When we create a new project using the templates, the current required version says ^8.8 which means that it's impossible to use composer to install a particular version of core, because it will always elevate to 8.9 now that it is out.

We need some way to get an exact core version.

self.version wont work because the verison of 'create project' will be 1.0

So, either we need to generate the templates themselves to have a locked version of core-recommended in them, or we need some other mechanism.

Comments

Mixologic created an issue. See original summary.

Mixologic’s picture

Mixologic
He/Him/His
Primary language English
Location Portland, OR
commented
Issue tags: +Composer initiative
greg.1.anderson’s picture

greg.1.anderson commented

Maybe we should change the template projects themselves to contain `~8.8.0`, `~8.9.0`, etc.; that way, if someone runs `composer create-project drupal/recommended-project:~8.8.0`, then they will get the latest `8.8.x` version of drupal/recommended-project, which will also also have `drupal/core-recommended:~8.8.0` as a dependency. If on the other hand they use `^8.8` instead of `~8.8.0` with `create-project`, then they will get the latest 8.x release of drupal/recommended-project, which will be 8.9.0 (if not today, imagine some point in the future when it will), which will have `drupal/core-recommended:~8.9.0`. This would be fairly consistent with how Composer is expected to behave.

The odd part is if someone tries to run `composer create-project drupal/recommended-project:8.7.5` in an attempt to specifically pin drupal/core-recommended to a specific version, then they will still get `drupal/core-recommended:~8.8.0` in their resulting project, because that's what is in every 8.8.x version of the template.

Our other option would be to add a composer post-create-project script to fix up the composer.json of the resulting project after the fact (and then remove itself). However, I am not sure that it's easy to get the constraint the user provided on the create-project commandline at post-create-project time, and in general I am wary about doing that much work to change the basic behavior of Composer. Perhaps we should be satisfied with what we can do with standard features and document the behavior.

ultimike’s picture

ultimike
Primary language English
Location Florida, USA
commented
Status: Active » Closed (won't fix)
Issue tags: +Amsterdam2019

During the DrupalCon Amsterdam contribution sprint, it was discussed that adding a code-based solution was not advantageous for a few reasons. It would be necessary to somehow pass the core version from `composer -n create-project drupal/recommended-project:VERSION` to the require section in order to specify the exact version of drupal/core-recommended. There is no native/easy way to do this with Composer. We discussed possibly doing this via a Composer hook or via a .env file, but neither potential solution was very elegant or Composer-y. Therefore, marking this issue as "Closed (won't fix)".

The current consensus is to provide documentation for users on how to specify an exact version of Drupal core, when necessary.

For example, to use drupal/recommended-project to install the latest stable version of Drupal core, use (once Drupal 8.8 is released):

`composer -n create-project drupal/recommended-project:~8.8.0 my-project`

Similarly, if you want to install the latest dev version (once #3091581: Create generator scripts to customize drupal/recommended-project and drupal/legacy-project per minor Drupal version lands):

`composer -n create-project drupal/recommended-project:~8.8.0@dev my-project`

or

`composer -n create-project drupal/recommended-project:~8.9.0@dev my-project`

**Note to self, check #??? to see if/when a change is made to drupal/recommended project where dependency versions track with the branch.

If you would like to install a specific version of Drupal core for versions prior to 8.8.0,

`composer -n create-project drupal/recommended-project:8.7.5 --no-install my-project; cd my-project; composer require drupal/core-recommended:8.7.5 drupal/core-dev:8.7.5 --update-with-dependencies`

Once #3091579: Remove core-dev from drupal/recommended-project Composer template lands, `drupal/core-dev` doesn't need to be included.

In the future, as maintenance releases of 8.8 are released, the following would be used for a specific 8.8.x version:

`composer -n create-project drupal/recommended-project:8.8.2 --no-install my-project; cd my-project; composer require drupal/core-recommended:8.8.2 drupal/core-dev:8.8.2 drupal/core-composer-scaffold:8.8.2 --update-with-dependencies`

Mixologic’s picture

Mixologic
He/Him/His
Primary language English
Location Portland, OR
commented
Status: Closed (won't fix) » Needs work

So.. Im going to reopen this because I had some thoughts.

The reason that we cannot specify an exact version is because we have an additional layer between drupal/recommended-project and drupal/core (drupal/core-recommended).

IIRC this layer was added because the community kept having difficulty upgrading their sites when they had *both* the dev dependencies and drupal/core required, and thus needed people to know that in order to upgrade core, they had to upgrade drupal/core and webflo/drupal-core-require-dev - the goal being to simplify upgrades.

However, it has proven to not be effective in not conflicting with the require-dev in the templates, and as such we've made a separate decision to attempt to remove them in #3091579: Remove core-dev from drupal/recommended-project Composer template, and we've also renamed them to make it easier to dual upgrade core and core-dev at the same time if need be.

So, _perhaps_ the solution to allow for exact versioning is to remove the indirection entirely, and to move the require for drupal/core up to the template project (in drupal/recommended-project and drupal/legacy-project) and out of core-recommended.

The upside is that composer create-project drupal/recommended-project:8.7.5 would give us the exact right version of core specified and not whatever the newest one was.

The downside is that *major version upgrades of core*, which are by definition rare, would then need to include drupal/core-recommended, drupal/core, and drupal/core-dev (if installed).

greg.1.anderson’s picture

greg.1.anderson commented

#5 does not actually help.

... composer create-project drupal/recommended-project:8.7.5 would give us the exact right version of core specified and not whatever the newest one was.

That is not the case. When you run composer create-project drupal/recommended-project:8.7.5, you will get version 8.7.5 of the core-recommended-project. However, all versions of Drupal core-recommended contain drupal/core-recommended: ^8.8. Even if we change this to drupal/core-recommended:~8.8.0 or druapl/core:~8.8.0, the basic behavior will be the same: the version of drupal/core will float.

What we could do is put drupal/core-recommended: 8.7.5 in the 8.7.5 version of drupal/recommended-project. That would make the create-project behave exactly as expected when installing a tag. Unfortunately, it would prevent upgrades for users who were asking for drupal/core-recommended:^8.8, so that solution is no good either.

In order for things to work right for all scenarios, we need the version used on the command line to be copied into the resulting project's composer.json file. The fact that Composer does not provide a facility to do that by default is the crux of the problem.

Mixologic’s picture

Mixologic
He/Him/His
Primary language English
Location Portland, OR
commented

Ah, right, Im not sure why I thought the extra layer was causing the float. Call it jetlag.

So, the other option we could use is ship the templates with a composer.lock file that started the template at the specified version.

composer.json would have drupal/core-recommended: ^8.8
and the composer.lock file would have drupal/core-recommended: 8.8.0 for the 8.8.0 version of core/recommended-project

When we talked about making lock files for the templates, it was determined that users would *start* with a known set of deps, but would quickly end up 'out of bounds' on deps that hadnt yet been tested, so we settled on the core-recommended pinned 'direct' dependencies of core to shield end users from upstream changes.

But if we had *both* we could start end users with a specific version of drupal/core-recommended, and then composer update would still work as expected as well. composer require would still be necessary for major version upgrades however, but there's really no way around that need.

Mixologic’s picture

Mixologic
He/Him/His
Primary language English
Location Portland, OR
commented
Related issues: +#3085315: Provide instructions on how to use a dev version of drupal/core in a Composer-managed site, +#3091581: Create generator scripts to customize drupal/recommended-project and drupal/legacy-project per minor Drupal version

related grooming

greg.1.anderson’s picture

greg.1.anderson commented

Yeah, I forgot about the composer.lock angle. We should try that.

mile23’s picture

mile23
Primary language English
Location Seattle, WA
commented

The way we should tell people to get a specific version of core using templates is as follows:

$ composer create-project drupal/recommended-project myproject 8.8.*
$ cd myproject
$ composer require core/recommended 8.8.0 --update-with-all-dependencies

Here's a variation that works with current releases (we're at beta1):

$ composer create-project -s dev drupal/recommended-project myproject 8.8.*
# See:   - Installing drupal/core-recommended (8.8.0-beta1)
$ cd myproject/
$ composer require drupal/core-recommended:8.8.0-alpha1 --update-with-all-dependencies
# See:   - Downgrading drupal/core-recommended (8.8.0-beta1 => 8.8.0-alpha1)

Now the user understands how these pieces work together, and understands how they can get updates to core by either requiring the specific patch version, or changing to ~8.8.

Adding a lock file and all that other stuff only complicates matters unnecessarily.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

karimb’s picture

karimb commented

Btw, just tested composer create-project drupal/recommended-project:^8.9 myproject to download Drupal 8.9.1

It seems working like a charm so far.

greg.1.anderson’s picture

greg.1.anderson commented
Status: Needs work » Closed (duplicate)

This was fixed in the Drupal.org infrastructure subtree splitter, subtree-splitter#2.