Problem/Motivation
In our composer we use ~
often. In the composer doc is says that the caret:
is the recommended operator for maximum interoperability when writing library code.
Furthermore when there is a patch release for a dependency which we'd like to help ensure users using composer to manage their project's dependencies get this will help them. See #2768953: Prevent insecure Guzzle from being installed when using composer to manager your project dependencies.
Proposed resolution
Change composer dependency versions to ^1.2.3 style using the caret. This would also allow for users managing their own dependencies to update to later minor versions when needed (outside of core releases).
Remaining tasks
- Decide if we want to adopt ^1.2.3 style versioning
- Patch composer.json to adjust
User interface changes
n/a
API changes
n/a
Data model changes
n/a
Comment | File | Size | Author |
---|---|---|---|
#21 | 2769841-21.patch | 12.27 KB | alexpott |
#21 | 19-21-interdiff.txt | 856 bytes | alexpott |
#19 | 13-19-interdiff.txt | 8.37 KB | alexpott |
#19 | 2769841-19.patch | 12.27 KB | alexpott |
#13 | interdiff_8-13.txt | 433 bytes | edgewl2 |
Comments
Comment #2
dawehnerDo we potential have to adapt our component composer.json files as well?
Comment #3
alexpottWhy not? Let's review the lot.
Comment #6
geerlingguy CreditAttribution: geerlingguy at Acquia commentedIs this not yet decided? I'm in the 'yes' vote camp... it seems like a lot of Drupal/Composer solutions are already defaulting to that style now.
Comment #7
heddn+1
Is the next step to roll a patch? Tagging novice for that. Let's see what happens when we change to a carrot.
Comment #8
edgewl2 CreditAttribution: edgewl2 commentedCan you check this out? It really can be helpful.
Comment #10
heddnAfter updating to tilde, we need to run
composer update nothing
, or something like that to update the lock file.Comment #11
edgewl2 CreditAttribution: edgewl2 commentedI think this patch has what it takes
Comment #12
edgewl2 CreditAttribution: edgewl2 commentedComment #13
edgewl2 CreditAttribution: edgewl2 commentedCan you check this out?
Comment #14
AjitSComment #15
heddnThis does what is outlined in the IS, by switching to carat (^). Tests are passing. Looks good to me. I also did a quick check, we've got all the composer.json files updated.
Comment #16
Wim Leershttps://en.wikipedia.org/wiki/Carat_(mass) vs https://en.wikipedia.org/wiki/Caret :) Sorry.
Comment #17
alexpottI think this worth adding something to \Drupal\Tests\ComposerIntegrationTest to ensure the tilde does not make a return. It'd be simple to have a patch revert on of these changes and I think ensuring the caret is worth it.
Comment #18
heddnRemoving the Novice tag as adding a test is less easy for a newcomer.
Comment #19
alexpottTesting all the composer.json we have.
Comment #20
heddnI obviously missed a few composer.json files. Good thing for automated testing. But it seems we've caught all the changes now and we have tests.
Comment #21
alexpottRerolled on top of #2876408: Update wikimedia/composer-merge-plugin to ~1.4 in composer.json to match composer.lock
Comment #23
heddnSeems like a random test failure. Back to RTBC.
Comment #25
heddnUnrelated test failure:
Comment #26
catchCommitted/pushed to 8.4.x, thanks!
Comment #28
cilefen CreditAttribution: cilefen commentedComment #29
cilefen CreditAttribution: cilefen commentedThe trouble is that this is letting installs go to Symfony 3.3, which doesn't actually work yet.
Comment #30
cilefen CreditAttribution: cilefen commentedWhat I wrote in #29 is not true and sorry for blaming this issue. "~3.2" is equivalent to "^3.2" in terms of minor version updates. The only way to prevent Symfony minor updates is "~3.2.8". I changed the nature of #2887000: composer.json does not constrain Symfony components to minor and patch versions that are compatible with Drupal accordingly.
Comment #32
cilefen CreditAttribution: cilefen commentedThis issue prevents the use of tildes in composer.json but I feel that is what is really needed for the Symfony components.
Comment #33
cilefen CreditAttribution: cilefen commentedComment #34
cilefen CreditAttribution: cilefen commentedIt wonder if we could test somehow (nightly?) that a
composer update
produces a functioning install.Comment #35
Eric_A CreditAttribution: Eric_A commentedI don't understand what the special symfony cases have to do with the conversion from tilde to caret. The revert to tilde doesn't fix the symfony cases, because we then still have to change the declared version to prevent updates to 3.3.
Shouldn't we just handle the symfony constraints as the exception that they are? Don't we still just want to generally use the recommended operator?
EDIT: you said so much in #2769841-30: Prefer caret over tilde in composer.json but why not recommit or re-RTBC then?
Comment #36
cilefen CreditAttribution: cilefen commentedBecause this patch contains a test preventing tildes.
Comment #37
cilefen CreditAttribution: cilefen commentedOh, are you suggesting modifying the operator constraint in the other issue? Sorry if I misread.
Comment #38
cilefen CreditAttribution: cilefen commentedI am convinced by that argument. Let's get this re-tested and if #2887000: composer.json does not constrain Symfony components to minor and patch versions that are compatible with Drupal ever happens it will have deal with the exception.
Comment #40
cilefen CreditAttribution: cilefen commentedOk, back in it goes! That's a good point in #35. Committed e204c22 and pushed to 8.4.x. Thanks, and sorry for the back-and-forth!
Comment #41
cilefen CreditAttribution: cilefen commentedComment #42
Mile23The composer.json files are a list of dependencies. Version specifications are not optional in may cases.
The changes in this issue result in this outcome:
That is to say: The tildes are there for a reason.
Currently, we don't have a test for this, but we should.
Comment #43
cilefen CreditAttribution: cilefen commentedI think the issue you are referencing is #2887000: composer.json does not constrain Symfony components to minor and patch versions that are compatible with Drupal. The change introduced in this issue does not cause #42. I know because if you revert this, #42 still happens.
Comment #44
Mile23Cool thanks.