment #142
jungleSo what's the final decision, port it to 8.8.x or not?
For me, I'd vote for yes.
"behat/mink": "^1.8"
is a dev dependency package, it's no harm obviously to have a higher minor and stable version.Comment #143
andypost@jungle thanks! As a patch here - that's right status to get rtbc and commiter's eyes
Comment #144
longwaveTentative RTBC. I compared #141 and #127 and the only differences are in composer.lock - the hash and some irrelevant changes in the abandoned Zend framework packages.
However, we don't normally upgrade dependences in patch releases as far as I know - and I am not sure I see the need here. Drupal 8.8 end of life is in December and I don't see any benefit in upgrading this dependency.
Comment #145
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedIf we are going to backport #3135247: Composer's "prefer-stable" setting cannot be relied on to produce a stable release to 8.8.x, then we need to do this issue first as a prerequisite. Otherwise, it prevents folks from using drupal/core-dev.
I think we should commit this on 8.8.x even if we do not backport #3135247.
Comment #146
xjm@catch and I discussed this and agreed to backport it to 8.8.x. While we wouldn't normally do a minor update to dependencies in a patch release, this is updating dev dependencies only from (in one case) a random commit on a broken branch to a stable release that's fixed.
It will also make things easier for the recent pain surrounding our metapackage templates and things updating incorrectly because of
prefer-stable
/minimum-stability: "dev"
.Comment #148
xjmCompared #141 to the previous patches and committed it to 8.8.x. Thanks!
Comment #149
alexpottNote if this gets reverted from 8.8.x then we need to revert or adjust #3123933: Determine whether ComposerProjectTemplatesTest is testing the internet, and if it is, avoid that on 8.8.x because that commit depends on this one.
Comment #150
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedVery glad to have this in 8.8.x, so folks can switch to using minimum stability: stable and still use drupal/core-dev if they want.
Comment #152
xjm