Deprecate composer 1

Since modern Drupal core requires Composer 2, our Composer 1 traffic is very low - less than 0.5% for all traffic, 1.3% when counting by IP address. We should remove Composer 1 support before thinking about moving this code from Drupal 7 to modern Drupal.

Adding #3325040: [Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged → as a parent issue. Composer 1 support causes https://packages.drupal.org/8/packages.json to be updated frequently. TUF will flag any time that packages.json is updated, but the hash of the file has not been updated. Once Composer 1 is no longer supported, https://packages.drupal.org/8/packages.json will effectively become a static file, greatly reducing the impact of any rugged/signing disruptions.

And we need to get this done before updating this codebase to modern Drupal.

This will happen in 2 phases:

• Stop updating Composer 1 metadata - Composer 1 will still be functional with packages.drupal.org, but will not have any new releases or other updates. I’d like to do this in about a month, the week of August 5 or 12
• Remove Composer 1 metadata - Composer 1 will no longer be able to use packages.drupal.org. I’d like to do this a month or two later, the week of October 1 would put it after DrupalCon Barcelona

Both can be announced directly to users like https://packagist.org/packages.json has

"warning":"Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/","warning-versions":"<1.99"

And we should have various other announcements, including a couple blog posts.

Wouldn't it be better to set the version constraint to <2.0 . Theoretically you can have V1.100 (even though the highest composer 1 version is 1.10.27).

Should the message include the steps required to upgrade? Or a link to those steps?

This will be displayed alongside Packagist.org’s warning:

Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/

https://packagist.org/packages.json uses "warning-versions":"<1.99" I’m not sure if they have a reason for that, but I’d rather follow their lead, even if it might not be technically correct.

We should definitely link to our announcement about packages.drupal.org’s support, once its drafted & posted.

This will be displayed alongside Packagist.org’s warning:

Great! So that's covered then ;-)

https://packagist.org/packages.json uses "warning-versions":"<1.99" I’m not sure if they have a reason for that, but I’d rather follow their lead, even if it might not be technically correct.

Yes, makes perfect sense in that case 😉 and +1 for linking to the official Drupal announcement

The warning is now deployed and the announcement is at https://www.drupal.org/drupalorg/blog/ending-packagesdrupalorg-support-f... →

I've put some notes for the changes needed in child issues.

The change on October 1st has completely prevented me from updating a site.

It was still on composer 1. Obviously it needs changing to composer 2, but I don't seem to be able to. The instructions for switching to composer 2 are that various packages need to be updated first when still on composer 1 - https://www.drupal.org/docs/develop/using-composer/preparing-your-site-f... →

Please make sure that you upgrade the plugins below using Composer 1

When I try to update or install any package with composer 1 results it in this composer error:

[ErrorException]
Illegal string offset 'versions'

This is because https://packages.drupal.org/8/packages.json doesn't contain data in the format which composer can read.

What are we supposed to do in this situation? I have an old site which we have taken over which needs updating to Drupal 10, but at the moment I cannot do anything because the site uses composer 1 still and it won't let me update any packages.

I think it is actually possible. I've got the site installing on composer 2 by removing various incompatible packages at once (with composer 2) and then if necessary re-requiring newer versions later.

I believe in many cases, Composer 2 just works. It is faster and more reliable. Things can get complicated if you are using Composer plugins, as Composer’s APIs for plugins changes.

Unfortunately, Composer 1 is not something Drupal.org can continue supporting since it had very low usage, complex & hard-to-test code that would need to be updated from D7 to modern, and would make package signing for automatic updates less reliable.

I could imagine making a Satis mirror of packages you use, but that would likely be more effort than working around plugin updates. https://github.com/composer/satis

Composer 1 is now completely unsupported for packages.drupal.org.

Wow, this one hit me hard. I wasn't aware of the Composer 1 deprecation until my customer requested me to add a new module to its D8 installation for cookie management. Now I cannot bring up the site in my dev environment because https://packages.drupal.org/8/packages.json data has been removed.

I've tried everything I found in the documentation with no success. It's impossible to migrate to Composer2 because a lot of the D8 modules like drupal/token ( https://www.drupal.org/project/token/releases/8.x-1.10 → ) are non existing in packagist.

What is the way you'd recommend to go through? Should I download all the modules as ZIPs and try to set them up locally?

Thanks!

Have you followed: https://www.drupal.org/docs/develop/using-composer/preparing-your-site-f... → ?

Modules like drupal/token are distributed via the https://packages.drupal.org/8 Composer repository using Composer 2. They are not on Packagist.org.

Yes, I've followed the documentation from @bramdriesen, but as @drumm said, those modules like drupal/token do not exist on Packagist.

Does the https://packages.drupal.org/8 works with Composer 2? I've been trying yesterday all day long withouth success, I get a segmentation fault whenever I do any composer operation. How can I be sure that that repository is working with Composer 2?

Thanks!

Does Composer2 work with that repository? If not, what are the alternatives?

Yes, as it's still the recommended way to install Drupal with Composer. But maybe not that tag/branch. Drupal 8 is EOL for quite a long time now, you might want to check if you can upgrade.

The segmentation fault might be solved if you do the composer install first with the --no-plugins flag.

"composer install" works just because there is a composer.lock file. It's what "composer create project" does.

The problem is that you cannot update with "composer update" or install additional plugins with "composer require", as it queries packages.drupal.org/8/packages.json and the file does not exist.

If I remove everything from drupal/recommended-project and just keep composer.json, the segfault arises again

/usr/src/myapp/dist $ composer install -vvv
Running 2.2.24 (2024-06-10 22:51:52) with PHP 7.2.19 on Linux / 6.10.4-linuxkit
Reading ./composer.json (/usr/src/myapp/dist/composer.json)
Loading config file ./composer.json (/usr/src/myapp/dist/composer.json)
Checked CA file /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/certs/ca-certificates.crt: valid
Executing command (/usr/src/myapp/dist): git branch -a --no-color --no-abbrev -v
Executing command (/usr/src/myapp/dist): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (/usr/src/myapp/dist): git log --pretty="%H" -n1 HEAD
Executing command (/usr/src/myapp/dist): hg branch
Executing command (/usr/src/myapp/dist): fossil branch list
Executing command (/usr/src/myapp/dist): fossil tag list
Executing command (/usr/src/myapp/dist): svn info --xml
Failed to initialize global composer: Composer could not find the config file: /var/cache/composer/composer.json

No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Downloading https://packages.drupal.org/8/packages.json
Segmentation fault

Even without installing plugins

/usr/src/myapp/dist $ composer install --no-plugins -vvv
Running 2.2.24 (2024-06-10 22:51:52) with PHP 7.2.19 on Linux / 6.10.4-linuxkit
Reading ./composer.json (/usr/src/myapp/dist/composer.json)
Loading config file ./composer.json (/usr/src/myapp/dist/composer.json)
Checked CA file /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/certs/ca-certificates.crt: valid
Executing command (/usr/src/myapp/dist): git branch -a --no-color --no-abbrev -v
Executing command (/usr/src/myapp/dist): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (/usr/src/myapp/dist): git log --pretty="%H" -n1 HEAD
Executing command (/usr/src/myapp/dist): hg branch
Executing command (/usr/src/myapp/dist): fossil branch list
Executing command (/usr/src/myapp/dist): fossil tag list
Executing command (/usr/src/myapp/dist): svn info --xml
Failed to initialize global composer: Composer could not find the config file: /var/cache/composer/composer.json

No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Downloading https://packages.drupal.org/8/packages.json
Segmentation fault

I guess that although using composer 2, the file https://packages.drupal.org/8/packages.json should be present.

I've just found out that cURL is also failing with the segfault when querying the remote file.

/usr/src/myapp/dist $ curl "https://packages.drupal.org/8/packages.json" -vvv
*   Trying 151.101.134.217:443...
* TCP_NODELAY set
* Connected to packages.drupal.org (151.101.134.217) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.drupal.org
*  start date: May 13 20:50:13 2024 GMT
*  expire date: Jun 14 20:50:12 2025 GMT
*  subjectAltName: host "packages.drupal.org" matched cert's "*.drupal.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA 2024 Q2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xaaaad4b22220)
> GET /8/packages.json HTTP/2
> Host: packages.drupal.org
> User-Agent: curl/7.65.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
Segmentation fault

I will investigate more if this is an issue of my dev platform or something related to OpenSSL.

Hi guys

Sorry as it seems to be related to the openssl version shipped with the docker hub image for php:7.2.19-alpine. I'm using the php:7.4-alpine image and it seems that the segfault is not showing again.

Automatically closed - issue fixed for 2 weeks with no activity.