[policy, no patch] Require Composer 2 for Automatic Updates while still supporting Composer 1 for Drupal 9 generally

Created on 17 July 2020, over 4 years ago
Updated 15 January 2025, 5 days ago

Problem/Motivation

Composer plugins (via "composer-plugin-api": "^1.1 || ^2") can be tied to version 1 or version 2. V1 plugins cannot be used with V2 of Composer. This sort of makes using Composer v2 a requirement. Why do we need V2 of Composer?

  • Performance (mainly huge memory and related performance gains)
  • V2 has a Composer hook that lets us intercept artifact downloads and compare each artifact's hash against a known hash (using TUF, CSIG, etc.)

Granted, bullet #2 is a soft requirement as we could always request that same hook be backported to V1 Composer. But we'd still have bullet #1, which is a very big reason.

https://github.com/heddn/php-signify-composer-integration shows how this was done in a PoC, and how we required v2 for the plugin to operate.

Proposed resolution

TBD

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

📌 Task
Status

Closed: outdated

Version

11.0 🔥

Component

base system

Created by

heddn Nicaragua
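
The download-time hash check described under Problem/Motivation, written as a Composer 2 plugin. This is an added example, not code from the issue or from the linked PoC; it assumes the hook in question is Composer 2's post-file-download plugin event, and the namespace, class name, URL and hash table are hypothetical.

```php
<?php
// Added example. Assumption: the hook the issue refers to is Composer 2's
// post-file-download event. The package's composer.json would declare
// "type": "composer-plugin" and require "composer-plugin-api": "^2.0".
namespace Example\HashCheck; // hypothetical namespace

use Composer\Composer;
use Composer\EventDispatcher\EventSubscriberInterface;
use Composer\IO\IOInterface;
use Composer\Plugin\PluginEvents;
use Composer\Plugin\PluginInterface;
use Composer\Plugin\PostFileDownloadEvent;

final class HashCheckPlugin implements PluginInterface, EventSubscriberInterface
{
    // Constructed placeholder data: dist URL => expected SHA-256 (hex).
    // A real deployment would read this from signed metadata (TUF, CSIG).
    private const KNOWN_SHA256 = [
        'https://packages.example.test/dist/acme-lib-1.0.0.zip' => '<expected-sha256-hex>',
    ];

    public function activate(Composer $composer, IOInterface $io): void {}
    public function deactivate(Composer $composer, IOInterface $io): void {}
    public function uninstall(Composer $composer, IOInterface $io): void {}

    public static function getSubscribedEvents(): array
    {
        return [PluginEvents::POST_FILE_DOWNLOAD => 'verifyDownload'];
    }

    public function verifyDownload(PostFileDownloadEvent $event): void
    {
        if ($event->getType() !== 'package') {
            return; // repository metadata downloads are not checked here
        }
        $file = $event->getFileName();
        $expected = self::KNOWN_SHA256[$event->getUrl()] ?? null;
        // Fail closed: an artifact with no trusted hash is rejected.
        if ($expected === null || $file === null || !is_file($file)) {
            throw new \RuntimeException('No trusted hash for ' . $event->getUrl());
        }
        // Hash the bytes on disk and compare in constant time.
        if (!hash_equals($expected, (string) hash_file('sha256', $file))) {
            throw new \RuntimeException('Hash mismatch for ' . $event->getUrl());
        }
    }
}
```

Keying the table by URL is a simplification; with mirrors or rewritten dist URLs the trusted metadata would need to identify the artifact by package name and version instead.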
