When updating a BLT & Lighting setup from Lightning 2.26 to 3.002, I could not get composer to update Drupal to 8.4.5, which Lightning 3.002 was supposed to require. Running through the Lightning update steps outlined here: https://github.com/acquia/lightning/releases, I started with the steps in 3.000.
composer require acquia/lightning:~3.0.0 --no-update
composer update acquia/lightning --with-dependencies
At this point I saw drupal/jsonapi module update to 1.10, and some other items, but not Drupal core.
Then ran drush updatedb && drush cache-rebuild
and drupal update:lightning
. The following updates ran, but no output from drupal console command:
lightning_core module :
8006 - Records all modules' semantic version numbers in config.
lightning_layout module :
8009 - Removes the Lightning third_party_settings from Layout Manager role.
Then I tried composer update acquia/lightning --with-dependencies
again, at which point composer removed and re-installed drupal/core (8.4.4). After that, tried a few more times, with a composer clearcache
in-between. Still Drupal 8.4.4.
Last I tried composer update drupal/core --with-dependencies
which WORKED! I now had Drupal 8.4.5.
Weird thing is, the Drupal.org zip package of Lightning DOES have Drupal 8.4.5. I think this is because the drupal-org-core.make file was updated to use 8.4.5, but the composer.json wasn't explicitly updated to require Drupal 8.4.5. In reviewing https://getcomposer.org/doc/articles/versions.md#tilde-version-range-, composer should update Drupal to the latest 8.4.x release with the require 8.4.4 line.
https://github.com/acquia/lightning/blob/3.0.2/drupal-org-core.make#L7
vs.
https://github.com/acquia/lightning/blob/3.0.2/composer.json#L80
Composer version 1.5.2 2017-09-11 16:59:25
BLT version 8.9.13
Drush 8.1.16
Comments
Comment #2
balsamaYeah - that's actually is expected behavior. Lightning 3.0.2 doesn't explicitly require core 8.4.5. It requires ~8.4.4 because it works with anything greater than 8.4.3 and less than 8.5.0). The release was tested against 8.4.5, as seen in our lock file. If you want to use the exact dependencies that Lightning used to test each release, you can look at the Lightning Strict package: https://lightning.acquia.com/blog/lightning-strict
Otherwise,
composer require drupal/core:8.4.5
is the best way to make sure you have a specific core version.As for the tarball, that's build from a makefile, which is generated from our lock file - which had 8.4.5. :)
Comment #3
timwoodSo what would you recommend to those using Lightning composer, when security updates are released? Shouldn't following Lightning's update steps result in my environment being updated per the release notes (Lightning 3.002 updated Drupal core and JSON API)? https://github.com/acquia/lightning/releases/tag/3.0.2 Shouldn't having Drupal core set to ~8.4.4, update it to 8.4.5?
I guess use Lightning strict is the only option?
Thanks
Comment #4
balsama@timwood I think if you just modify your original command to update all dependencies, you should be all set. See: https://github.com/composer/composer/issues/6661
Or remove the package from the update command:
But if you want a specific version of something, it's always best to require it outright:
composer require drupal/core:8.4.5
Or use something like https://github.com/Roave/SecurityAdvisories.
Comment #5
phenaproximaComment #6
balsamaI'd vote to close this, but I'll leave it open since @phenaproxima identified it as a documentation issue.