Problem/Motivation

drupal/core-dev-pinned allows developers to run tests using exactly the same dependencies as a specific version of core. drupal/core-dev is similar but allows newer versions to be installed. In practice there is usually little difference between these.

However, when security updates are released for dev dependencies such as Composer, this means that drupal/core-dev-pinned is stuck on an insecure version until we release a newer version of core itself, while drupal/core-dev can freely upgrade.

At the time of writing drupal/core-dev on Packagist has nearly 20 million installs, while drupal/core-dev-pinned only has 250,000 - or 80 times fewer - so it is clear drupal/core-dev is preferred and we are not really seeing any issues by being more relaxed in the allowed dependencies.

Steps to reproduce

Proposed resolution

Deprecate drupal/core-dev-pinned and recommend that users use drupal/core-dev instead.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3566600

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

longwave created an issue. See original summary.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Related issues: +#3565943: [security hardening] Update composer to 2.9.3
longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Issue summary: View changes

longwave opened merge request !14279

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Active » Needs review
Issue tags: +Needs change record

Initial attempt at this, I think we don't need to keep this into Drupal 12 as users can just swap to drupal/core-dev, but we should maintain it for the rest of Drupal 11. Also needs a change record.

quietone’s picture

quietone commented
Issue tags: -Needs change record
Related issues: +#3476723: Mark the drupal/core-dev-pinned package as abandoned

Added a change record and related issue.

quietone’s picture

quietone commented
Issue tags: +11.4.0 release priority
quietone’s picture

quietone commented

Whatever style of change is decided on here for description text of the metapackage should be added to the 'how to deprecate' page.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented

Good idea - one day we will also want to deprecate drupal/legacy-project.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.

smustgrave’s picture

smustgrave commented

Recommended way to test this?

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented

@smustgrave Not really sure. Once this is committed, the abandoned line in composer/Metapackage/PinnedDevDependencies/composer.json will in turn be committed to https://github.com/drupal/core-dev-pinned/blob/main/composer.json - which in turn will mark https://packagist.org/packages/drupal/core-dev-pinned as abandoned, but I don't know of a way of testing that outside of Packagist.

The documentation for this feature is at https://getcomposer.org/doc/04-schema.md#abandoned

dcam made their first commit to this issue’s fork.

dcam’s picture

dcam commented

I rebased the MR because it was 316 behind and I wanted to review it. The test pipeline says I don't have permissions to run the tests, which is something I haven't seen before. Does anyone have an idea of what that's about?

dcam’s picture

dcam commented

Sorry about breaking the MR. I noticed it was targeting the wrong branch. Changing the target was a bad idea. I'll sort it out and make a new MR.

dcam changed the visibility of the branch main to hidden.

dcam opened merge request !15043

dcam closed merge request !14279

dcam’s picture

dcam commented
Status: Needs review » Reviewed & tested by the community

I don't have any additional feedback. I've deprecated a few packages at work and the entries in the composer.json files are good. I checked the composer and core directories to see if there's anything else that should be removed at this time (particularly the metapackage README file), but all mentions of the package and builder are appropriate to stay. They'll be removed from main right away anyway if we try to get this in before D12. This looks good to me. Sorry about the noise from rebasing and then retargeting the original MR.

sivaji_ganesh_jojodae made their first commit to this issue’s fork.

mstrelan’s picture

mstrelan commented

Is it worth adding a hook_requirements somewhere in core that checks for this? Or is the existing deprecation loud enough to be noticed. Can use something simple like this:

\Composer\InstalledVersions::isInstalled('drupal/core-dev-pinned')
longwave’s picture

longwave
he/him
Primary language English
Location UK
commented

I don't think it's core's responsibility to do that, the person seeing that requirements message might not be able to do anything about it. The warning should appear when using composer, which is the time you can actually take an action to fix it.

The package also has a relatively low number of installs so I don't think it's worth additional messaging.

https://packagist.org/packages/drupal/core-dev-pinned
vs https://packagist.org/packages/drupal/core-dev

  • catch committed e59c0b01 on 11.x 
    task: #3566600 Deprecate drupal/core-dev-pinned metapackage

By:...

  • catch committed 91860411 on main 
    task: #3566600 Deprecate drupal/core-dev-pinned metapackage

By:...
catch’s picture

catch
he/him
Primary language English
commented
Version: main » 11.x-dev
Status: Reviewed & tested by the community » Fixed

Yeah I think the composer message should be OK, that's the context where you're also able to fix it.

Committed/pushed to main and 11.x, thanks!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

catch closed merge request !15043

quietone’s picture

quietone commented

Add how this was done to a 'composer metapackage' section on How to deprecate

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.