Problem/Motivation
- The Automatic Updates module uses Composer runtime APIs that were introduced in Composer 2.1, and therefore it currently declares a `"composer-runtime-api": "^2.1"` dependency in its composer.json file.
- Additionally, once drupal.org's release packaging pipeline adds TUF signatures to releases, Automatic Updates will also require the https://github.com/php-tuf/composer-integration library, which has a dependency on `"composer-plugin-api": "^2.1"`.
- Currently, `drupal/recommended-project` cannot be installed on Composer 1, because `drupal/core-composer-scaffold` and `drupal/core-project-message` have dependencies on `"composer-plugin-api": "^2"`.
. - However, currently Drupal 10.0 can be installed on Composer 2.0, and according to #3293811-21: Discuss whether to enforce the Composer 2.3.5 requirement for more than just core development, 6% of new daily installs of Composer 2 continue to be for Composer 2.0 despite that version being EOL and insecure. That number probably includes CI jobs in addition to human users.
- Therefore, if we end up adding Automatic Updates to Drupal 10 core in a future minor version, we risk adding a new requirement (a higher version of Composer) than what 10.0 requires, and some site owners might be surprised by that.
Proposed resolution
Option 1:
Add a `"composer-runtime-api": "^2.1"` requirement to Drupal 10.0.x before tagging RC1.
Pros:
- Avoids the cons of options 2 and 3.
Cons:
- For people on Composer 2.0, the error message that Composer would output if Drupal 10.0 requires `"composer-runtime-api": "^2.1"` is user-unfriendly. See #3293811-8: Discuss whether to enforce the Composer 2.3.5 requirement for more than just core development.
Option 2:
Don't add such a requirement for 10.0.x, and wait until the version that adds Automatic Updates to core to do that.
Pros:
- It would keep our composer.json honest. If 10.0 doesn't actually require `"composer-runtime-api": "^2.1"`, then option 1 would in a way be a lie.
- It would give another 6 months or more for Composer 2.0 usage to drop still further before adding the requirement for 2.1.
Cons:
- Changing the requirement in a Drupal minor isn't ideal. We wouldn't do that for PHP version or database versions, for example. However, the Composer version is more under the site owner's control than PHP or database versions, so maybe it's more okay.
Option 3:
Don't add such a requirement for 10.0.x, and also don't do it in a 10.x minor, and instead wait until 11.0 to do it. When Automatic Updates is added to Drupal core, remove those composer.json requirements from the module and its dependencies. And instead, enforce the requirement only for enabling the Automatic Updates module.
Pros:
- Avoids hard-breaking Composer 2.0 usage both now and in a Drupal minor version.
Cons:
- It's not idiomatic. I don't think we have other examples in core for core modules or packages that have composer dependencies that are not specified within composer.json.
Remaining tasks
Pick an option.
User interface changes
N/A
API changes
TBD
Data model changes
N/A
Release notes snippet
In anticipation of the forthcoming Automatic Updates feature, for sites that use Composer, Drupal 10 requires a minimum of Composer 2.1 to install and run Drupal.
| Comment | File | Size | Author |
|---|---|---|---|
| #9 | 3313486-9-option1.patch | 1.04 KB | effulgentsia |
Comments
Comment #2
effulgentsia (at Acquia) commented:
I tagged this as an RC blocker, but all I mean by that is that I think we need to make an explicit decision by then, even if that decision is to make no changes to Drupal core itself for Drupal 10.0.
Comment #3
bbrala commented:
Composer 2.2 is LTS, which means support until end of 2023, I think we will need to up versions anyways during the minors it seems if we want to use supported versions.
Comment #4
effulgentsia (at Acquia) commented:
I updated the title and issue summary for brevity and clarity to hopefully help with getting to a decision.
Comment #5
longwave commented:
Initially I was leaning towards option 3, because I think that is the most flexible; automatic updates is not yet in core, so we technically don't require any version of Composer at runtime, and there is a chance that the Composer version requirement may be increased before it lands, which would mean we would need options 2 or 3 anyway.
But having done some research into other products, they have already added dependencies on `composer-runtime-api:^2.1` and it doesn't seem to have done them any harm.
Some Symfony bundles require it already:
https://packagist.org/packages/symfony/framework-bundle
https://packagist.org/packages/symfony/twig-bundle
Typo3 also does: https://packagist.org/packages/typo3/cms-core
Therefore I think option 1 is safe, it sets a baseline for Drupal 10, and should help us to get Automatic Updates in core slightly more easily.
Comment #6
effulgentsia (at Acquia) commented:
Comment #7
effulgentsia (at Acquia) commented:
Added pros and cons for each option.
Comment #8
effulgentsia (at Acquia) commented:
Comment #9
effulgentsia (at Acquia) commented:
Here's the patch for option 1, in case that's what we pick. Options 2 or 3 wouldn't need a patch until Automatic Updates is ready to add to core.
Comment #10
effulgentsia (at Acquia) commented:
I think it's different with a requirement on `composer-runtime-api` than with other packages that we update dependencies for. I think it's more similar to a PHP or database version requirement, where we try our best to not raise that requirement in a Drupal minor, even if those versions have already gone EOL. However, site owners have more control over their Composer version than over their PHP and database versions, so we could decide that it's okay to raise the minimum requirement in a Drupal minor, but I don't think that means that we need to always do it whenever Composer versions go EOL.
Thank you for that research. That's good to know.
Comment #11
effulgentsia (at Acquia) commented:
Removing extraneous words from issue title.
Comment #12
effulgentsia (at Acquia) commented:
Comment #13
Wim Leers commented:
#5: 👏 on that research!
Comment #14
alexpott commented:
Remade the patch and committed it as it did not apply anymore.
Committed and pushed 13f60d0e6f to 10.1.x and 12490510e7 to 10.0.x. Thanks!
Comment #17
longwave commented:
Added release note snippet.