Problem/Motivation
composer outdated -D on PHP 7.0.8 shows various PHP libraries are outdated.
Remaining tasks
Create a patch.
Review.
Commit.
Rejoice
User interface changes
None
API changes
None
Data model changes
None
Release notes snippet
The following Drupal core Composer dependencies have been updated:
- Symfony packages (from 3.4.26 to 3.4.32).
- Twig (from 1.38.4 to 1.42.3).
- Guzzle (from 1.4.2 to 1.6.1).
- Email validator (from 2.1.7 to 2.1.11).
- PSR Logging Library (from 1.0.2 to 1.1.0).
- PHP Codesniffer (from 3.4.2 to 3.5.0).
- Doctrine packages (to the latest minor versions).
- Pear packages (to the latest minor versions).
- Zend Escaper, Zend Feed, and Zend stdlib (to 2.6.1, 2.12.0, and 3.2.1, respectively).
- Composer packages (to the latest minor versions).
The following PHP5 polyfills have been removed: ircmaxell/password-compat, brumann/polyfill-unserialize, and paragonie/random_compat (technically updated to an empty version which will remain in place until Drupal 9).
Finally, ralouphie/getallheaders has been added because the latest version of Guzzle requires this dependency.
symfony/* components have been updated from 3.4.26 to 3.4.32.
symfony/polyfill* polyfills have been updated from 1.11.0 to 1.12.0.
Other updates are listed below:
+------------------------------+---------+----------+
| Production Changes | From | To |
+------------------------------+---------+----------+
| brumann/polyfill-unserialize | v1.0.3 | REMOVED |
| composer/installers | v1.6.0 | v1.7.0 |
| doctrine/annotations | v1.2.7 | v1.4.0 |
| doctrine/collections | v1.3.0 | v1.4.0 |
| doctrine/common | v2.6.2 | v2.7.3 |
| doctrine/inflector | v1.1.0 | v1.2.0 |
| doctrine/lexer | v1.0.1 | 1.0.2 |
| egulias/email-validator | 2.1.7 | 2.1.11 |
| guzzlehttp/psr7 | 1.4.2 | 1.6.1 |
| paragonie/random_compat | v2.0.18 | v9.99.99 |
| pear/archive_tar | 1.4.6 | 1.4.7 |
| pear/console_getopt | v1.4.1 | v1.4.2 |
| pear/pear-core-minimal | v1.10.7 | v1.10.9 |
| psr/log | 1.0.2 | 1.1.0 |
| twig/twig | v1.38.4 | v1.42.3 |
| typo3/phar-stream-wrapper | 2.1.2 | 3.1.2 |
| zendframework/zend-diactoros | 1.4.1 | 1.7.2 |
| zendframework/zend-escaper | 2.5.2 | 2.6.1 |
| zendframework/zend-feed | 2.7.0 | 2.12.0 |
| zendframework/zend-stdlib | 3.0.1 | 3.2.1 |
| ralouphie/getallheaders | NEW | 3.0.3 |
+------------------------------+---------+----------+
+-----------------------------------+---------+---------+
| Dev Changes | From | To |
+-----------------------------------+---------+---------+
| composer/ca-bundle | 1.1.4 | 1.2.4 |
| composer/composer | 1.8.5 | 1.9.0 |
| composer/spdx-licenses | 1.5.1 | 1.5.2 |
| instaclick/php-webdriver | 1.4.5 | 1.4.6 |
| ircmaxell/password-compat | v1.0.4 | REMOVED |
| mikey179/vfsstream | v1.6.5 | v1.6.7 |
| phpdocumentor/reflection-docblock | 2.0.4 | 4.3.2 |
| phpspec/prophecy | v1.7.0 | 1.9.0 |
| sebastian/exporter | 3.1.0 | 3.1.2 |
| squizlabs/php_codesniffer | 3.4.2 | 3.5.0 |
| symfony/css-selector | v3.4.26 | v3.4.32 |
| symfony/dom-crawler | v3.4.26 | v3.4.32 |
| symfony/filesystem | v3.4.31 | v3.4.32 |
| symfony/finder | v3.4.31 | v3.4.32 |
| symfony/lock | v3.4.31 | v3.4.32 |
| symfony/phpunit-bridge | v3.4.26 | v3.4.32 |
| theseer/tokenizer | 1.1.2 | 1.1.3 |
| phpdocumentor/reflection-common | NEW | 1.0.1 |
| phpdocumentor/type-resolver | NEW | 0.5.1 |
| webmozart/assert | NEW | 1.5.0 |
+-----------------------------------+---------+---------+
Comment | File | Size | Author |
---|---|---|---|
#52 | 3039611-3-52.patch | 105.69 KB | alexpott |
#52 | 48-52-interdiff.txt | 4.87 KB | alexpott |
#48 | 3039611-48.patch | 110.25 KB | alexpott |
#47 | drupal-3039611-47.patch | 49.16 KB | kostyashupenko |
#45 | drupal-3039611-45.patch | 49.25 KB | jibran |
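
The points reviewers raise in the comments below (a major-version jump in #42, a package from a new provider in #48) can be checked mechanically from two composer.lock files. This is an added example, not code from the issue or from composer-lock-diff; `lock`, `major`, `review_lock_diff`, the flag names and the sample lock fragments (constructed from a few rows of the tables above) are assumptions for illustration.

```python
import re

def lock(prod, dev):
    """Build a minimal composer.lock-shaped dict from {name: version} maps."""
    rows = lambda d: [{"name": n, "version": v} for n, v in d.items()]
    return {"packages": rows(prod), "packages-dev": rows(dev)}

# Constructed sample input: a few rows of the From/To tables on this page.
OLD_LOCK = lock(
    {"brumann/polyfill-unserialize": "v1.0.3", "doctrine/lexer": "v1.0.1",
     "paragonie/random_compat": "v2.0.18", "typo3/phar-stream-wrapper": "2.1.2"},
    {"phpdocumentor/reflection-docblock": "2.0.4"})
NEW_LOCK = lock(
    {"doctrine/lexer": "1.0.2", "paragonie/random_compat": "v9.99.99",
     "ralouphie/getallheaders": "3.0.3", "typo3/phar-stream-wrapper": "3.1.2"},
    {"phpdocumentor/reflection-docblock": "4.3.2",
     "phpdocumentor/reflection-common": "1.0.1", "webmozart/assert": "1.5.0"})

def major(version):
    """Leading numeric component, or None for refs such as dev-master."""
    m = re.match(r"v?(\d+)\.", version)
    return int(m.group(1)) if m else None

def review_lock_diff(old, new, section="packages"):
    """Return {package: (from, to, flag)} for one section of composer.lock."""
    before = {p["name"]: p["version"] for p in old.get(section, [])}
    after = {p["name"]: p["version"] for p in new.get(section, [])}
    # Vendors already present anywhere in the old lock file (prod or dev).
    known_vendors = {p["name"].split("/")[0]
                     for s in ("packages", "packages-dev") for p in old.get(s, [])}
    report = {}
    for name in sorted(before.keys() | after.keys()):
        frm, to = before.get(name), after.get(name)
        if frm == to:
            continue
        if to is None:
            flag = "REMOVED"
        elif frm is None:  # new package: is its vendor new to the project too?
            flag = "NEW" if name.split("/")[0] in known_vendors else "NEW-VENDOR"
        elif major(frm) != major(to):
            flag = "MAJOR"  # possible BC break, needs a changelog read
        else:
            flag = "minor/patch"
        report[name] = (frm, to, flag)
    return report

if __name__ == "__main__":
    for sec in ("packages", "packages-dev"):
        print(sec, review_lock_diff(OLD_LOCK, NEW_LOCK, sec))
```

On real lock files, load each with `json.load` and pass the resulting dicts in place of the sample fragments.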
Comments
Comment #1
jibran
jibran created an issue. See original summary.
Comment #2
jibran
Updated everything other than masterminds/html5.
Comment #3
jibran
Comment #5
alexpott
I think we should have an issue to update 8.7.x first. A number of these updates should be in 8.7.0
Comment #6
alexpott
@jibran++ just saw - #3032693: Update core PHP dependencies before 8.7.0
Comment #7
jibran
Removed twig as it is getting updated in #3039408: Updating twig/twig to v1.38.0 or v1.38.1 causes fatal error
Comment #9
cilefen, as a volunteer
Let's be specific.
Comment #10
pandaski, at govCMS (Australian Government Department of Finance)
#7 is having an error
Already fixed in Issue #3039408
Commit:
82fed91529e39c376deb67af2a33202934dd0e6c [82fed91529]
Comment #11
jibran
Remaining
Comment #12
bojanz, at Centarro
Can we remove paragonie/random_compat completely? It's now a no-op.
Comment #13
jibran
I removed it from core/composer.json but
and
Comment #14
jibran
Comment #16
jibran
twig update strikes again.
Comment #17
jibran
Created #3040037: Update masterminds/html5 to 2.7.5 for updating masterminds/html5
Comment #18
jibran
Repurposed #3032695: Manually test Drupal 8 with Twig 2 for twig update.
Comment #20
jibran
Twig issue is now #3041076: Update Drupal 9 to Twig 2
Comment #21
alexpott
Let's postpone this on #3032693: Update core PHP dependencies before 8.7.0 as we need to do that first.
Comment #22
jibran
Comment #23
jibran
Blocker is in so rerolling.
Comment #24
jibran
Comment #25
alexpott
The release managers have requested that PHP 5 testing should only be dropped from 8.8.x once 8.7.0 is out.
Comment #27
jibran
The last fail is on /router_test/test23:
We have two choices:
symfony/psr-http-message-bridge to 1.2.0 which requires PHP 7.1.
Given that 1 is not a possibility at this time I'd say we should wait for 2 and meanwhile we can stick with zendframework/zend-diactoros:1.4.1 and create a followup to update zendframework/zend-diactoros:1.8.6.
Comment #28
jibran
We can update it to 1.7.2
Comment #29
jibran
Correct interdiff.
Comment #30
Mile23
In an ideal world, we'd know that both Gettext and Utility require PHP 7, and so therefore it's fair to require external users to update to PHP 7 to use our libraries if they want 8.8.x goodness.
Of course it seems unlikely that anyone is using these libraries other than us, because collectively we are apathetic to their actual requirements. My guess is that they do not actually require PHP 7, unless someone rewrote them in the past few weeks.
Until someone can prove to me that these component requirements are real and not a guess, I will mark patches as NW. Limit the scope here to drupal/core and this limitation is magically lifted. You can start by looking at #2876669: Fix dependency version requirement declarations in components and figuring out how to turn that into a drupalci.yml-based test.
Comment #31
jibran
#3045483: Incompatibility between zend-diactoros and psr-http-message-bridge versions: require symfony/psr-http-message-bridge >=1.1.2 to address #27.
RE: #30
Yes, your observation is correct but 8.8.x will require PHP7 so if you want to use 8.8.x goodness provided by the components you should use PHP7 as well. This is as simple as that imo. I'll let the framework manager chip in here.
Comment #32
jibran
Actually, it is release manager thing so going to add a tag. Can you please share your opinion on #30?
Comment #33
Mile23
Which specific parts of, for instance, drupal/core-utility 8.8.x goodness requires PHP 7 and not PHP 5?
Here is a repo which tests all components in isolation on travis-ci: https://github.com/paul-m/drupal_component_tester
I just updated it to use the 8.8.x branch. It uses the patch from #2876669-55: Fix dependency version requirement declarations in components
I predict the PHP 5 run for drupal/core-utilities will pass. Let's find out together: https://travis-ci.org/paul-m/drupal_component_tester
Update: It didn't get that far. drupal/core-bridge looks like it has some dependency issues to contend with first.
Update II: Now passing after accounting for a mistake in #2755401: Upgrade EmailValidator to 2.x https://travis-ci.org/paul-m/drupal_component_tester/jobs/516386787#L3079
I suggest this issue keep to the scope of drupal/core, and then follow-up with #2876669: Fix dependency version requirement declarations in components so that our components are honest about their requirements.
Comment #34
Mile23
Here's drupal/core-annotation from 8.8.x passing tests in PHP 5.6: https://travis-ci.org/paul-m/drupal_component_tester/jobs/516363606#L650
Components are different projects. They're not core.
Comment #35
jibran
I'd disagree with this statement.
Comment #36
jibran
Reroll
Comment #37
jibran
Is it the right way to pin the max version? This can be updated in #3045483: Incompatibility between zend-diactoros and psr-http-message-bridge versions: require symfony/psr-http-message-bridge >=1.1.2.
Comment #38
Mile23
Still contains arbitrary changes to component constraints when those changes should be handled in #2876669: Fix dependency version requirement declarations in components
Comment #39
jibran
Components are also being updated in #3053363: Remove support for PHP 5 in Drupal 8.8.
Comment #40
jibran
Platform requirement has been changed in #3053363: Remove support for PHP 5 in Drupal 8.8 so no need for RM review.
Comment #41
jibran
Comment #42
xjm
This is a major version update; what's the scoop on BC breaks? Is the old major version still supported? This also might be a good time to fill out https://www.drupal.org/core/dependencies#phar if they're on their third major version within a year.
Also release note is definitely not "N/A"; we list this information for people because it might break things if they're implementing or extending a dependency directly. :)
Comment #43
alexpott
Nice catch on the phar-stream-wrapper - as this is about a registered stream wrapper there isn't really an API that we're using as such. However...
we're affected by the use of scalar typehints.
In an ideal world we wouldn't be overriding PharExtensionInterceptor but we have to to not break drush when drush is run via a phar (not the recommended way anymore). The only reason phar-stream-wrapper v2 exists is to support PHP5. v3 was the original implementation that was PHP7 only.
I think the best path here is to leave phar-stream-wrapper on v2 and handle it in its own issue. The fact that we have to change code makes that the best path.
Comment #44
alexpott
Note I think we should commit #3058116: Remove paragonie/random_compat as a top-level dependency from 8.8.x before this one as handling removals on themselves seems a good idea too.
Comment #45
jibran
Addressed #43 and #44.
Comment #46
jibran
Comment #47
kostyashupenko
Comment #48
alexpott
Here's a reroll - plus I removed the removal of the iconv polyfill - it's perfectly possible something in contrib is relying on this. Somehow ircmaxell/password-compat has got back in. That's wrong it is totally not required in PHP 7.
With the patch applied...
Note this is adding a package from a new provider... guzzlehttp/psr7 1.6.1 requires ralouphie/getallheaders (^2.0.5 || ^3.0.0) hmmm....
Mind you anyone who runs composer update on their site gets this...
/me is so bored of maintaining the composer.lock file.
Comment #49
alexpott
The other new installs in #48 are due to phpspec/prophecy...
Comment #50
jibran
composer outdated -D shows
behat/mink-selenium2-driver dev-master 8684ee4 dev-master 3ab9f31 Selenium2 (WebDriver) driver for Mink framework
can be updated.
Comment #51
jibran
As per https://github.com/minkphp/MinkSelenium2Driver/compare/8684ee4...3ab9f31 they moved from 1.3.x-dev to 1.4.x-dev so yeah it is correctly ignored.
We need to downgrade masterminds/html5 though as per #3040037: Update masterminds/html5 to 2.7.5.
Comment #52
alexpott
So the attached patch results in doing the following to a site with #48 applied
I reckon we shouldn't update jcalderonzumba as well because that's all PhantomJS stuff that's deprecated and fragile. Thanks for the thorough review @jibran.
Applying this patch on 8.8.x HEAD and running composer install...
Comment #53
jibran
This looks good now. Thanks for addressing the feedback.
Comment #54
alexpott
@jibran how did you generate those reports - they look great!
Comment #56
catch
Committed fd8dbd5 and pushed to 8.8.x. Thanks!
Comment #57
jibran
@alexpott https://packagist.org/packages/davidrjonas/composer-lock-diff
Comment #58
xjm
Our dependency updates should always go in the release notes, so let's remember to tag such issues in the future.
The release note isn't really legible as it is -- we don't need to list every Symfony component, for example; we should just have one bullet in a bulleted list that says "Symfony updated from 3.4.26 to 3.4.32". And etc.
Also, unrelatedly, I'm not sure the Diactoros update in this issue is the one we want. Shouldn't we be using the LTS version now that we can? Which AFAIK is 1.7. 1.8 already is out of security support. See: https://framework.zend.com/long-term-support
Comment #59
xjm
I filed #3087531: Use Diactoros LTS version 1.7, not 1.8 which is out of security coverage for the second point. If someone could reformat the release note though that's still needed for the alpha though. :)
Comment #60
xjm
Also, what issue added getallheaders? That deserves a separate mention. Unless a dependency added it as a new requirement?
Comment #61
jibran
guzzlehttp/psr7 added ralouphie/getallheaders package.
I updated the release note. Please have a look.
Comment #62
jibran
Should we just list the direct dependencies in release notes?
Comment #63
alexpott
#3087531: Use Diactoros LTS version 1.7, not 1.8 which is out of security coverage landed so the release note here might need an update.
Comment #64
catch
Updated the diactoros version in the release notes snippet, and summarised the symfony updates instead of listing them all.
Moving back to fixed.
Comment #65
alexpott
Updated the release note for #3087997: Update typo3/phar-stream-wrapper to PHP7 only version
Comment #66
alexpott
Comment #67
alexpott
Comment #68
xjm
Refining the release note.
Comment #69
xjm
"The latest minor versions" is not true for Zend libraries because of the Diactoros LTS. That has its own release note, so changing it to list the other three packages.
Also adding an "additionally" for ralouphie/getallheaders. (I didn't list the new dev dependencies because it'd be mostly noise.)
Comment #71
xjm
Clarifying what's up with the Paragonie library and crediting @larowlan for helping me figure that out.
Comment #72
xjm
Comment #73
xjm
Comment #74
mondrake
I think this needs a follow up, to update composer.json and core/composer.json constraints for two packages:
mikey179/vfsstream: ^1.6.7
egulias/email-validator: ^2.1.11
These are the minimum PHP 7.4 supported versions, and if later we want to run MIN testing on PHP 7.4, with the current constraints composer will load an incompatible version.
Comment #75
alexpott
@mondrake - let's handle that in another issue thanks!
Comment #76
mondrake
Filed #3088442: Update composer constraints for mikey179/vfsstream and egulias/email-validator.