Remove our runtime dependency on composer/composer: remove ComposerUtility

📌 Add new InstalledPackagesList which does not rely on Composer API to get package info Fixed landed.

📌 ComposerPatchesValidator should use ComposerInspector instead of ComposerUtility Fixed needs many more sibling issues. 📌 ScaffoldFilePermissionsValidator should use ComposerInspector instead of ComposerUtility Fixed is the only one that exists so far — we need those for all validators that currently use ComposerUtility — as mentioned in #autoupdates Drupal Slack yesterday.

The issues in #16 look like they're relevant to removing a composer/composer dependency entirely. However, is there anything left unresolved before we can move composer/composer from require to require-dev? If not, it would be great to do that, close this issue, and open a separate meta for tracking all of the improvements to tests (if our other meta issues aren't already sufficient for that).

However, is there anything left unresolved before we can move composer/composer from require to require-dev

I'd say so. Any use of ComposerUtility in our runtime code (and there's still a lot of that) necessitates a runtime dependency on composer/composer.

Oh, sorry. I see now that 📌 ComposerPatchesValidator should use ComposerInspector instead of ComposerUtility Fixed is runtime code, not just test code.

Per #3343827-29: Update FixtureManipulator to work with InstalledPackagesList, real composer show command → , 📌 ComposerPatchesValidator should use ComposerInspector instead of ComposerUtility Fixed and 📌 ScaffoldFilePermissionsValidator should use ComposerInspector instead of ComposerUtility Fixed are now unblocked.

While working on 📌 Update FixtureManipulator to work with InstalledPackagesList, real composer show command Fixed , I got pretty confident that we should be able to remove all things ComposerInspector after those land. Let's see how well-founded that confidence was…

That confidence seems to have been pretty well-founded! But as I indicated in #16, this needs many more blocking issues, because we need to refactor away the many remaining uses of Stage::getActiveComposer() and Stage::getStageComposer(), as well as 2 remaining direct uses of ComposerUtility:

The good news is that that should now be easy 😊🤞

This MR is currently +37, -1113, but won't be able to land until the following are done, to address #22:

1. ScaffoldFilePermissionsValidator → 📌 ScaffoldFilePermissionsValidator should use ComposerInspector instead of ComposerUtility Fixed
2. ComposerPatchesValidator → 📌 ComposerPatchesValidator should use ComposerInspector instead of ComposerUtility Fixed
3. Updater → 📌 Updater should use ComposerInspector instead of ComposerUtility Fixed
4. ExtensionUpdater → 📌 ExtensionUpdater should use ComposerInspector instead of ComposerUtility Fixed
5. \Drupal\automatic_updates_extensions\Form\UpdateReady → 📌 \Drupal\automatic_updates_extensions\Form\UpdateReady should use ComposerInspector instead of ComposerUtility Fixed
6. \Drupal\automatic_updates_extensions\Form\UpdaterForm → 📌 \Drupal\automatic_updates_extensions\Form\UpdaterForm should use ComposerInspector instead of ComposerUtility Fixed
7. UpdateReleaseValidator → 📌 UpdateReleaseValidator should use ComposerInspector instead of ComposerUtility Fixed
8. GitExcluder → 📌 GitExcluder should use ComposerInspector instead of ComposerUtility Fixed
9. UnknownPathExcluder → 📌 UnknownPathExcluder should use ComposerInspector instead of ComposerUtility Fixed
10. OverwriteExistingPackagesValidator → 📌 OverwriteExistingPackagesValidator should use ComposerInspector instead of ComposerUtility Fixed
11. SupportedReleaseValidator → 📌 SupportedReleaseValidator should use ComposerInspector instead of ComposerUtility Fixed
12. CollectIgnoredPathsFailValidator → 📌 CollectIgnoredPathsFailValidator should use ComposerInspector instead of ComposerUtility Fixed
13. FakeSiteFixtureTest → 📌 FakeSiteFixtureTest should use ComposerInspector instead of ComposerUtility Fixed
14. StatusCheckTraitTest → 📌 StatusCheckTraitTest should use ComposerInspector instead of ComposerUtility Fixed
15. RequestedUpdateValidator → 📌 RequestedUpdateValidator should use ComposerInspector instead of ComposerUtility Fixed
16. VersionPolicyValidator → 📌 VersionPolicyValidator should use ComposerInspector instead of ComposerUtility Fixed
17. \Drupal\automatic_updates\Form\UpdateReady → 📌 \Drupal\automatic_updates\Form\UpdateReady should use ComposerInspector instead of ComposerUtility Fixed

I think any issue not in package_manager but in automatic_updates can be marked as core-post-mvp
Worst case scenario we could move ComposerUtility into automatic_updates as this will not be going into core first
so please work on package_manager issues first

Sure, but … until the ones in AU/AUE are removed … we cannot actually remove the composer/composer dependency 🙈 So not impossible, but definitely would leave things in a confusing state, although 📌 Finalize \Drupal\automatic_updates\Development\Converter script to update core MR Fixed could compensate for it for the package_manager-only MR.

@joachim very interesting!

What if someone runs a command from the terminal with `--no-plugins`? I don't think we could stop that. Won't this list then be out of date because the yml file not be updated? I guess maybe to get around that you could store a hash of the `composer.lock` in the yml file from that last time the .yml was updated and then anyone reading the file could check it is up-to-date. But still it would be out of date whether you detect I am not sure helps

Landed:

• 📌 VersionPolicyValidator should use ComposerInspector instead of ComposerUtility Fixed
• 📌 \Drupal\automatic_updates_extensions\Form\UpdateReady should use ComposerInspector instead of ComposerUtility Fixed

Joined by:

📌 RequestedUpdateValidator should use ComposerInspector instead of ComposerUtility Fixed
📌 ExtensionUpdater should use ComposerInspector instead of ComposerUtility Fixed

📌 UpdateReleaseValidator should use ComposerInspector instead of ComposerUtility Fixed landed.

📌 \Drupal\automatic_updates_extensions\Form\UpdaterForm should use ComposerInspector instead of ComposerUtility Fixed landed.

As did 📌 ComposerPatchesValidator should use ComposerInspector instead of ComposerUtility Fixed .

📌 GitExcluder should use ComposerInspector instead of ComposerUtility Fixed landed.

📌 UnknownPathExcluder should use ComposerInspector instead of ComposerUtility Fixed landed.

Added 📌 Stage::validatePackageNames() should not use the Composer API Fixed .

The final blockers are in: 📌 ScaffoldFilePermissionsValidator should use ComposerInspector instead of ComposerUtility Fixed and 📌 Remove FixtureManipulator::modifyPackage() last usage Fixed .

I haven't got 📌 Stage::validatePackageNames() should not use the Composer API Fixed done yet, but I don't think we need to wait for that. Here's why: Composer won't accept a bad constraint, as far as I know. Even if you do composer require --no-update. So although it's not very sophisticated, I think the very, very basic validation we have in this merge request is sufficient. In 📌 Stage::validatePackageNames() should not use the Composer API Fixed , I'll restore it by checking against a regex that Composer itself supplies, and using the VersionParser class, which is a safe runtime dependency provided by core.

But I don't see any reason we should keep ComposerUtility around a day longer. Self-assiging to finish this now and rip it out.

Hmmm...we might still be blocked by validatePackageNames(). The basic str_contains($package_name, '/') validation is not good enough, because it doesn't allow for platform packages, or other legitimate requirements that Composer supports which don't follow that format.

The original plan outlined in the issue summary -- writing the requirements to an alternate composer.json and calling validate on it -- might be the best approach here.

Yeah, sorry, folks -- this is blocked by 📌 Stage::validatePackageNames() should not use the Composer API Fixed .

However, I'm leaving that one in a reviewable state. Once it's committed, the MR here should pass without any problem.

There are a bunch of mentions to installed.json and installed.php left after this MR:

• 99% of them occur in FixtureManipulatorTest (for example to verify that the original fixture's installed.json and installed.php are unchanged)
• 1% in TemplateProjectTestBase (to help generate a composer project from scratch for Build tests)

I think these can all be factored away, but … that doesn't block removing the composer/composer dependency, so that's out of scope for this issue. So created follow-up issues for both:

• 📌 Remove FixtureManipulatorTest's reliance on installed.json and installed.php Fixed
• 📌 Use Composer commands instead of parsing installed.json in TemplateProjectTestBase Fixed

📌 Stage::validatePackageNames() should not use the Composer API Fixed is in, updating this MR… 🥳

Turns out that those failures are being triggered by @phenaproxima's nice simplification in \Drupal\fixture_manipulator\FixtureManipulator::removePackage() … but that simplification was right!

Apparently somehow composer require some/package --no-update works even for require-dev packages, but only if there's a separate subsequent composer update!

@phenaproxima changed it to do composer require some/package (without the subsequent composer update), and that now fails. This is simple enough to fix though: make sure we pass TRUE to FixtureManipulator::removePackage() calls if they're for require-dev packages.

Fixed in the commit I just pushed!

There is not a single contentious thing in here. It's deleting code that's effectively unused in HEAD.

The diffstat speaks for itself:

+25 -967

The only "change" that is introduced here is described in #46. And adding docs. Those are the last 2 commits. They're tiny in the grand scheme of things.

@phenaproxima did not spot problems in his reviews last night (see #40–#43).

Therefore, going ahead and merging this, so we can get a green core merge request going at ✨ Add Alpha level Experimental Package Manager module Needs review ! 🚀

🚢

Automatically closed - issue fixed for 2 weeks with no activity.