Problem/Motivation

Yes, there's no alpha release yet!
Yes, it's probably too early for this!
Yes, it's an ever moving target!

I'm going to do it anyway, even if it isn't committed right away.
If we hit any major issue, this way, we have time to actually think/discuss and fix them and not be pressure-hurried by a release date.
</End of smugness>

We should release 10.4.0-beta1 on the latest dependencies.

Steps to reproduce

$ composer outdated

Proposed resolution

$ composer update

Remaining tasks

- Decide if we need to document the new dev-dependencies introduced by the update of open-telemetry/sdk
Confirmed by multiple core committers: No we don't.
- Decide if we want to make the major jump to 2.x for PHPStan in the 10.x branch

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comment | File | Size | Author
#10 | 3486545-nr-bot.txt | 91 bytes | needs-review-queue-bot

Issue fork drupal-3486545

Comments

spokje created an issue. See original summary.

spokje’s picture

Issue summary: View changes

spokje’s picture

$ composer-lock-diff --no-links
+---------------------------------+---------+---------+
| Production Changes              | From    | To      |
+---------------------------------+---------+---------+
| composer/installers             | v2.2.0  | v2.3.0  |
| doctrine/annotations            | 1.14.3  | 1.14.4  |
| guzzlehttp/guzzle               | 7.8.1   | 7.9.2   |
| guzzlehttp/promises             | 2.0.2   | 2.0.4   |
| guzzlehttp/psr7                 | 2.6.2   | 2.7.0   |
| mck89/peast                     | v1.16.2 | v1.16.3 |
| symfony/console                 | v6.4.12 | v6.4.15 |
| symfony/dependency-injection    | v6.4.7  | v6.4.15 |
| symfony/error-handler           | v6.4.7  | v6.4.14 |
| symfony/event-dispatcher        | v6.4.7  | v6.4.13 |
| symfony/filesystem              | v6.4.12 | v6.4.13 |
| symfony/finder                  | v6.4.11 | v6.4.13 |
| symfony/http-foundation         | v6.4.7  | v6.4.15 |
| symfony/http-kernel             | v6.4.7  | v6.4.15 |
| symfony/mailer                  | v6.4.7  | v6.4.13 |
| symfony/mime                    | v6.4.7  | v6.4.13 |
| symfony/polyfill-iconv          | v1.29.0 | v1.31.0 |
| symfony/polyfill-intl-idn       | v1.29.0 | v1.31.0 |
| symfony/polyfill-php83          | v1.29.0 | v1.31.0 |
| symfony/process                 | v6.4.12 | v6.4.15 |
| symfony/psr-http-message-bridge | v6.4.7  | v6.4.13 |
| symfony/routing                 | v6.4.7  | v6.4.13 |
| symfony/serializer              | v6.4.7  | v6.4.15 |
| symfony/string                  | v6.4.12 | v6.4.15 |
| symfony/validator               | v6.4.7  | v6.4.15 |
| symfony/var-dumper              | v6.4.7  | v6.4.15 |
| symfony/var-exporter            | v6.4.7  | v6.4.13 |
| symfony/yaml                    | v6.4.7  | v6.4.13 |
+---------------------------------+---------+---------+

+------------------------------------+----------+----------+
| Dev Changes                        | From     | To       |
+------------------------------------+----------+----------+
| composer/ca-bundle                 | 1.5.2    | 1.5.3    |
| composer/composer                  | 2.8.1    | 2.8.2    |
| composer/pcre                      | 3.3.1    | 3.3.2    |
| drupal/coder                       | 8.3.24   | 8.3.25   |
| lullabot/mink-selenium2-driver     | v1.7.2   | v1.7.4   |
| lullabot/php-webdriver             | v2.0.4   | v2.0.6   |
| mglaman/phpstan-drupal             | 1.2.11   | 1.3.1    |
| myclabs/deep-copy                  | 1.12.0   | 1.12.1   |
| nikic/php-parser                   | v5.2.0   | v5.3.1   |
| php-http/httplug                   | 2.4.0    | 2.4.1    |
| phpdocumentor/reflection-docblock  | 5.4.0    | 5.6.0    |
| phpdocumentor/type-resolver        | 1.8.2    | 1.10.0   |
| phpstan/extension-installer        | 1.3.1    | 1.4.3    |
| phpstan/phpdoc-parser              | 1.29.0   | 1.33.0   |
| phpstan/phpstan                    | 1.12.6   | 1.12.10  |
| phpstan/phpstan-deprecation-rules  | 1.2.0    | 1.2.1    |
| phpstan/phpstan-phpunit            | 1.4.0    | 1.4.1    |
| sirbrillig/phpcs-variable-analysis | v2.11.18 | v2.11.19 |
| squizlabs/php_codesniffer          | 3.9.2    | 3.11.0   |
| symfony/browser-kit                | v6.4.7   | v6.4.13  |
| symfony/css-selector               | v6.4.7   | v6.4.13  |
| symfony/dom-crawler                | v6.4.7   | v6.4.13  |
| symfony/lock                       | v6.4.7   | v6.4.13  |
| symfony/phpunit-bridge             | v6.4.7   | v6.4.13  |
| webflo/drupal-finder               | 1.3.0    | 1.3.1    |
+------------------------------------+----------+----------+

spokje’s picture

So

1) There are some new dev-dependencies, which is why 2 additions to the cspell dictionary are present.
2) One of these new dev-dependencies, tbachert/spi, needs permission to be in allow-plugins.
3) We bumped mglaman/phpstan-drupal, which made 4 suppressions disappear in the baseline. (See https://github.com/mglaman/phpstan-drupal/issues/780)
Because this baseline won't pass with any version lower than 1.2.12, I bumped to this version as the minimum in composer.json.

spokje’s picture

Besides tbachert/spi, I see four more new dev-dependencies:

1) brick/math:

$ composer why brick/math
ramsey/uuid 4.7.6 requires brick/math (^0.8.8 || ^0.9 || ^0.10 || ^0.11 || ^0.12)

2) nyholm/psr7-server:

$ composer why nyholm/psr7-server
open-telemetry/sdk 1.1.2 requires nyholm/psr7-server (^1.1)

3) ramsey/collection:

$ composer why ramsey/collection
ramsey/uuid 4.7.6 requires ramsey/collection (^1.2 || ^2.0)

4) ramsey/uuid

$ composer why ramsey/uuid
open-telemetry/sdk 1.1.2 requires ramsey/uuid (^3.0 || ^4.0)
ramsey/uuid        4.7.6 replaces rhumsaa/uuid (self.version)

So every one of the five new dev-dependencies comes from open-telemetry/sdk.

Do we need to document this/all of the dependencies individually/ignore this completely?

EDIT: Hmmm, looking at https://www.drupal.org/about/core/policies/core-dependency-policies-and-... we:
a) are hopelessly behind on our current documentation.
b) trying to document all 5(?) current branches is going to be a slight nightmare.
c) also seem to have JS dependencies in that page (PostCSS)
d) seem to only document our direct dev-dependencies.

If d) is true, there won't be a need to document the new sub-dependencies IMHO.
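The two review steps in the comments above (tracing each new package back to its requirer, as `composer why` does, and spotting that a new package is a Composer plugin that needs an `allow-plugins` entry) can be scripted against two lock files. This is an added example, not part of the original thread or of Drupal's tooling; the lock contents, the `0.0.0` versions, the `*` constraint and all function names are constructed for illustration.

```python
from fnmatch import fnmatch

def packages(lock):
    """Map name -> entry over both lock sections (packages, packages-dev)."""
    return {p["name"]: p for s in ("packages", "packages-dev") for p in lock.get(s, [])}

def new_packages(old_lock, new_lock):
    """Packages only in new_lock, with the locked packages that require them."""
    old, new = packages(old_lock), packages(new_lock)
    return {
        name: {
            "required_by": sorted(p["name"] for p in new.values()
                                  if name in p.get("require", {})),
            "is_plugin": new[name].get("type") == "composer-plugin",
        }
        for name in sorted(set(new) - set(old))
    }

def plugin_allowed(name, allow_plugins):
    """First matching allow-plugins pattern decides; no match means needs review."""
    for pattern, allowed in allow_plugins.items():
        if fnmatch(name, pattern):  # approximation of Composer's wildcard matching
            return bool(allowed)
    return False

def unapproved_plugins(report, allow_plugins):
    """New composer-plugin packages that allow-plugins does not permit."""
    return [n for n, info in report.items()
            if info["is_plugin"] and not plugin_allowed(n, allow_plugins)]

# Constructed sample locks (not Drupal's real files); 0.0.0 versions are placeholders.
def pkg(name, version, require=None, type_="library"):
    return {"name": name, "version": version, "type": type_, "require": require or {}}

OLD_LOCK = {"packages": [], "packages-dev": [pkg("open-telemetry/sdk", "0.0.0")]}
NEW_LOCK = {"packages": [], "packages-dev": [
    pkg("open-telemetry/sdk", "1.1.2", {"nyholm/psr7-server": "^1.1",
        "ramsey/uuid": "^3.0 || ^4.0", "tbachert/spi": "*"}),
    pkg("ramsey/uuid", "4.7.6", {"ramsey/collection": "^1.2 || ^2.0",
        "brick/math": "^0.8.8 || ^0.9 || ^0.10 || ^0.11 || ^0.12"}),
    pkg("brick/math", "0.0.0"), pkg("ramsey/collection", "0.0.0"),
    pkg("nyholm/psr7-server", "0.0.0"),
    pkg("tbachert/spi", "0.0.0", type_="composer-plugin"),
]}
ALLOW_PLUGINS = {"composer/installers": True}  # constructed config.allow-plugins

if __name__ == "__main__":
    for name, info in new_packages(OLD_LOCK, NEW_LOCK).items():
        print(name, "<-", ", ".join(info["required_by"]), "(plugin)" if info["is_plugin"] else "")
    print("review:", unapproved_plugins(new_packages(OLD_LOCK, NEW_LOCK), ALLOW_PLUGINS))
```

For real use, load both files with `json.load` and pass `config["allow-plugins"]` from composer.json.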

spokje’s picture

Assigned: spokje » Unassigned
Issue summary: View changes
Status: Active » Needs review
needs-review-queue-bot’s picture

Status: Needs review » Needs work
Status: new; file size: 91 bytes

The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

spokje’s picture

Issue summary: View changes
Status: Needs work » Needs review
Issue tags: +no-needs-review-bot

Bad bot, get out!

Also: Do we want/are allowed to make the major jump to 2.x for PHPStan in the 10.x branch?

spokje’s picture

Issue summary: View changes
spokje’s picture

Rebased and updated #4

andypost’s picture

Rebased after #3484463: Upgrade open-telemetry packages for PHP 8.4 and updated a bit more; looks ready to go

+-----------------------------------+--------+---------+
| Dev Changes                       | From   | To      |
+-----------------------------------+--------+---------+
| composer/pcre                     | 3.3.1  | 3.3.2   |
| phpdocumentor/reflection-docblock | 5.5.1  | 5.6.0   |
| phpstan/phpstan                   | 1.12.9 | 1.12.10 |
| phpstan/phpstan-phpunit           | 1.4.0  | 1.4.1   |
| squizlabs/php_codesniffer         | 3.10.3 | 3.11.0  |
+-----------------------------------+--------+---------+

spokje’s picture

Thanks @andypost!

Of course this is an ongoing battle: https://github.com/symfony/symfony/releases/tag/v6.4.15

Updated MR and #4

andypost’s picture

Status: Needs review » Reviewed & tested by the community

Let's get it in and unblock PHP 8.4

andypost’s picture

Guzzle update is the only requirement for PHP 8.4 compatibility

Pushed a bit more

+------------------------------+---------+---------+
| Production Changes           | From    | To      |
+------------------------------+---------+---------+
| symfony/console              | v6.4.14 | v6.4.15 |
| symfony/dependency-injection | v6.4.13 | v6.4.15 |
| symfony/http-foundation      | v6.4.14 | v6.4.15 |
| symfony/http-kernel          | v6.4.14 | v6.4.15 |
| symfony/process              | v6.4.14 | v6.4.15 |
| symfony/serializer           | v6.4.13 | v6.4.15 |
| symfony/string               | v6.4.13 | v6.4.15 |
| symfony/validator            | v6.4.14 | v6.4.15 |
| symfony/var-dumper           | v6.4.14 | v6.4.15 |
| twig/twig                    | v3.14.2 | v3.15.0 |
+------------------------------+---------+---------+

+---------------------------+---------+---------+
| Dev Changes               | From    | To      |
+---------------------------+---------+---------+
| composer/composer         | 2.8.2   | 2.8.3   |
| phpstan/phpstan           | 1.12.10 | 1.12.11 |
| squizlabs/php_codesniffer | 3.11.0  | 3.11.1  |
+---------------------------+---------+---------+

andypost’s picture

Reverted twig to 3.14.2 as it breaks a lot of tests

andypost’s picture

  • catch committed d53638c7 on 10.4.x
    Issue #3486545 by spokje, andypost: Update Composer dependencies for 10....

  • catch committed a68df986 on 10.5.x
    Issue #3486545 by spokje, andypost: Update Composer dependencies for 10....

catch’s picture

Version: 10.5.x-dev » 10.4.x-dev
Status: Reviewed & tested by the community » Fixed

Committed/pushed to 10.5.x and 10.4.x, thanks!

quietone’s picture

The requirement for documentation for dependencies recently changed. As @spokje points out, keeping it up to date is a 'slight nightmare'. The information links for all dependencies do not need to be documented in the 'Current PHP dependencies' or the 'Current Javascript dependencies' pages. Only those that are "large security or API surface" need to be documented. For the rest, we can now use the data provided in the issue, using a new tag 'approved dependency evaluation'. See issues tagged "approved dependency evaluation".

This is explained in Dependency information links.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.