[policy, no patch] Add a more integrated process for adding rector rules for deprecations

The only concern/problem I would have with the Rector rules going into Drupal core, is that Drupal doesn't define much in its Composer autoload definition. We'd need to decide on the namespace.

If it's Drupal\Core\Rector we're fine.

Maybe it's be \Drupal\Component\Recotr and still fine.

I think having the rules in core is a good idea.

We'd need to namespace them (or otherwise) by version so that we can easily remove ones from previous releases.

At least initially, but maybe permanently, I think they should be follow-ups rather than block commits. Sometimes introducing a deprecation is the point of an issue (like refactoring a procedural function to a class), but often it's not - critical bug fixes and all kinds of other issues have to introduce deprecations too, and getting those issues fixed should take precedence over automating things for contrib developers.

We also currently do a lot of best-effort deprecations like constructor parameters which we don't actually offer bc for, just to avoid breaking contrib in minor releases, and don't require deprecation testing for those, so I think those also shouldn't be rector rules at all.

Also in general wondering if there's a way to prioritise writing rules by contrib usage - sometimes we deprecate stuff that's used by literally one contrib module and it'd be quicker to directly write the patch than write the rector rule to generate an automated patch for it.

Do think it would be a good idea to start this while it's still possible to individually open issues for 10.1.x deprecations and keep up with it from there, even if it's just opening the core issues.

I think it's a good idea to have the issues and create a policy that requires the creation of a related issues regarding a fix thorugh rector. I agree though that this would not be needed for every single deprecation. Although that might be something to be discussing in that issue to keep the process simple.

With the introduction of gitlab we should be able to find out if there are many uses of deprecated api's in some cases, but not in all since the pattern is sometimes way to complicated to search in gitlabs search.

In relation to this, @mglaman mentioned that drupal-rector is relatively unstable because it is not part of the testing suite of rector whereas other frameworks are. This might be something to investigate, although kinda out of scope of this issue.

There has also been some discussion around this in slack. Pasting for proteriety sake. (sorry for the wall of text)

Gábor Hojtsy (he/him)
  21 hours ago
:two: Based on the current contrib readiness process, what could we improve for the future Drupal 11 transition of contrib modules?


Gábor Hojtsy (he/him)
  21 hours ago
@mglaman
 raised this earlier, I slightly rephrased it


Björn Brala (bbrala)
  21 hours ago
No link to the other thread? :slightly_smiling_face:





Björn Brala (bbrala)
  21 hours ago
Might be on purpose? (edited) 


mglaman
  21 hours ago
Run the update bot more often. Long living issues are kind of annoying. Maybe when we’re more GitLab it can just deliver MRs like dependabot/rennovatebot
:this:
2



Gábor Hojtsy (he/him)
  21 hours ago
Nah, prior thread was https://drupal.slack.com/archives/C014CT1CN1M/p1660836410738219


mglaman
:reminder_ribbon: for the next meeting, we should discuss a policy change for DrupalCI to always fail on detected deprecations in contrib instead of making it an opt-in process. I feel like we would have less technical debt for major version upgrades.
Thread in d10readiness | Aug 18th | View message


mglaman
  21 hours ago
Rector rules need to support backward compatibility shims. If a deprecation comes out in 9.3 folks are realistically still on 9.1 for 30 days+ from 9.3 release


Gábor Hojtsy (he/him)
  21 hours ago
@mglaman
 yeah it will be forced to produce MRs


mglaman
  21 hours ago
Change records need corresponding phpstan-drupal and drupal-rector issues. Core periodically commits code with only runtime deprecation detection. Or something can only be runtime and phpstan-drupal needs custom code.
:+1:
1



mglaman
  21 hours ago
drupal-rector is currently reactionary in fixes to Drupal core. No idea how we scale that project unless someone magically got paid fulltime to work on it


Björn Brala (bbrala)
  21 hours ago
 Run the update bot more often. Long living issues are kind of annoying. Maybe when we’re more GitLab it can just deliver MRs like dependabot/rennovatebot
This is how I envision this working tbh. But that means it would run on a project basis which does mean WAAAAY more net resources are needed. i think.


mglaman
  21 hours ago
That’s the hard part. More resources.


Björn Brala (bbrala)
  21 hours ago
Well, compute resources i mean in that comment.


mglaman
  21 hours ago
And we need contrib to have weekly (or I still think on regular flow) fails for calling deprecated code


Björn Brala (bbrala)
  21 hours ago
Well thats what the bot is doing right now.


Björn Brala (bbrala)
  21 hours ago
And it should just not stop


mglaman
  21 hours ago
Everything about major version upgrades happens too late. The feedback cycle is too long from Core -> Contrib consumptions


Björn Brala (bbrala)
  21 hours ago
But we do need a way around the 
@tedbow
 factor if we want to post patches more regurarly and throughout the lifecylce.


tedbow
  21 hours ago
yep. I don't want to people the bottle neck but it is also not my main thing I am working on these days (edited) 


Björn Brala (bbrala)
  21 hours ago
Everything about major version upgrades happens too late. The feedback cycle is too long from Core -> Contrib consumptions
I agree, but this is also human in some ways. People wait to get up and work until things are getting close. But this is way to late i agree.


Björn Brala (bbrala)
  21 hours ago
 I don't want to people the bottle neck
Is that a saying? I don't understand.


mglaman
  21 hours ago
And then the pressure falls on the tooling maintainers


tedbow
  21 hours ago
bottleneck 1 work I guess


mglaman
  21 hours ago
I guess the problem is: At DrupalCon folks were promised an easy and automated upgrade process. This promise is a huge one and we need to manage the next time around better.
This has gone better than 8->9. But that doesn’t mean it’s great


Björn Brala (bbrala)
  21 hours ago
Some steps that sound like at least an improvent (ignoring people resources right now)
Keep run deprecation stuff always.
We need to remove as much human factor here as possible imo so automating posting/mr's/status dashboard is kinda essential (dependabot kind of thing might be great).
This means as you said 
@mglaman
 all deprecations need to have a correcponding rector/phpstan issue. Perhaps even mentioned in the CR so we can actually manage those better.
We need to get more people involved if possible. Dunno how though.


Björn Brala (bbrala)
  21 hours ago
I know the people in infra said because of the risks of posting to issues and such they want you to do it 
@tedbow
, but it feels like that is not really a sustainable model.


tedbow
  20 hours ago
but for now I will run the bot again. I can confinetly run the bot with out thinking about if the people can let me know if there any changes to infrastruture  would affec the templates


tedbow
  20 hours ago
I going to run now assuming there is not


Björn Brala (bbrala)
  20 hours ago
Its rare


Björn Brala (bbrala)
  20 hours ago
and if there are changes, i will make sure to notify you


Björn Brala (bbrala)
  20 hours ago
@Gábor Hojtsy (he/him)
 would probably be a good backup to not forget that :stuck_out_tongue_winking_eye:


mglaman
  20 hours ago
@xjm
 has been a proponent (if memory serves me right) for getting CRs to have some reference to phpstan-drupal and drupal-rector. But the question is how do we make that move forward. Is it a infra job to add new fields to CR? Process for “who validates this CR needs an issue for either?” Or just make issues and let those maintainers decide the validity (punting from core devs to tooling)


tedbow
  20 hours ago
I also don't feel I want to be the one responsible for deciding who can run the bot. So I just haven't set up anybody else. that would involve giving others the bot user account password etc.


Björn Brala (bbrala)
  20 hours ago
Since CR's are mostly checked by core maintainers and committers a process adjustment would probably suffice.


tedbow
  20 hours ago
posting issues https://www.drupal.org/project/issues/search?projects=&project_issue_followers=&issue_tags_op=%3D&issue_tags=ProjectUpdateBotD10


mglaman
  20 hours ago
A good question is the cadence for running. There doesn’t seem to be a point unless drupal-rector has a release (which it did, and fixes public static $modules)


Björn Brala (bbrala)
  20 hours ago
 I also don't feel I want to be the one responsible for deciding who can run the bot. So I just haven't set up anybody else. that would involve giving others the bot user account password etc.
I say that, because i thought it was mentioned that for safety reasons they want to make sure not to many do these kind of things. I think i did see something in gitlab that allows for some sort of private jobs. Which could be a way to automate your script withotu exposing this information


Björn Brala (bbrala)
  20 hours ago
I dont agree that only a release is a moment to run. Modules change also, fix things and such.


mglaman
  20 hours ago
Private job with GitLab CI secrets, specific folks can “push tha button”


tedbow
  20 hours ago
that would be great


Björn Brala (bbrala)
  20 hours ago
Exactly.


mglaman
  20 hours ago
@Björn Brala (bbrala)
 I mean we need “gates” to determine if the bot should push patches:
New drupal-rector release
New Drupal core minor (? patches shouldn’t have deprecations)


mglaman
  20 hours ago
There are only certain times when a module would get new changes in a patch (if it kept merging fixes). And I think those are the two


Björn Brala (bbrala)
  20 hours ago
Wouldn't you run against x.minor-dev? Therefor there is always possibility for new deprecations?


Gábor Hojtsy (he/him)
  20 hours ago
@tedbow
 hm, which resultset are you using to post now?


tedbow
  20 hours ago
resultset ?


tedbow
  20 hours ago
oh


Björn Brala (bbrala)
  20 hours ago
latest, which has been generated today xD


mglaman
  20 hours ago
In the original thread, it seems like chasing -dev would be too much. But delivering fixes whenever a new minor releases is more achievable


Björn Brala (bbrala)
  20 hours ago
Yeah this is true, its a lot less noise then. And less resources.


Björn Brala (bbrala)
  20 hours ago
But also a time CI is probably quite busy when thousands of issues are retargetted.


tedbow
  20 hours ago
@Gábor Hojtsy (he/him)
 https://dispatcher.drupalci.org/job/project_analysis_d10/lastBuild/artifact/*zip*/archive.zip


Gábor Hojtsy (he/him)
  20 hours ago
Ah I did not realise there was also a new one on infra, yay


Björn Brala (bbrala)
  20 hours ago
yeah, they restarted it today


tedbow
  20 hours ago
yeah by default it doesn't use build number. just lastBuild`


Björn Brala (bbrala)
  20 hours ago
Tbh those gates sound like a plan 
@mglaman


mglaman
  20 hours ago
The next question is: where does this get documented and proposed


Björn Brala (bbrala)
  20 hours ago
yeah was just gonna say, but wanted to remove part of the chaos of this thread first lol.


xjm
  20 hours ago
I believe there may already be an open core policy issue


Björn Brala (bbrala)
  20 hours ago
Would that be in the idea's queue? I'm always a little confused on these parts.


xjm
  20 hours ago
No it's core policy, so the core queue (edited) 


Björn Brala (bbrala)
  20 hours ago
Ah yeah
image.png 
image.png


Added to your saved items


Björn Brala (bbrala)
  20 hours ago
https://www.drupal.org/project/drupal/issues/3228433

Drupal.org
[policy, no patch] Add a more integrated process for adding rector rules for deprecations
Problem/Motivation The new major release process relies heavily on automated tools to help people upgrade their code for the next major version, and several of these tools depend on drupal-rector. Rather than deferring the step of creating rector rules for deprecations until the major branch is actually open, it might be better to integrate their creation into the core development process. Proposed resolution Make the creation of a rector rule either a blocker for, or a followup to, each core issue.
Aug 17th, 2021


Björn Brala (bbrala)
  20 hours ago
Would that suffice? Only mentions drupal-rector though


mglaman
  20 hours ago
need to read in a moment


mglaman
  20 hours ago
oh :sweat_smile: apparently I have read it. I guess that suffices.


Björn Brala (bbrala)
  20 hours ago
:stuck_out_tongue:
Added to your saved items


Björn Brala (bbrala)
  20 hours ago
So perhaps we can try and cook up how we see this. It seems like the committer team is pretty much on board. And this could also help hopefully getting more people into creating those rules if ts part of the defined process.


catch
  13 hours ago
I think rector rules in core is a good idea.
Making them required as part of the initial patch I am less sure about because we also do a lot of bc layers for things we don't technically have to (like constructor params), but if they were just visible follow-ups from issues I reckon that'd help to track everything and get more people writing them to start with.


shelane
  11 hours ago
So, related to what could be better: I found a roadblock when trying to test a rector posted patch on one of my contrib modules. I wanted to test it live against the current D10 alpha. So, I thought I'd turn to simplytest.me but there is still a composer bug on their end that is preventing builds. So, how do we make sure that we have ready test environments in the future?


mglaman
  2 hours ago
Rector in core: nightmare, if you think PHPStan dependency bumps are horrible. But I’m jaded


mglaman
  2 hours ago
Test environments: locally always exists


xjm
  2 hours ago
Well automated test environments are good because they take the burden off individuals and make things everyone's problem (in a good OSS kinda way)


mglaman
  2 hours ago
Agreed, but STM has a lack of contributors. I’ve lost my spare time to help on that


mglaman
  2 hours ago
I think the whole GitPod + DDEV or whatever could be an equal replacement, which folks have been documenting.


xjm
  2 hours ago
Oh we are talking simplytest? I thought we meant for Rector support, having test jobs as an alternative to putting it on core


Gábor Hojtsy (he/him)
  2 hours ago
Certainly has more momentum and allows actual development as well on top of trying out things. Woul be heavy handed for "simply testing" things.


mglaman
  2 hours ago
ohhh sorry, I read wrong 
@xjm


xjm
  1 hour ago
Might've been me that read wrong :slightly_smiling_face:


Björn Brala (bbrala)
  1 hour ago
The point would be rector rules as part of deprecations. Although committing those into core might be a bit of a hassle regarding tests and such... Not sure if i would prefer them in core versus having them in perhaps drupal-rector or something.


Björn Brala (bbrala)
  1 hour ago
I don't think we would require rector in core. From what i've seen regarding stability between releases that is a very very very tricky proposition as 
@mglaman
 already mentioned.


Björn Brala (bbrala)
  1 hour ago
They liberaly use the fact it is still a 0.x release and anything can break.


mglaman
  1 hour ago
Yeah, it's burned some sanity handling shifting changes in the API. But that's because all other plugins are in their namespace and part of their testing flow. The drupal-rector project wasn't moved there for some reason (they asked, it wasn't, don't remember why)


Björn Brala (bbrala)
  1 hour ago
Hmm


Björn Brala (bbrala)
  1 hour ago
"We" contribute quite a lot there, shouldn't out set be tested also?


Björn Brala (bbrala)
  1 hour ago
Ok, im not sure if i want to go into that rabithole actually ;x

The "prior thread" mentioned in above conversation

mglaman
 Aug 18th at 5:26 PM
:reminder_ribbon: for the next meeting, we should discuss a policy change for DrupalCI to always fail on detected deprecations in contrib instead of making it an opt-in process. I feel like we would have less technical debt for major version upgrades.




46 replies


Gábor Hojtsy (he/him)
  5 days ago
Added to https://www.drupal.org/project/drupal/issues/3304372
Drupal.org
Drupal 10 readiness meeting / 22 August 2022
Meeting will happen in #d10readiness on drupal.slack.com. Hello and welcome to this Drupal 10 readiness meeting! This meeting: ➤ Is for core and contributed project developers as well as people who have integrations and services related to core. Site developers who want to stay in the know to keep up-to-date for the easiest Drupal 10 upgrade of their sites are also welcome. ➤ Now happens every Monday at 18:00 UTC. ➤ Is done over chat. ➤ Happens in threads, which you can follow to be notified of new replies even if you don’t comment in the thread.
Aug 17th
:thankful:
1

Also sent to the channel


dww
  5 days ago
I won’t be at next meeting but registering a -100 on this proposal here. :sweat_smile: The drop moves too fast. If all my contrib projects started failing tests on every new deprecation, I’d either end up with tests failing all the time (making it impossible to review other issues) or dooming myself to have to “chase HEAD” when my schedule doesn’t allow that.

Or, I’m trying to fix bugs in someone else’s contrib and the tests are failing so it’s hard to tell if my fix works and progress grinds to a halt.

This has to be opt in, or automated testing for contrib becomes really a mess.

Simply failing the tests doesn’t remove the tech debt. Humans have to do that. And we all have different schedules, workflows and responsibilities.
:100:
4



mglaman
  5 days ago
This is if modules test on -dev of Drupal core vs stable minor/patch
:+1:
1



mglaman
  5 days ago
Deprecations aren’t usually added in patch, right? in minor releases


dww
  5 days ago
Which isn’t to say it’s not worth discussing. And maybe I’ll be out voted. And that’s okay, too.


mglaman
  5 days ago
It’s worth discussing, for sure. But I’m currently at: “I don’t know if I can do this again in 1.5 years”
:hugs:
1



mglaman
  5 days ago
It’s not hard it’s just so much
:100:
1



dww
  5 days ago
Only for tests against that -dev of core makes it more viable.


mglaman
  5 days ago
Because I would see it as:
Issue + commit: whatever release of drupal/core (Drupal X Stable release)
Weekly: Drupal X Development


lleber
:scientist:  5 days ago
^ I'm also a bit concerned about the speed at which "the drop is moving".  Public API being "safe" to use just doesn't mean the same thing these days.


mglaman
  5 days ago
It moves at 6 month increments.


lleber
:scientist:  5 days ago
"safe" as in predictable when things can/will break, not "safe" as in "we won't have to spend another $50,000 on this custom code every 2 years"


mglaman
  5 days ago
But, let’s save it for Monday


dww
  5 days ago
But, let’s save it for Monday
... when Derek won’t be there to raise disagreements. :joy:


mglaman
  5 days ago
ah shoot ya you said that. sorry, more of my “I really need to focus on X but I don’t want to forget about this”
:+1:
1



lleber
:scientist:  5 days ago
It'd be neat if anyone could quantify the average real world fiscal impact of a new deprecation.
:100:
1



dww
  5 days ago
Just because foo was deprecated in 9.1, I don’t actually have to deal with that for 2+ years until D10. I can’t always give love to every project every 6 months.


mglaman
  5 days ago
It’d also be nice if we got CRs to flag phpstan detection and rector coverage. Because things could be a lot easier.


cmlara
  5 days ago
I need to do some searching as I can't find it right now, I'm pretty sure there is an open issue requesting to at least REPORT deprecations as a softfail
:+1:
1



mglaman
  5 days ago
Just because foo was deprecated in 9.1, I don’t actually have to deal with that for 2+ years until D10. I can’t always give love to every project every 6 months.
Fair, no need to build the shim until later. Like when that minor loses security coverage.
:+1:
1



mglaman
  5 days ago
@cmlara
 that’d be great, because it goes unknown right now as far as I know. phpcs is a soft fail which bubbles, if deprecations could that’d be great. BUT we’re also heading for the great GitLab CI migration
:100:
1



dww
  5 days ago
I’m all for tests warning you about all know future fails. I just don’t want the test run itself to be called fail unless I ask for that.
:+1:
2



mglaman
  5 days ago
Either way, I think we need a cadence of addressing deprecations and making viable releases earlier than a few months before beta and release
:+1:
2



mglaman
  5 days ago
:man-shrugging: but this assumes modules have tests to catch deprecations and hit them at runtime, since phpstan isn’t being run


Gábor Hojtsy (he/him)
  5 days ago
I think a softer approach would be to start running the bot right after 10.0 is out for 11 targeted deprecations (assuming rectors are available). That would give the option to maintainers to resolve things on a piece by piece basis rather than 2 years later, but I am not sure its realistic or even correct to fail tests for things where people use the stable public APIs.


mglaman
  5 days ago
The problem with Rector is that it’s a blunt force tool that doesn’t provide backward compatible shims


mglaman
  5 days ago
Which maybe should be a requirement for all d10 deprecation rules (edited) 


Gábor Hojtsy (he/him)
  5 days ago
It could provide them though?


mglaman
  5 days ago
It could. Makes rule writing harder, but it could.


mglaman
  5 days ago
It raises the contribution complexity bar, which is already high


Gábor Hojtsy (he/him)
  5 days ago
Is it more scalable to expect people to come up with those themselves? I would rather see if we can figure out how to scale rector building if we are to continue on this pace.


mglaman
  5 days ago
Idk how we could scale it. There are some helpers. But who also has the time to invest in that scaling and dev-x


berdir
  5 days ago
yes, also strong -1 from me. the timing just doesn't work out. contrib testing is against a certain type of minor (e.g. stable or security support), so that's frequently shifting and there's no reason to force contrib to be dependency free until a new major is on the horizon. there are already D10 deprecations, already now you can get deprecation errors when running tests on d10. That's just shifting all that workload to contrib maintainers and preventing contributions when tests are failing.
:100:
2



berdir
  5 days ago
My counter-proposal, that I've mentioned before is that this should be a setting that you can control per test configuration. so you can do issue/commit testing without deprecations but you can have a separate, e.g. weekly, test run that shows current deprecations
:heart:
1
:this:
1



Björn Brala (bbrala)
  5 days ago
What if we just add deprecation testing as like a separate flow. Could be through the bot, or a default extra run that runs for projects that have testing enabled.
Although a bit harder to perhaps communicate, it would could be some sort of label at the project level that is added based on that group of runs.
Hmm. This is something I'll think about, moving up this whole dance and make It less of a race would be great. I agree with 
@mglaman
 that how things go right now are a bit hectic.
:+1:
1



dww
  5 days ago
I’d love the flexibility of Berdir’s proposal to make this a knob while configuring test runs. But if that’s too big a can of worms, a whole separate deprecation testing path would also work and improve things considerably.


berdir
  5 days ago
well, i guess with GitlabCI on the horizon, I doubt we'll invest into some kind of flags for DrupalCI and bulding a UI for it. That said, I'd also expect that this will probably come basically for free with GitlabCI, you can have templates and variables and then you can set up different pipelines or something to cover this.


Gábor Hojtsy (he/him)
  5 days ago
DrupalCI already has/had phpstan deprecation testing as a build option, but I think its been broken for a while


Gábor Hojtsy (he/him)
  5 days ago
https://www.drupal.org/project/drupalci_testbot/issues/3248706
Drupal.org
PHPStan fails for contrib due to outdated neon configuration
Problem/Motivation PHPStan validation (eg. https://dispatcher.drupalci.org/job/drupal_contrib/506195/artifact/jenkins-drupal_contrib-506195/artifacts/phpstan/) fails with Host commands: cd modules/contrib/image_effects && sudo -u www-data /var/www/html/vendor/bin/phpstan analyse --error-format checkstyle -c /var/lib/drupalci/workdir/phpstan/phpstan.neon .
Nov 10th, 2021
:+1:
1



berdir
  5 days ago
drupalci configuration happens in a commited drupalci.yml file, you can only have one of those. I don't think that changes how that works? the main point of my proposal is that you can have different runs with or without certain things. The closest you can get to that right now is a patch against drupalci.yml and manually re-testing that
:point_up:
1



Gábor Hojtsy (he/him)
  5 days ago
yeah but still then phpstan deprecation checking will not work at all due to this problem
:+1:
1



mglaman
  5 days ago
So, I guess our problems will be “solved” once we have GitLab CI. Because we can have different workflows. And a contributor could submit modifications for the run


catch
  5 days ago
The biggest issue with fixing deprecation issues quickly is the one year support cycle for minor releases - so if you're keeping support for the oldest minor, you can't fix a lot of deprecations until at least 6 months after they land in a stable release.
There's a proposal (which I can't find right now...) to use a 'main' branch for Drupal core and branch minor versions off it. If for some reason a flag is tricky, then maybe tests against 'main' could fail on deprecation errors but not any other branches since that'll always be the target for new development.
:+1:
2



catch
  5 days ago
On general speed of core, that's more a question for https://www.drupal.org/project/drupal/issues/3238652. The only way to change things significantly would be to drop a lot of dependencies, we definitely wouldn't be trying to get Drupal 10 out if it wasn't for Symfony 5/6 and CKEditor 5.
I am however extremely hopeful that 10-11 will be a smaller hop than any of the previous major releases have been. Now new ckeditor major release, no jumping two Symfony versions in one go etc.
Drupal.org
[policy] Adopt a 2 year major release cadence and a 6 month LTS-to-LTS overlap period for Drupal 10 and beyond
Problem/Motivation Currently, when we release a new major Drupal version, we also release the final minor version for the prior major version at the same time. For example, we released 9.0 and 8.9 at the same time, and plan to release 10.0 and 9.4 at the same time. This final minor version is supported for longer than other minor versions are (8.9 was supported for 17 months vs. other 8.x versions were only supported for 12 months), so here I refer to them as the LTS (long term support) versions/releases. Currently, the LTS versions go EOL before the next LTS version is released.
Sep 22nd, 2021
:+1:
1



Gábor Hojtsy (he/him)
  4 days ago
Upgrade Status actually considers the last supported minor and tells it's users to defer resolving deprecations from that onwards to later. :)
:+1:
1



dww
  4 days ago
To be clear: I didn’t mean the drop is moving too fast in general. Just moving too fast for all contrib tests to fail upon any deprecation notices in any branch.

catch convinced me that this could happen. There be some dragons around having Rector as a development dependency due to the way Rector is bundled. Especially if we hit a breaking change and become incompatible. I'm copying what I sent in Slack to describe the build setup when developing a Rector plugin/rules:

So rector/rector is a compiled Phar with namespaced vendor dependencies of rectorphp/rector-src. BUT it also contains the CakePHP, Doctrine, Laravel, PHPUnit, and Symfony bundled. So when you require --dev on rector-src, you get all those repos pinned to dev-main. Which means they're forever shifting! Part of my nightmare when fixing drupal-rector compatibility was pinning the dev-main# to hashes that matches the installed.json for rector/rector

Oh yeah, I forgot that you also need to allow it to be patched. This is all in drupal-rector.

One way we can solve this is by having the Rector code off to the side, with its own composer.json like PHPStan's build setup: https://github.com/phpstan/phpstan-src/tree/1.8.x/build

While looking at the rector-phpunit source, it looks like the namespace might be able to be dynamically registered: https://github.com/rectorphp/rector-phpunit/blob/main/config/config.php. It calls load on the container configurator. This is from Symfony DI and allows registering PSR-4 namespaces!

    /**
     * Registers a PSR-4 namespace using a glob pattern.
     */
    final public function load(string $namespace, string $resource): PrototypeConfigurator
    {
        return new PrototypeConfigurator($this, $this->loader, $this->defaults, $namespace, $resource, true, $this->path);
    }

Or maybe this is how Rector works around the merged code in the compiled Rector package and it doesn't matter to us.

We could have a rector directory alongside core that becomes the drupal/core-rector-rules package or something. This directory contains a composer.json and rules and rules-tests directory. The nice part about this structure is leveraging the Rector generator (it uses a rules and rules-tests structure.

The hard part is ensuring we can run PHPUnit against the rules to verify they work. At first, I thought this meant we needed Drupal code to be autoload-able, but we don't. In the drupal-rector tests we don't recreate Drupal's autoloading; it all just works because the symbols match.