Reliably support cweagans/composer-patches in Package Manager & Automatic Updates: validate stage

Created on 2 December 2021, about 3 years ago
Updated 21 February 2023, almost 2 years ago

Problem/Motivation

https://github.com/cweagans/composer-patches is widely used but we probably can't offer full support.

Proposed resolution

Possible solutions:

  1. Do nothing in code but have handbook page to describe possible problems
  2. Make a validator that doesn't allow updates if this library is installed. In this case, more complex use cases could remove this validator if they want to support it.
  3. Check for composer-exit-on-patch-failure to make sure it will error out, and warn or error if it is not set
  4. Check to see if core is patched and warn or error
  5. Check the patches applied in stage and make sure they are applied the same as in active


→ This problem has been addressed by 📌 Limit trusted Composer plugins to a known list, allow user to add more (Fixed) and will be fully addressed once 📌 Tighten ComposerPluginsValidator: support only specified version constraint (Fixed) is done.


→ Automatic Updates will never modify the extra section of composer.json, so that is a non-concern. That, combined with composer-exit-on-patch-failure and the protection against installing/uninstalling cweagans/composer-patches, means this is all addressed.

We should not check that the same set of patches is applied, because package_manager is a very general module; there very well may be a patch_manager module at some point in the future which will allow adding/removing patches listed in extra 🤓

To be clear: we only need to address this problem thoroughly enough to be included in core. That means we don't need to solve the problem from every angle; we just need to make this "good enough" for the majority of sites. Even a simple warning about composer-exit-on-patch-failure might be enough for core's purposes. We can leave very robust solutions to contrib.

At this point, we've done much more than this. We're validating that:

  1. composer-exit-on-patch-failure is enabled
  2. cweagans/composer-patches is required in the root composer.json, i.e. not indirectly
  3. cweagans/composer-patches cannot be installed nor removed through Package Manager; it can only be enabled manually

… which combined with 📌 Limit trusted Composer plugins to a known list, allow user to add more (Fixed) and 📌 Tighten ComposerPluginsValidator: support only specified version constraint (Fixed) does guarantee that the use of cweagans/composer-patches cannot result in a site getting broken through either Automatic Updates or Project Browser.
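The three checks listed above, sketched against decoded composer.json data. This is an added illustration, not Package Manager's own validator code; the function names, the array inputs, the sample data and the treatment of require-dev as a direct requirement are assumptions.

```php
<?php
// Added illustration; not Package Manager's validator code.
const PATCHER = 'cweagans/composer-patches';

/** True if the root composer.json requires the patcher directly.
 *  Assumption: require-dev counts as a direct requirement too. */
function requiresPatcher(array $root): bool {
  return isset($root['require'][PATCHER]) || isset($root['require-dev'][PATCHER]);
}

/**
 * Returns error strings for the three checks; an empty array means OK.
 * $active / $stage: decoded root composer.json of each directory.
 * $stageLocked: names of all packages locked in the stage directory.
 */
function validatePatcher(array $active, array $stage, array $stageLocked): array {
  $errors = [];
  $inActive = requiresPatcher($active);
  $inStage = requiresPatcher($stage);
  // Check 3: the plugin may not be added or removed during a stage operation.
  if ($inActive !== $inStage) {
    $errors[] = PATCHER . ' was ' . ($inStage ? 'installed' : 'removed') . ' in the stage';
  }
  // Check 2: if the plugin is present at all, the root package must require it.
  if (in_array(PATCHER, $stageLocked, true) && !$inStage) {
    $errors[] = PATCHER . ' is present only as an indirect dependency';
  }
  // Check 1: a failed patch must abort Composer instead of being skipped.
  $flag = $stage['extra']['composer-exit-on-patch-failure'] ?? false;
  if ($inStage && $flag !== true) {
    $errors[] = 'composer-exit-on-patch-failure is not enabled';
  }
  return $errors;
}

// Constructed sample data (not taken from a real site).
$active = json_decode('{"require":{"drupal/core":"^10",
  "cweagans/composer-patches":"^1.7"},
  "extra":{"composer-exit-on-patch-failure":true}}', true);
$goodStage = $active;              // unchanged plugin state: passes
$badStage = $active;
unset($badStage['extra']['composer-exit-on-patch-failure']); // flag missing
$locked = ['drupal/core', PATCHER];

var_dump(validatePatcher($active, $goodStage, $locked));
var_dump(validatePatcher($active, $badStage, $locked));
```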

Remaining tasks

📌 Task
Status

Fixed

Version

2.0

Component

Code

Created by

🇺🇸 United States tedbow Ithaca, NY, USA
