Problem/Motivation

  • The Automatic Updates module uses Composer runtime APIs that were introduced in Composer 2.1, and therefore it currently declares a "composer-runtime-api": "^2.1" dependency in its composer.json file.
  • Additionally, once drupal.org's release packaging pipeline adds TUF signatures to releases, Automatic Updates will also require the https://github.com/php-tuf/composer-integration library, which has a dependency on "composer-plugin-api": "^2.1".
  • Currently, drupal/recommended-project cannot be installed on Composer 1, because drupal/core-composer-scaffold and drupal/core-project-message have dependencies on "composer-plugin-api": "^2".
  • However, currently Drupal 10.0 can be installed on Composer 2.0, and according to #3293811-21: Discuss whether to enforce the Composer 2.3.5 requirement for more than just core development, 6% of new daily installs of Composer 2 continue to be for Composer 2.0 despite that version being EOL and insecure. That number probably includes CI jobs in addition to human users.
  • Therefore, if we end up adding Automatic Updates to Drupal 10 core in a future minor version, we risk adding a new requirement (a higher version of Composer than what 10.0 requires), and some site owners might be surprised by that.

Proposed resolution

Option 1:

Add a "composer-runtime-api": "^2.1" requirement to Drupal 10.0.x before tagging RC1.

Pros:

  • Avoids the cons of options 2 and 3.

Cons:


Option 2:

Don't add such a requirement for 10.0.x, and wait until the version that adds Automatic Updates to core to do that.

Pros:

  • It would keep our composer.json honest. If 10.0 doesn't actually require "composer-runtime-api": "^2.1", then option 1 would in a way be a lie.
  • It would give another 6 months or more for Composer 2.0 usage to drop still further before adding the requirement for 2.1.

Cons:

  • Changing the requirement in a Drupal minor isn't ideal. We wouldn't do that for PHP version or database versions, for example. However, the Composer version is more under the site owner's control than PHP or database versions, so maybe it's more okay.


Option 3:

Don't add such a requirement for 10.0.x, and also don't do it in a 10.x minor, and instead wait until 11.0 to do it. When Automatic Updates is added to Drupal core, remove those composer.json requirements from the module and its dependencies, and instead enforce the requirement only for enabling the Automatic Updates module.

Pros:

  • Avoids hard-breaking Composer 2.0 usage both now and in a Drupal minor version.

Cons:

  • It's not idiomatic. I don't think we have other examples in core for core modules or packages that have composer dependencies that are not specified within composer.json.


Remaining tasks

Pick an option.

User interface changes

N/A

API changes

TBD

Data model changes

N/A

Release notes snippet

In anticipation of the forthcoming Automatic Updates feature, for sites that use Composer, Drupal 10 requires a minimum of Composer 2.1 to install and run Drupal.


Comments

effulgentsia created an issue. See original summary.

effulgentsia’s picture

I tagged this as an RC blocker, but all I mean by that is that I think we need to make an explicit decision by then, even if that decision is to make no changes to Drupal core itself for Drupal 10.0.

bbrala’s picture

Composer 2.2 is LTS, which means support until end of 2023. I think we will need to up versions anyway during the minors, it seems, if we want to use supported versions.

effulgentsia’s picture

Title: Discuss if and how to enforce a Composer 2.1 or 2.2 requirement for more than just core development » Decide on strategy for when and how to require Composer 2.1 or higher (for Automatic Updates in Core)
Issue summary: View changes

I updated the title and issue summary for brevity and clarity to hopefully help with getting to a decision.

longwave’s picture

Initially I was leaning towards option 3, because I think that is the most flexible; automatic updates is not yet in core, so we technically don't require any version of Composer at runtime, and there is a chance that the Composer version requirement may be increased before it lands, which would mean we would need options 2 or 3 anyway.

But having done some research into other products, they have already added dependencies on composer-runtime-api:^2.1 and it doesn't seem to have done them any harm.

Some Symfony bundles require it already:
https://packagist.org/packages/symfony/framework-bundle
https://packagist.org/packages/symfony/twig-bundle

TYPO3 also does: https://packagist.org/packages/typo3/cms-core

Therefore I think option 1 is safe, it sets a baseline for Drupal 10, and should help us to get Automatic Updates in core slightly more easily.

effulgentsia’s picture

Issue summary: View changes

Added pros and cons for each option.

effulgentsia’s picture

Status: Active » Needs review

Here's the patch for option 1, in case that's what we pick. Options 2 or 3 wouldn't need a patch until Automatic Updates is ready to add to core.

effulgentsia’s picture

> Composer 2.2 is LTS, which means support until end of 2023. I think we will need to up versions anyway during the minors, it seems, if we want to use supported versions.

I think it's different with a requirement on composer-runtime-api than with other packages that we update dependencies for. I think it's more similar to a PHP or database version requirement, where we try our best to not raise that requirement in a Drupal minor, even if those versions have already gone EOL. However, site owners have more control over their Composer version than over their PHP and database versions, so we could decide that it's okay to raise the minimum requirement in a Drupal minor, but I don't think that means that we need to always do it whenever Composer versions go EOL.

> But having done some research into other products, they have already added dependencies on composer-runtime-api:^2.1 and it doesn't seem to have done them any harm.

Thank you for that research. That's good to know.

effulgentsia’s picture

Title: Decide on strategy for when and how to require Composer 2.1 or higher (for Automatic Updates in Core) » Decide when to require Composer runtime 2.1 or higher (for Automatic Updates in Core)

Removing extraneous words from issue title.

effulgentsia’s picture

Title: Decide when to require Composer runtime 2.1 or higher (for Automatic Updates in Core) » Decide when to require Composer runtime ^2.1 (needed by Automatic Updates)

Wim Leers’s picture

Status: Needs review » Reviewed & tested by the community

#5: 👏 on that research!

alexpott’s picture

Status: Reviewed & tested by the community » Fixed
Issue tags: +Needs reroll

Remade the patch and committed it as it did not apply anymore.

Committed and pushed 13f60d0e6f to 10.1.x and 12490510e7 to 10.0.x. Thanks!

  • alexpott committed 13f60d0 on 10.1.x
    Issue #3313486 by effulgentsia, longwave: Decide when to require...

  • alexpott committed 1249051 on 10.0.x
    Issue #3313486 by effulgentsia, longwave: Decide when to require...

longwave’s picture

Added release note snippet.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.