Existing modules that require Drupal core ban (Drupal 10) will now find Drupal ban 1.0 as a Drupal 11 module, thus failing on composer.

Comments

pcambra created an issue. See original summary.

pcambra’s picture

Workaround for sites rn would be to add this to their composer.json replace, I think:

"replace": {
    "drupal/ban": "1.0.0"
}

pcambra’s picture

mstrelan’s picture

What version constraint do these modules have?

anybody’s picture

FYI: Tugboat would need a composer.json to work as expected: #3578788: Add composer.json & tugboat support for easier manual review and testing in issues (Slightly off-topic but related, if we introduce one)

mstrelan’s picture

I think this works as designed. If you want to support 10 and 11 in the same release then use core ban. Otherwise bump the minimum to 11 and use contrib. If the other maintainers want to provide 10.x support they could do that in 1.1.0 but since the subtree split was from 11 that is untested.

sardis’s picture

We have the same problem with https://www.drupal.org/project/suspect_blocker module. It requires core ban module:

name: 'Suspect Blocker'
type: module
description: 'Blocks IPs that attempt to access multiple URLs repeatedly within a short time.'
core_version_requirement: ^10 || ^11
package: Security
dependencies:
  - syslog
  - ban
configure: suspect_blocker.settings
links:
  help: help.page.suspect_blocker

But the problem is that packagist applies dependency on contrib drupal/ban and if you run composer show drupal/suspect_blocker -a, you can see it:

name     : drupal/suspect_blocker
descrip. : The Suspect Blocker module is a security tool for Drupal that detects and blocks suspicious behavior, such as brute force or flood attacks, by monitoring requests resulting in errors like 403 or 404.
keywords : Drupal
versions : 1.x-dev, 1.0.x-dev, 1.0.0-alpha2, 1.0.0-alpha1, dev-1.x, dev-1.0.x
type     : drupal-module
license  : GNU General Public License v2.0 or later (GPL-2.0+) (OSI approved) https://spdx.org/licenses/GPL-2.0+.html#licenseText
homepage : https://www.drupal.org/project/suspect_blocker
source   : [git] https://git.drupalcode.org/project/suspect_blocker.git 3867ce8ee301e17b17e025a5c6c60b10ebef8677
dist     : []
names    : drupal/suspect_blocker

support
source : http://cgit.drupalcode.org/suspect_blocker
issues : https://www.drupal.org/project/issues/suspect_blocker

requires
drupal/ban *
drupal/core ^10 || ^11.1

conflicts
drupal/ban *

This basically prevents us from installing the module on D10 or D11 for that matter:

Problem 1
    - Root composer.json requires drupal/suspect_blocker 1.x-dev@dev -> satisfiable by drupal/suspect_blocker[1.x-dev (alias of dev-1.x)].
    - drupal/ban[dev-1.0.x, dev-1.1.x, 1.0.0, ..., 1.1.x-dev] require drupal/core ^11.2 || ^12 -> found drupal/core[dev-main, 11.2.0-alpha1, ..., 11.x-dev, 12.x-dev (alias of dev-main)] but the package is fixed to 10.3.14 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.
    - drupal/suspect_blocker dev-1.x requires drupal/ban * -> satisfiable by drupal/ban[dev-1.0.x, dev-1.1.x, 1.0.0, 1.0.x-dev, 1.1.x-dev].
    - drupal/suspect_blocker 1.x-dev is an alias of drupal/suspect_blocker dev-1.x and thus requires it to be installed too.

I'm not sure if this is the issue for Ban module or Packagist. The fix, suggested by @pcambra, does help out.
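
The conflict in the composer output above can be reproduced with a small pre-release check. This is an added example, not part of the original comment or of either project's code. It assumes a simplified constraint parser that only handles `*`, `^X` and `^X.Y` joined by `||`; the function names and every candidate core version other than 10.3.14 are constructed for illustration.

```python
"""Added example: check which Drupal core versions can actually install a
module once its dependencies' own drupal/core constraints are considered.
Handles only the constraint forms quoted in this thread ('*', '^X', '^X.Y',
joined by '||') and stable versions; it is not Composer's full resolver."""


def parse_version(text):
    # "11.2" -> (11, 2, 0); missing components are padded with zeros.
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version, constraint):
    v = parse_version(version)
    for term in constraint.split("||"):
        term = term.strip()
        if term == "*":
            return True
        low = parse_version(term.lstrip("^"))
        # Caret with major >= 1: anything from `low` up to the next major.
        if low <= v < (low[0] + 1, 0, 0):
            return True
    return False


def blocked_by(core_version, module_core, dep_core_constraints):
    """Return None if the module does not claim this core version, else the
    sorted list of dependencies that refuse it (empty list = installable)."""
    if not satisfies(core_version, module_core):
        return None
    return sorted(dep for dep, c in dep_core_constraints.items()
                  if not satisfies(core_version, c))


# Constraints as quoted in the composer output in this thread.
MODULE_CORE = "^10 || ^11.1"                 # drupal/suspect_blocker
DEP_CORE = {"drupal/ban": "^11.2 || ^12"}    # contrib drupal/ban
# 10.3.14 is the locked core from the error; the others are constructed.
CANDIDATES = ["10.3.14", "11.1.0", "11.2.0", "12.0.0"]


def report():
    return {core: blocked_by(core, MODULE_CORE, DEP_CORE) for core in CANDIDATES}


if __name__ == "__main__":
    for core, blockers in report().items():
        print(core, "not claimed" if blockers is None else blockers or "installable")
```

Any core version the module advertises but that comes back with a non-empty blocker list is one where the advertised support cannot resolve in practice.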

grevil’s picture

Status: Active » Closed (works as designed)

@sardis that's on https://www.drupal.org/project/suspect_blocker.

You should create a dedicated Drupal 10 release which doesn't require the ban module in the composer.json and only requires the ban (core) module in the info.yml.

Then create another D11 release, which requires ban (contrib) in the composer and info file.

"replace" won't do anything here, since ban (contrib) only supports D11.

mstrelan’s picture

I don't think #8 is accurate, there is no composer dependency on drupal/ban in the source of suspect_blocker. Most likely the composer facade is adding the dependency. I think the outcome is still the same though unfortunately.

pcambra’s picture

Status: Closed (works as designed) » Active

grevil’s picture

@mstrelan, seems I misread the composer.json, but yea same outcome. Explicit dependency on "drupal/ban" for the D11 version and explicitly removing the "replace" section and NOT requiring "drupal/ban" for the D10 version should fix the issue.

Unsure why this was reopened? Not much we can do here.

sardis’s picture

Status: Active » Closed (works as designed)

Thanks for your suggestions, guys! Will try it out and come back if they don't work.
