Contrib.social

Match the version of drupal/core-* metapackages

Open on Drupal.org β†’
Created on 3 August 2020, over 4 years ago
Updated 11 September 2024, 7 months ago

Problem/Motivation

We have many meta packages to help projects run with the right set of dependencies:

These packages are released together and share the same versions.

Although these are independent packages, they are semantically and practically tied together. You might be able to use different versions of these packages (different minor, patch, but likely not a different major version), but usually, you encounter unexpected issues when these packages are not in sync.

For example, when creating a new project from drupal/recommended-project and you want to run tests, you are supposed to composer require drupal/core-dev. However, that package doesn't depend on core, so if you're not careful, you might end up with a different version of core-dev than the core version you are using, causing things to fall apart.

Moreover, even if the Updating Drupal core with Composer β†’ guide suggests running composer update "drupal/core-*" --with-all-dependencies to keep Drupal core and metapackages up to date on existing projects, this command does not guarantee that the versions of the installed metapackages will match. This command instructs Composer to try to update all matching packages, but conflicts and version constraints in other packages can prevent one or more matching packages from being updated. This issue is discussed in this Drupal Slack thread about failing PHPUnit tests due to an incorrect behat/mink version installed on projects after the Drupal 10.2.x to 10.3.x update.

Steps to reproduce

  1. composer create-project 'drupal/recommended-project:^8.9' d8_9_composer
  2. cd d8_9_composer
  3. composer require drupal/core-dev

You would expect to get drupal/core-dev for 8.9.x and have a working testable site. Instead, you see this:

Using version ^9.0 for drupal/core-dev
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Conclusion: don't install drupal/core-dev 9.0.2
    - Conclusion: don't install drupal/core-dev 9.0.1
    - Conclusion: don't install drupal/core-dev 9.0.0
    - Conclusion: don't install drupal/core-dev 9.0.0-rc1
    - Conclusion: don't install drupal/core-dev 9.0.0-beta3
    - Conclusion: don't install drupal/core-dev 9.0.0-beta2
    - Conclusion: don't install drupal/core-dev 9.0.0-beta1
    - Conclusion: don't install drupal/core-dev 9.0.0-alpha2
    - Conclusion: don't install drupal/core-dev 9.0.0-alpha1
    - Conclusion: don't install drupal/core-dev 9.1.x-dev
    - Conclusion: remove masterminds/html5 2.3.0
    - Installation request for drupal/core-dev ^9.0 -> satisfiable by drupal/core-dev[9.0.0, 9.0.0-alpha1, 9.0.0-alpha2, 9.0.0-beta1, 9.0.0-beta2, 9.0.0-beta3, 9.0.0-rc1, 9.0.1, 9.0.2, 9.0.x-dev, 9.1.x-dev].

For this to work, step #3 should be composer require 'drupal/core-dev:^8.9'.

Proposed resolution

As @stof suggested in this Composer discussion, we could use the self.version constraint to keep package versions in sync. Instead of using "drupal/core-recommended" : "self.version", we should use "drupal/core": "self.version" since both drupal/core-recommended and drupal/core-dev packages can and should depend on drupal/core.

Remaining tasks

Manual testing. Details are in comment #34 ✨ Match the version of drupal/core-* metapackages Needs review
Create a change record

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

✨ Feature request
Status

Needs review

Version

11.0 πŸ”₯

Component
ComposerΒ  β†’

Last updated 5 days ago

No maintainer
Created by

πŸ‡ΊπŸ‡ΈUnited States dww

Live updates comments and jobs are added and updated live.
  • Needs manual testing

    The change/bugfix cannot be fully demonstrated by automated testing, and thus requires manual testing in a variety of environments.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • First commit to issue fork.
  • Assigned to mxr576
  • Comment 9 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary
  • Merge request !8647Match package versions β†’ (Open) created by mxr576
  • Pipeline finished with Failed
    9 months ago
    Total: 498s
    #214825
  • Comment 9 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom joachim

    > The reason that we don't want to require drupal/core with self.version is that it makes upgrading harder.

    In what way?

    We now recommend that upgrading core be done with "composer update drupal/core*" which updates both packages simultaneously. Won't the dependency work ok with that?

  • Pipeline finished with Failed
    9 months ago
    Total: 170s
    #214861
  • Comment 9 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary
  • Issue was unassigned.
  • Status changed to Needs review 9 months ago
  • Comment 9 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary
  • Pipeline finished with Success
    9 months ago
    Total: 505s
    #214894
  • Comment 9 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    > The reason that we don't want to require drupal/core with self.version is that it makes upgrading harder.

    In what way?

    I was thinking about why Greg said this and what I saw in https://www.drupal.org/files/issues/2020-08-03/3163114-6.patch β†’ ... so do we really expect and reality also confirms that within the same Drupal minor versions, these meta packages could be on different versions at any time and everything should work? Because if not, the current solution with self.version in the MR is the only way to move forward, if not, then we get back to patch 6 and only lock on major.minor.

  • Comment 9 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    It occured to me that Greg's comment is 4 years old and maybe it is from those days when core-recommded did not allow patch version update of dependencies. In those days the concerns he raised regarding self.version was valid.

  • Status changed to Needs work 9 months ago
  • Comment 9 months ago β†’
    needs-review-queue-bot

    The Needs Review Queue Bot β†’ tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

  • Status changed to Needs review 9 months ago
  • Comment 9 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    Still mergable according to Gitlab.

  • Comment 9 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greg.1.anderson

    In what way?

    We now recommend that upgrading core be done with "composer update drupal/core*"

    I believe I answered this question elsewhere recently, but I am not sure where, so I will re-post here for context.

    During the development of Drupal 8.8.x, composer update drupal/core* failed to update, because Composer became confused by the chained strong constraints. One might think that strong constraints would make the dependency graph easier to resolve, because it branches to fewer variations, but for whatever reason, it was harder for Composer in the past. If modern Composer deals with it well, then this change is an improvement.

  • Comment 9 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greg.1.anderson

    If I recall correctly, the conflict statement that I recommended worked better (e.g. #9 can be rewritten to allow only one patch version). I don't recall if there was any reason we didn't add it; maybe just never got to it. We certainly did not want to encourage folks to mix different core versions.

  • Comment 9 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    This was the Slack thread: https://drupal.slack.com/archives/C392CHBEW/p1720016380610809

    I also dumped it via Slackdump before it gets lost, see attachment.

    Thanks for looping back to this thread, I'll also do that early next week.

  • Comment 9 months ago β†’
    πŸ‡©πŸ‡°Denmark ressa Copenhagen

    Thanks for saving the conversation before it was lost @mxr576!

    As we talked about in #2952616-17: Adopt CommonMark spec for Markdown files β†’ , an automated Slack dumper service would be awesome, pulling down and saving all the great Drupal conversations. A daily drupal.org/project/drupal issue could work as a data repository, consolidating the text for inclusion when searching in Drupal core issues :-)

    Drupal Slack Dump for 2024-07-03

  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Besides a CR any next steps needed here?

  • Comment 8 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    Well, Greg expressed his opinion in the referenced Drupal Slack about why he would not rely on core-dev for running tests on downstream projects, but he did not mention that in #27.

    I think we are on the an agreement regarding:

    We certainly did not want to encourage folks to mix different core versions.

    I do not think that enforcing this with conflict or require would make a difference in Composer 2.7+... if there are strong concerns we can try figure that out somehow... without that we can merge the current approach and switch to other when it proved to be problematic.

  • Comment 8 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary
  • Pipeline finished with Success
    8 months ago
    Total: 505s
    #251839
  • Comment 7 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greg.1.anderson

    Well, Greg expressed his opinion in the referenced Drupal Slack about why he would not rely on core-dev for running tests on downstream projects

    Don't worry about that old comment, it was unfounded. My point is that you shouldn't use core-dev unless you're using test classes packaged by Drupal to run tests on downstream projects, which is exactly what folks are doing.

    My latest comments on moving forward, copied from slack:

    It needs to be tested. Testing wouldn't be super easy; someone needs to clone the various Drupal projects with all / most of the versions tagged, and then make some test Drupal sites that are out of date, and try to run "composer update" on them. The proposed dependencies were too much for Composer some years ago; the hypothesis is that modern Composer will handle it just fine. This is likely the case, but it would be unfortunate to deploy the changes to everyone & then find out in the field that it doesn't work well.

    To do a good test, you'd probably want to rewrite the tags so that the old versions in the repo have the new dependency relationships. If you only made the proposed changes for the newest tag (as would happen when the MR is merged), then it's possible that Composer would do okay if there was only one version with the new dependency relationships, but might get confused in the future when they started to grow in number.

  • Comment 7 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States mile23 Seattle, WA

    From the summary:

    1. composer create-project 'drupal/recommended-project:^8.9' d8_9_composer
    2. cd d8_9_composer
    3. composer require drupal/core-dev

    You would expect to get drupal/core-dev for 8.9.x

    First: Why would you expect that? It's not how Composer works unless the other packages have declared tighter constraints. If you get the error message, you'll figure out that you need to specify a version. Speaking of tighter constraints....

    Second: If it's a reasonable (or even just desired) expectation, then having drupal/core-dev declare that it conflicts with future (and maybe even past) versions of drupal/core is the most reasonable solution to deliver that.

    So, we leave everything else alone, and then only change drupal/core-dev (and -pinned) to conflict with future versions of drupal/core. We can do this because we always generate a new drupal/core-dev with each release, even if all the dependencies are exactly the same.

    So drupal/core-dev release 11.0.0 would look like this:

        "conflict": {
        "drupal/core": "<11.0.0 || >11.0.0",
        "webflo/drupal-core-require-dev": "*"
    },

    In this circumstance, Composer gets the version of drupal/core, and then finds the version of drupal/core-dev that doesn't conflict, and then we're done. We can also tell people to composer require drupal/core-dev:@stable.

  • Comment 7 months ago β†’
    πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    First: Why would you expect that? It's not how Composer works unless the other packages have declared tighter constraints. If you get the error message, you'll figure out that you need to specify a version. Speaking of tighter constraints....

    At the very least, these packages should be tied together at the minor version level. Based on past experiences, it might even be beneficial to tie them at the patch level as well. For more details, see this Slack thread about how the 10.2 -> 10.3 upgrade broke tests because Composer installed incompatible versions of Drupal core packages: https://drupal.slack.com/archives/C223PR743/p1719331712444049

    Drupal core is a monorepo that is only partially managed as such. If we could guarantee that split packages in the subpackage repositories are always compatible with each other, this problem wouldn't existβ€”but we can't.

    The drupal/core-dev package defines the dependencies needed to run tests, while drupal/core contains the tests that might need adjustments as core-dev dependencies evolve... which is not a problem in a monorepo because update and adjustments could happen in the same MR.

    However, the butterfly effect is more visible for downstream projects that require drupal/core-dev, and they often only realize changes are needed when a minor (or, in the worst-case scenario, a patch) update to drupal/core-dev breaks their test suite.

  • Comment 7 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    First: Why would you expect that? It's not how Composer works unless the other packages have declared tighter constraints.

    I want to second the statements by @mxr576. I would expect drupal/core-dev to be tied to drupal/core. They are designed to work together and are linked where changes in one can require explicit changes in the other, especially since they are developed in the same repository. The same applies true to drupal/core-recommended as we can very easily end up using releases of dependencies that have not been tested with a version of Core defeating the purpose of the package

    I do not really care how this is implemented (require or conflict, in drupal/core-dev or on drupal/core) however I would add this question that might help justify which makes more sense if done in drupal/core-dev: Is there ever a case where you would want drupal/core-dev that you would not also want drupal/core? If the answer is no, than require makes the most sense as drupal/core-dev should also bring with it drupal/core, if the answer is yes than conflict would be more logical.

    Either case testing should not be too hard, download https://repo.packagist.org/p2/drupal/core-dev.json (or whatever other package to modify), loop over the require/conflict section and add the desired constraint, place the resulting file into a local composer repo available on localhost and can easily see if any noticeable impact occurs as you use composer to require specific versions and constraints of packages.

  • Comment 7 months ago β†’
    πŸ‡³πŸ‡ΏNew Zealand quietone

    Updated the IS with a link to testing instructions and tagged.

  • Comment 7 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States mile23 Seattle, WA

    @cmlara: "I want to second the statements by @mxr576. I would expect drupal/core-dev to be tied to drupal/core."

    Well, drupal/core-dev is tied to core. They have the same version number. You can currently say composer require --dev drupal/core-dev:[your core version constraints here] and it works.

    However, if you want to be able to not know your current core constraints and just say composer require --dev drupal/core-dev, then we need to change drupal/core-dev as described in #35. We make drupal/core-dev (and -pinned) conflict with versions of drupal/core which aren't the same, and then Composer will do the sorting for us.

    @mxr576: "At the very least, these packages should be tied together at the minor version level. Based on past experiences, it might even be beneficial to tie them at the patch level as well."

    That's exactly what I proposed in the message you're responding to.

  • Comment 6 months ago β†’
    needs-review-queue-bot

    The Needs Review Queue Bot β†’ tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024