Drupal 10 Core Roadmap for Automatic Updates

📌 Split up UpdaterFormTest to speed up test runs: from 13.5 to 10.5 minutes Fixed landed!

(And moved [#319679] + 📌 Make build tests fail 1) more explicitly, 2) earlier when possible (failing StatusCheckEvent subscribers) Fixed + #317815: cannot change php or .htaccess file, cannot find code mentioned → from the bucket to the bucket.)

📌 Add documentation for SymlinkValidatorTest Fixed landed (and moved it from the bucket to the bucket).

Added 🐛 Harden LockFileValidator, add stopPropagation() at failures Closed: outdated (discovered by @omkar.podey) to .

Added 📌 Add addDotGitFolder functionality to \Drupal\fixture_manipulator\FixtureManipulator Fixed to , which is the new blocker for 🐛 GitExcluder should not ignore .git directories that belong to packages installed by Composer Fixed that @tedbow identified.

🐛 Automatic Updates & Package Manager should use DependencySerializationTrait when needed Closed: outdated is now obsolete thanks to other issues having landed ⇒ 📌 Fix PHP Warning: serialize() in tests on PHP 8 Fixed is unblocked.

Added 🐛 The 'fake_site' fixture cannot be using with `composer show` because the packages are not installed Fixed to .

Landed:

• 📌 Add error handling for \Drupal\package_manager\Stage::getIgnoredPaths() Fixed
• 📌 package_manager_bypass should *minimally* bypass php-tuf/composer-stager, not maximally Fixed

merged 📌 Add addDotGitFolder functionality to \Drupal\fixture_manipulator\FixtureManipulator Fixed

Added 📌 Update Package Manager event documentation in package_manager.api.php Fixed to .

🐛 GitExcluder should not ignore .git directories that belong to packages installed by Composer Fixed landed 🥳

Added 📌 Identify & vet commonly used composer plugins in the Drupal ecosystem Active to post-MVP.

🐛 phpcs stopped working since the switch to testing on Drupal 10.0.x by default Fixed landed 🎆

Landed:

• 📌 Make build tests fail 1) more explicitly, 2) earlier when possible (failing StatusCheckEvent subscribers) Fixed
• 📌 ComposerSettingsValidator should run `composer config` to determine if HTTPS is enabled Fixed

Improving consistency of the buckets that are done 🥳

New MVP issue: 📌 Add functional test that proves there is reasonable UX whenever a stage event subscriber has an exception Fixed .

New post-MVP issues:

• 📌 Drupal core's coding standards forbid translated exceptions, but does that anyway — f.e. FileValidationException Active
• 📌 Add build test to test cweagans/composer-patches end-to-end Closed: won't fix

📌 Remove all fixtures except for one: `fake_site` Fixed landed and triggered a new post-MVP issue: 🐛 Document that StageFixtureManipulator should not be used in build tests Active .

Added 📌 Do not allow drupal/core-composer-scaffold to be used by packages other than core Fixed .

📌 Improve the user experience of having your staged update deleted before it was applied Fixed landed, which means we have no further known MVP UX improvement issues on the roadmap! 🎉

Added 🐛 "Composer not found" does provide link to help page Fixed .

📌 Limit trusted Composer plugins to a known list, allow user to add more Fixed and 🐛 The 'fake_site' fixture cannot be using with `composer show` because the packages are not installed Fixed landed!

Added many MVP issues created in the past 10 days that were still missing from the roadmap:

1. 📌 Dynamically copy scaffold file mapping when create fake_site fixture Fixed
2. 🐛 Random failure: "PHP temp directory (/tmp) does not exist or is not writable to Composer." Fixed
3. 🐛 Always show summary of validation result if exists Fixed
4. 📌 ComposerPatchesValidator should use ComposerInspector instead of ComposerUtility Fixed
5. 📌 PackageManagerKernelTestBase::assertResults does not show actual results if none were expected. Fixed (already solved)
6. 📌 PackageManagerKernelTestBase::assertResults does not give helpful error message if asserting results are empty fails Fixed (already solved)
7. 📌 Assert no errors after creating the test project in ModuleUpdateTest Needs review

Added 📌 Tighten ComposerPluginsValidator: support only specified version constraint Fixed .

🐛 Validate compliance with composer minimum stability during PreRequireEvent Fixed landed.

🐛 Always show summary of validation result if exists Fixed landed.

🐛 Harden LockFileValidator, add stopPropagation() at failures Closed: outdated was closed.

Landed:

1. 📌 Update Package Manager event documentation in package_manager.api.php Fixed
2. 📌 Improve documentation for package_manager_bypass test module Fixed
3. 🐛 "Composer not found" does provide link to help page Fixed

📌 Exclude unknown paths in project base: only allow vendor + web root + whatever drupal/core-composer-scaffold allows Fixed landed.

📌 Reliably support cweagans/composer-patches in Package Manager & Automatic Updates: validate stage Fixed shipped 🚢

New MVP issues created since #67 that I was not aware of previously:

1. 🐛 anonymous ProcessOutputCallbackInterface class ComposerInspector::getConfig() assumes __invoke does receive any data in error buffer Closed: duplicate
2. 🌱 Tag 8.x-2.7, and move development to new 3.x branch to focus on Core inclusion Fixed — already finished
3. 📌 Document when PostApplyEvent should be used instead of hook_update_n() or post update RTBC
4. 📌 Update requirements for 3.x Fixed

Added 📌 Always catch \Throwable, not \Exception, and pass the old exception when re-throwing. Fixed .

📌 Remove our runtime dependency on composer/composer: remove ComposerUtility Fixed was listed twice! 🙈

Adding 📌 Finalize \Drupal\automatic_updates\Development\Converter script to update core MR Fixed .

Adding 🌱 Drupal 10 Core Roadmap for Automatic Updates Active .

📌 Update requirements for 3.x Fixed and 📌 Adopt PHP 8.1-only capabilities such as constructor property promotion + drop BC layers Fixed landed.

Adding

1. 🐛 Fix PHPStan violations (happened because PHPStan code checks stopped running…) Fixed
2. 📌 Rename validator methods to `validate` unless there different methods for different events Fixed
3. 📌 ScaffoldFilePermissionsValidator should use ComposerInspector instead of ComposerUtility Fixed

📌 Stage no longer needs the config factory Closed: duplicate happened in 📌 Adopt PHP 8.1-only capabilities such as constructor property promotion + drop BC layers Fixed 👋

(Also: #80 was wrong 😅 — got it right and all up-to-date in #82, but still have to undo what I did in #80.)

29 remain (34 actually remain, but of which 5 are postponed because we want to land package_manager first)

Adding

1. 🐛 Hard failure after module install if composer is not found Needs review
2. ✨ Make StageEvent::$stage a public readonly property, and remove getStage() Fixed
3. 🐛 $tempStore property of stage was removed Fixed — already fixed

30 remain (35 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

completed 📌 Mark FailureMarker @internal and document ComposerUtility, PathLocator and ValidationResult Fixed

✨ Make StageEvent::$stage a public readonly property, and remove getStage() Fixed also landed.

Adding 🐛 UnknownPathExcluder doesn’t consider hidden files Fixed and 📌 Decide which classes should be internal and/or final — delete ExcludedPathsTrait, make CollectPathsToExcludeEvent richer Fixed .

30 remain (35 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

Moved one issue to the right place.

📌 Remove `@requires PHP >= 8.0` annotation from all tests Fixed and 🐛 UnknownPathExcluder doesn’t consider hidden files Fixed landed!

28 remain (33 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

Landed:

1. 📌 Rename validator methods to `validate` unless there different methods for different events Fixed
2. 📌 Add new InstalledPackagesList which does not rely on Composer API to get package info Fixed — Which was somehow missing?!?! 😱 → unblocked several issues: 📌 Tighten ComposerPluginsValidator: support only specified version constraint Fixed and 📌 ScaffoldFilePermissionsValidator should use ComposerInspector instead of ComposerUtility Fixed (which in turn blocks another issue).

Closed: 🐛 anonymous ProcessOutputCallbackInterface class ComposerInspector::getConfig() assumes __invoke does receive any data in error buffer Closed: duplicate .

26 remain (31 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

New: 📌 Create an API for base requirement validators which run before other validators and stop event propagation if they fail Fixed , blocking 🐛 Hard failure after module install if composer is not found Needs review .

27 remain (32 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

A lot has happened in the past 48 hours!

Landed:

1. 📌 Dynamically copy scaffold file mapping when create fake_site fixture Fixed
2. 📌 Always catch \Throwable, not \Exception, and pass the old exception when re-throwing. Fixed
3. 📌 Refine multisite detection: many aliases for a single site is fine! Fixed
4. 🐛 Fix PHPStan violations (happened because PHPStan code checks stopped running…) Fixed

New:

1. 📌 Stop reusing core's commit-code-check.sh in favor of 4 simple commands Fixed — already landed
2. 📌 Validate fake_site with composer Fixed — already landed
3. 📌 Benchmark how slow using composer require would be in kernel tests Fixed
4. 📌 Update FixtureManipulator to work with InstalledPackagesList, real composer show command Fixed
5. 🐛 Drop support for end-of-life versions of Composer Fixed
6. 📌 Add a validate() method to ComposerInspector to ensure that Composer is usable Fixed
7. 📌 Run `composer validate` after FixtureManipulator commits its changes Fixed

28 remain (33 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

I learned from @Wim Leers and @tedbow that some of the issues in the alpha blockers list are a consequence of trying to remove the dependency on composer/composer within tests. I just want to point out that the scope of 📌 Remove our runtime dependency on composer/composer: remove ComposerUtility Fixed is to remove the runtime dependency on that. It's okay to leave composer/composer as a dev dependency, since it already is that for core anyway.

So if it helps to move some of the issues for refactoring tests to not use composer/composer to post-alpha, I'd be +1 to that, so long as we think that the tests are still sufficiently reliable without that refactoring.

Landed 📌 Add a validate() method to ComposerInspector to ensure that Composer is usable Fixed .

Added 📌 Make ComposerInspector::getVersion() private Fixed .

Landed: 📌 Make ComposerInspector::getVersion() private Fixed

Added:

• 📌 ComposerInspector::validate() should throw ComposerNotReadyException instead of \Exception Fixed
• 📌 ComposerInspector::validate() should run `composer validate` Fixed
• 📌 Do not disable package_manager.validator.composer in tests Fixed — already landed

28 remain (33 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 Run `composer validate` after FixtureManipulator commits its changes Fixed landed.

@tedbow, @Wim Leers, @lauriii, and I met and discussed the alpha vs beta classification of many of the issues.
The issues that were moved to a new Beta section are no less important to the codebase or the end user, but they could happen after an initial commit to a dev branch of core.

See https://www.drupal.org/about/core/policies/core-change-policies/experime... → for more distinction on alpha vs beta.

Wim Leers → credited lauriii → .

Thanks — #96 + #98 look great!

And thanks for fixing what I got wrong in #97! 🙈😄

Credited @lauriii because @tim.plunkett did not have the necessary permissions.

Landed: 📌 ComposerInspector::validate() should run `composer validate` Fixed

• package_manager: alpha: 11 remain
• package_manager + automatic_updates: alpha + beta: 27 remain (32 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 Remove dependency on symfony/finder Fixed was blocked for months. It's now unblocked. That's why it's now also clear that we won't need an issue to add symfony/finder as a new core dependency. But we will need that for symfony/config. I already reported that on Dec 9.

@longwave already responded favorably. I just posted a patch there, and am adding it to this issue.

I'm also making it more clear which issues are core issues already — of the 12 remaining (now 13), there are 3 core issues. Finally: this did not yet link to the issue where this module will be added to core: ✨ Add Alpha level Experimental Automatic Updates module Needs work . Fixed that too.

• package_manager alpha blockers: 13 remain, 10 are under our control, 3 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 28 remain (33 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

🐛 Drop support for end-of-life versions of Composer Fixed landed while I was writing #102 🚀

• package_manager alpha blockers: 12 remain, 9 are under our control, 3 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 27 remain (32 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 Remove dependency on symfony/finder Fixed landed.

Removing 📌 Add symfony/config to core's dependencies for package_manager Closed: duplicate in favor of 📌 Remove dependency on symfony/config Fixed , which sidesteps the problem completely and doesn't require core (or Package Manager!) to add additional dependencies.

📌 Remove dependency on symfony/config Fixed landed!

Indeed! 😊

• package_manager alpha blockers: 10 remain, 8 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 25 remain (30 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 Refactor exception architecture Fixed is done!

📌 Update FixtureManipulator to work with InstalledPackagesList, real composer show command Fixed landed, and unblocked 📌 ScaffoldFilePermissionsValidator should use ComposerInspector instead of ComposerUtility Fixed + 📌 ComposerPatchesValidator should use ComposerInspector instead of ComposerUtility Fixed .
📌 Create an API for base requirement validators which run before other validators and stop event propagation if they fail Fixed landed

New beta blockers:

• 🐛 PackageManagerKernelTestBase::assertResults ignores event class Fixed — already landed
• 🐛 InstalledPackage::$path for metapackages should be NULL Fixed
• 🐛 Update every ComposerValidator-dependent validator to have explicit test coverage that that dependency works Needs work

New beta blockers which are blocking 📌 Remove our runtime dependency on composer/composer: remove ComposerUtility Fixed (see #3316368-23: Remove our runtime dependency on composer/composer: remove ComposerUtility → ):

• 📌 Updater should use ComposerInspector instead of ComposerUtility Fixed
• 📌 ExtensionUpdater should use ComposerInspector instead of ComposerUtility Fixed
• 📌 \Drupal\automatic_updates_extensions\Form\UpdateReady should use ComposerInspector instead of ComposerUtility Fixed
• 📌 \Drupal\automatic_updates_extensions\Form\UpdaterForm should use ComposerInspector instead of ComposerUtility Fixed
• 📌 UpdateReleaseValidator should use ComposerInspector instead of ComposerUtility Fixed
• 📌 GitExcluder should use ComposerInspector instead of ComposerUtility Fixed
• 📌 UnknownPathExcluder should use ComposerInspector instead of ComposerUtility Fixed
• 📌 OverwriteExistingPackagesValidator should use ComposerInspector instead of ComposerUtility Fixed
• 📌 SupportedReleaseValidator should use ComposerInspector instead of ComposerUtility Fixed
• 📌 CollectIgnoredPathsFailValidator should use ComposerInspector instead of ComposerUtility Fixed
• 📌 FakeSiteFixtureTest should use ComposerInspector instead of ComposerUtility Fixed
• 📌 StatusCheckTraitTest should use ComposerInspector instead of ComposerUtility Fixed
• 📌 RequestedUpdateValidator should use ComposerInspector instead of ComposerUtility Fixed
• 📌 VersionPolicyValidator should use ComposerInspector instead of ComposerUtility Fixed
• 📌 \Drupal\automatic_updates\Form\UpdateReady should use ComposerInspector instead of ComposerUtility Fixed

Forgot to move 📌 Update FixtureManipulator to work with InstalledPackagesList, real composer show command Fixed !

• package_manager alpha blockers: 9 remain, 8 are under our control, 3 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 39 remain (44 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 Remove our runtime dependency on composer/composer: remove ComposerUtility Fixed is listed as an alpha blocker, which would make the 15 new beta blockers at the bottom of #109 actually alpha blockers. But @tim.plunkett, @lauriii, @tedbow and I kept #3316368 as an alpha blocker — I because proving that it can in fact be removed is an alpha blocker, but actually finishing it is not? We need to get clarity on this.

Landed:

• 📌 VersionPolicyValidator should use ComposerInspector instead of ComposerUtility Fixed
• 📌 \Drupal\automatic_updates_extensions\Form\UpdateReady should use ComposerInspector instead of ComposerUtility Fixed

⇒

• package_manager alpha blockers: 17 remain, 15 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 31 remain (36 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

Landed:

• 📌 RequestedUpdateValidator should use ComposerInspector instead of ComposerUtility Fixed
• 📌 ExtensionUpdater should use ComposerInspector instead of ComposerUtility Fixed

⇒

• package_manager alpha blockers: 15 remain, 13 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 29 remain (34 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

I see I failed to mention that my proposal to close #3342430 as outdated in #3342430-19: Hard failure after module install if composer is not found → has been accepted at #3342430-27: Hard failure after module install if composer is not found → — one less! 👍

⇒

• package_manager alpha blockers: 14 remain, 12 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 28 remain (33 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 UpdateReleaseValidator should use ComposerInspector instead of ComposerUtility Fixed landed.

📌 \Drupal\automatic_updates_extensions\Form\UpdaterForm should use ComposerInspector instead of ComposerUtility Fixed landed.

⇒

• package_manager alpha blockers: 12 remain, 10 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 26 remain (31 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 ComposerPatchesValidator should use ComposerInspector instead of ComposerUtility Fixed landed.

⇒

• package_manager alpha blockers: 11 remain, 9 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 25 remain (30 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 GitExcluder should use ComposerInspector instead of ComposerUtility Fixed landed.

⇒

• package_manager alpha blockers: 10 remain, 8 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 24 remain (29 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

@tedbow discovered a new alpha blocker: 🐛 FixtureManipulator should only use Composer commands, rather than manipulating JSON directly Fixed .

😬

🐛 FixtureManipulator should only use Composer commands, rather than manipulating JSON directly Fixed is done!

And so is 📌 UnknownPathExcluder should use ComposerInspector instead of ComposerUtility Fixed .

Also clarifying the the alpha roadmap is for ✨ Add Alpha level Experimental Package Manager module Needs review since we first want to land Package Manager in 10.1 to enable Project Browser to also land in 10.1 because Automatic updates is blocked on d.o infrastructure and will definitely not make 10.1. ✨ Add Alpha level Experimental Automatic Updates module Needs work is slated for 10.2 at this point.

⇒

• package_manager alpha blockers: 9 remain, 7 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 22 remain (27 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

Landed:

1. 📌 Remove FixtureManipulator::modifyPackage() last usage Fixed
2. 📌 ScaffoldFilePermissionsValidator should use ComposerInspector instead of ComposerUtility Fixed

@phenaproxima opened a new blocker for #3316368: 📌 Stage::validatePackageNames() should not use the Composer API Fixed .

⇒

• package_manager alpha blockers: 8 remain, 6 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 21 remain (26 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

Landed:

• 📌 Stage::validatePackageNames() should not use the Composer API Fixed
• 📌 Remove our runtime dependency on composer/composer: remove ComposerUtility Fixed

⇒

• package_manager alpha blockers: 6 remain, 4 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 19 remain (24 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

🐛 Random failure: "PHP temp directory (/tmp) does not exist or is not writable to Composer." Fixed landed.

⇒

• package_manager alpha blockers: 5 remain, 4 are under our control, 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 18 remain (23 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 Define the Package Manager API (package_manager.api.php is outdated) Fixed is in; docs gate is cleared!

📌 Define the Package Manager API (package_manager.api.php is outdated) Fixed landed!

⇒

• package_manager alpha blockers: 4 remain, 1 is under our control, 1 is blocked on upstream (Composer Stager), 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 18 remain (23 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 ComposerInspector::validate() should throw ComposerNotReadyException instead of \Exception Fixed landed and was a beta blocker.

Adding 🐛 ComposerPluginsValidator uses Composer's internal Package class Fixed as an alpha blocker, which should have been fixed as part of removing our dependency on composer/composer, but slipped through the cracks.

fixed 🐛 ComposerPluginsValidator uses Composer's internal Package class Fixed

We will need 📌 Ensure all remaining @todos have a link to an open issue Fixed before we can get core merge

quickly fixed #3319768: Document why using dblog to query logged messages in build tests is justified →

I think you meant 🐛 In CoreUpdateTest::testUi, confirm that the UI says no update is available after updating successfully Fixed ? 😁

📌 Finalize \Drupal\automatic_updates\Development\Converter script to update core MR Fixed landed.

⇒

• package_manager alpha blockers: 3 remain: 1 is blocked on upstream (Composer Stager), 2 are issues to add core dependencies
• package_manager + automatic_updates alpha + beta blockers: 15 remain (20 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

📌 Add colinodell/psr-test-logger to core's dev dependencies Fixed is in.

That leaves two remaining alpha blockers, both of which are blocked on a new tag of Composer Stager. 😎

I just merged 📌 Tighten ComposerPluginsValidator: support only specified version constraint Fixed . Nice to get that beta blocker in!

🐛 Unhandled Composer Stager exceptions leave the update process in an indeterminate state Fixed and 📌 Add symlink support to Composer Stager 2.0, require that version, and simplify UX & tests accordingly Fixed are in.

That means we are down to our last remaining alpha blocker...and it's something that requires review from core committers. 😎

Added 📌 Fix remaining @todos in ComposerPluginsValidatorTest Fixed for beta target

🐛 InstalledPackage::$path for metapackages should be NULL Fixed landed.

⇒

• package_manager alpha blockers: 1 remains: an issues to add a core dependency
• package_manager + automatic_updates alpha + beta blockers: 10 remain (15 actually remain, but 5 of these are automatic_updates-specific and hence postponed because we want to land package_manager first)

added

1. 📌 Allow JsonProcessOutputCallback and other Composer runner callbacks to gracefully handle deprecated command options Fixed
2. 🐛 ComposerMinimumStabilityValidator doesn't check dev packages Fixed - even without this you can't install packages below the stability. just checking the error early
3. 📌 Assert status checks pass as early as possible in kernel and functional tests Closed: outdated
4. 📌 Optimize Composer calls in FixtureManipulator Closed: works as designed
5. 🐛 Validate PHP version to be used by the Composer process calls Needs work
6. 📌 Ensure all remaining @todos have a link to an open issue Fixed
7. 📌 Fix remaining @todos in ComposerPluginsValidatorTest Fixed
8. 📌 Autowire everything everywhere all at once … in *Test.php files Fixed
9. 📌 Autowire everything everywhere all at once … in *.services.yml files Fixed

Changing 📌 Add a validator to check that PHP-TUF's Composer integration is present and configured correctly Fixed to an alpha requirement as per 🌱 [policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager? Needs review

I put a comment on #3316617-29: If unattended updates are enabled, ensure PHP-TUF Composer integration is present → that we need to confirm our assumptions on that issue with core policy

📌 Do not allow drupal/core-composer-scaffold to be used by packages other than core Fixed is in!

Removing a duplicate item from the roadmap.

Whoops, removed the wrong thing.

📌 Autowire everything everywhere all at once … in *Test.php files Fixed is done too.

📌 Autowire everything everywhere all at once … in *.services.yml files Fixed landed.

added 📌 Harden our HTTPS requirement Fixed

🐛 ComposerMinimumStabilityValidator doesn't check dev packages Fixed is in.

📌 Rip out the update path Fixed

📌 Rip out the update path Fixed is in.

📌 Allow JsonProcessOutputCallback and other Composer runner callbacks to gracefully handle deprecated command options Fixed is done! 🎉

📌 Ensure all remaining @todos have a link to an open issue Fixed is in too! Yeah!!!

The monumental 📌 Rename Stage to StageBase to clarify its relationship to its subclasses, and add "Stage" suffix to the Updater classes Fixed landed!

📌 Fix remaining @todos in ComposerPluginsValidatorTest Fixed is done.

Removing 📌 Add functional test that proves there is reasonable UX whenever a stage event subscriber has an exception Fixed and adding 📌 Add functional test that proves there is reasonable UX whenever Composer Stager operations have a hard failure Fixed in its place.

Hey, look at that: alpha-blocking security-related 📌 Harden our HTTPS requirement Fixed is in! 🎉

New alpha-blocking security-related issue: 📌 Flag a warning during status check if the OpenSSL extension is not enabled Fixed — related to 📌 Harden our HTTPS requirement Fixed that landed previously.

📌 Flag a warning during status check if the OpenSSL extension is not enabled Fixed is in.

🐛 str_starts_with($path, '/') does not correctly detect absolute paths on Windows Fixed

🐛 ComposerValidator's hook_help() integration is imprecise and incomplete Fixed
📌 Ensure exceptions thrown by event subscribers are logged Fixed
📌 Package Manager should keep an audit log of changes it applied to the active codebase Fixed

🐛 str_starts_with($path, '/') does not correctly detect absolute paths on Windows Fixed and 📌 Decide which classes should be internal and/or final — delete ExcludedPathsTrait, make CollectPathsToExcludeEvent richer Fixed are in!

📌 Add a validator to check that PHP-TUF's Composer integration is present and configured correctly Fixed is done too.

added 📌 If an error occurs during an attended process, delete the stage on behalf of the user Needs review

Completed 📌 Switch failure marker file from *.json to *.yml to prevent it from being readable from the web Fixed

This roadmap has not been updated in almost a month.

📌 Enable unattended updates Fixed landed, and so did 📌 Add functional test that proves there is reasonable UX whenever Composer Stager operations have a hard failure Fixed and 🐛 ComposerValidator's hook_help() integration is imprecise and incomplete Fixed . 📌 Optimize Composer calls in FixtureManipulator Closed: works as designed was closed as was 📌 Add build test to test cweagans/composer-patches end-to-end Closed: won't fix .

AFAICT missing:

1. 📌 Use the rsync file syncer by default Fixed
2. 📌 Add Symfony Console command to allow running cron updates via console and by a separate user, for defense-in-depth Fixed
3. 📌 For web server dependent unattended updates run the entire life cycle in a separate process that will not be affected by hosting time limits Fixed

AFAICT obsolete:

• 📌 Research alternatives to curl request on post apply event during cron updates Closed: outdated
• 🐛 automated_cron should not run cron when visiting update.php Active

Moved 📌 Enable unattended updates Fixed to completed.

Added a nice green checkmark to the Core Alpha Experimental blockers for Automatic Updates section :)

Removed the green checkmark from the Security section of package manager alpha blockers, since there's an open issue in that section.

Added some more core and infrastructure issues to the package manager alpha blockers list.

Moved the following to Completed:

• 📌 Add functional test that proves there is reasonable UX whenever Composer Stager operations have a hard failure Fixed
• 📌 Package Manager should keep an audit log of changes it applied to the active codebase Fixed
• 🐛 ComposerValidator's hook_help() integration is imprecise and incomplete Fixed

Removed the following, but did not move to Completed, as they were closed without fixing.

• 📌 Optimize Composer calls in FixtureManipulator Closed: works as designed
• 📌 Add build test to test cweagans/composer-patches end-to-end Closed: won't fix

Added:

• 📌 Use the rsync file syncer by default Fixed
• 📌 Add Symfony Console command to allow running cron updates via console and by a separate user, for defense-in-depth Fixed
• 📌 For web server dependent unattended updates run the entire life cycle in a separate process that will not be affected by hosting time limits Fixed

For the two possibly obsolete issues mentioned in #171, I added notes by them that they might be obsoleted by 📌 For web server dependent unattended updates run the entire life cycle in a separate process that will not be affected by hosting time limits Fixed , but I didn't remove them from the list in case 📌 For web server dependent unattended updates run the entire life cycle in a separate process that will not be affected by hosting time limits Fixed doesn't work out for whatever reason (though I think it will work out).

I think all points from #171 were resolved, so removing the assignment to @tedbow that that comment added. @tedbow: please feel free to reassign to yourself if there's something else you want to update here.

Added:

• 📌 Override Composer Stager's TranslatableFactory to return Drupal's TranslatableMarkup Fixed
• 📌 [PP-1] Require PHP-TUF's Composer integration plugin Postponed

Issues tagged core-mvp that aren't in the issue summary. Either they should be added to the issue summary or their core-mvp tag needs to be removed:

• 📌 In Core build tests have core module change a service class constructor Active
• 📌 Limit non-stable releases to RCs on updater form Closed: duplicate
• 📌 Update ProcessOutputCallback to fail on Composer deprecations, to get early notifications of Composer changes Postponed
• 📌 Determine if the PHP syncer can and should be the default file copier Needs work
• 📌 Document PACKAGE_MANAGER_FAILURE.yml in https://www.drupal.org/docs/8/update/automatic-updates Needs review
• 📌 Since #3361983 was committed to Drupal core, psr/http-message needed to be explicitly required for build tests Needs work
• 📌 Is it an error if drupal/core has no scaffold file mappings? Active
• 🐛 As of Composer 2.5.5, `composer config` JSON-encodes boolean values Fixed
• 🐛 PHPStan error in core merge request conversion Closed: outdated

Added 🌱 [policy, no patch] Make PHP's OpenSSL extension a requirement for installing and using Package Manager (and therefore, Automatic Updates and Project Browser) Fixed and 🌱 [policy, no patch] Should Package Manager require Composer HTTPS? Active as alpha-blocking policy questions in the core queue.

Added https://github.com/php-tuf/composer-stager/issues/68 to the testing section of the alpha blocker list. I think it's important for us to know the approximate time it takes to execute the full set of preconditions and make a decision on whether that's acceptable or needs optimization or refactoring. If full automation turns out to be too large a task, we can discuss alternate ideas for how to satisfy the alpha-blocking concern but let's see how that issue progresses first.

1. @effulgentsia re #182 why would that issue be an Alpha blocker as opposed to Stable or Beta? It is because it slow core's test down? It seems like an Alpha module should not have to have all the performance problems already solved.
2. Removed 🐛 Hosting environment (e.g. cPanel) may add additional files (including symlinks) to the project, which breaks AU Postponed: needs info . We now support most symlinks since 📌 Add symlink support to Composer Stager 2.0, require that version, and simplify UX & tests accordingly Fixed and we exclude must paths in the base of the project as reported in this issue since 📌 Exclude unknown paths in project base: only allow vendor + web root + whatever drupal/core-composer-scaffold allows Fixed . The issue is postponed instead of fixed to allow the original posted to report back but we aren't aware of remaining problems
3. Moving 🐛 Update every ComposerValidator-dependent validator to have explicit test coverage that that dependency works Needs work to Stable blocker
4. Moving 🐛 Validate PHP version to be used by the Composer process calls Needs work to Stable blocker. We have only seen this once. @phenaproxima is going to propose a simpler solution on the issue
5. Leaving 📌 Make readiness check failure messages clear, consistent, and actionable Needs work as stable blocker for now but I asked for an issue summary update to clarify exactly what the problem is. Depending on the result we may take it out of the roadmap
6. Removed 📌 Improve UX for trusting additional composer plugins Active . This is really a feature request that could be done after stable. Also not clear we want to move the ability to opt-in composer plugins to the UI as understanding the compatibility concerns requires deep understanding of how the system works
7. 🐛 Document that StageFixtureManipulator should not be used in build tests Active removing. This is testing request. The tests would be totally fine if we never did this. Assigned to myself to see if we can just close this issue

📌 Override Composer Stager's TranslatableFactory to return Drupal's TranslatableMarkup Fixed is in; our final translatability blocker!

📌 Remove work arounds for 10.0.x support Fixed . This is should a small issue we can do at anytime but would make use not compatible with 10.0.x. Being compatible with 10.0.x makes us be able to do minor updates in the contrib module

Moved these to Done:

• 📌 Add Symfony Console command to allow running cron updates via console and by a separate user, for defense-in-depth Fixed
• GH-CS-68: Perform and automate performance testing of Composer Stager's preconditions
• 📌 For web server dependent unattended updates run the entire life cycle in a separate process that will not be affected by hosting time limits Fixed

Removed these, since they were closed as outdated:

• 📌 Research alternatives to curl request on post apply event during cron updates Closed: outdated
• 📌 Assert status checks pass as early as possible in kernel and functional tests Closed: outdated

Removed all of the alpha-blocking categories with no remaining issues in them, and replaced them with a "Miscellaneous" category, for easier scanning.

Minor formatting tweaks.

Removing the "contrib-only" tag. Not sure what its intended meaning was earlier in this issue's history, but at this point, this issue is all about tracking what's needed to get Automatic Updates into core.

Removed 🐛 automated_cron should not run cron when visiting update.php Active as obsoleted by 📌 For web server dependent unattended updates run the entire life cycle in a separate process that will not be affected by hosting time limits Fixed .

Replaced 🌱 [policy, no patch] Should Package Manager require Composer HTTPS? Active with its child issue 🌱 [policy, no patch] Disallow using Package Manager (and therefore Automatic Updates and Project Browser) when Composer's disable-tls setting is true Needs review .

Added 🌱 [policy, no patch] Consider whether to keep Package Manager and Automatic Updates in a separate repo/package than core in order to facilitate releasing updates to the updater Needs review as another alpha-blocking policy question.

added #3352216: Securely sign Drupal core packages, even though they are hosted on GitHub/packagist directly →

Made it clear we are blocked on 📌 [policy, no patch] Use Update XML in Package manager to determine release support status Active for our path to core

Adding 🌱 [policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager? Needs review to our roadmap because this issue to our roadmap because even though I assume this has been decided the issue has not actually been closed, so it would be good to get clarity

Completed 📌 Document when PostApplyEvent should be used instead of hook_update_n() or post update RTBC

Fixed 📌 Ensure exceptions thrown by event subscribers are logged Fixed , 📌 Should we only show RC for pre-releases of core in the form? Active

Removing 📌 Assert no errors after creating the test project in ModuleUpdateTest Needs review . It is still open but now only affects automatic_updates_extensions

Fixed 🌱 [policy, no patch] Make PHP's OpenSSL extension a requirement for installing and using Package Manager (and therefore, Automatic Updates and Project Browser) Fixed and added newly created 📌 Require not just reccomend openssl extensions Active

Added 📌 Add getType to StageBase to allow subclasses to be internal Needs review

Moving completed issues to the completed section.

Finished 🐛 Create a test (or tests) to prove Package Manager works with submodules as implemented by packages.drupal.org Fixed

Updating "Core Merge request planning"

Is this roadmap still current or is there a better one?

@Gábor Hojtsy it is not current but this is the only one. I need to update it

This should be in the core queue, and it could really use an update.

I opened 📌 Package manager/ Automatic Updates should disallow composer patches by default Active which should be either beta or stable blocking, added it to a new 'beta blockers' heading for now.

Is 🐛 Exceptions in batch no longer are shown on the page when Javascript is disabled Needs work still blocking? It should have been fixed since 🐛 Only set content-length header in specific situations Fixed but no updates on there or here since.

@lauriii mentioned that it can be tricky to keep an issue summary up to date with a lot of issues to track and suggested a spreadsheet. I personally find d.o issues in spreadsheets hard to track because you can't immediately see the issue status (or maybe you can if you integrate the spreadsheet cells with d.o but that can be flaky).

To try to compromise I made 'package manager alpha blocker' and 'package manager beta blocker' tags, and then tagged the issues that are already in the issue summary or other ones I could think of. If the tags are inaccurate, please fix them and say why on the issue, just trying to collate things and get a better idea of what is actually left.

https://www.drupal.org/project/issues/search?issue_tags=package%20manage... →

https://www.drupal.org/project/issues/search?issue_tags=package%20manage... →

Added an item to the alpha stage to get a Usability review. It is not a block put it is a process that should start asap so we can avoid blockers later.

I also would like to know about the status of the other gates that are not mentioned in the issue summary, Accessibility, Documentation, Fronted and Performance.

If no one objects, can the long list of Completed be removed? I just find it distracting.

alexpott → credited longwave → .

After discussion with @xjm, @catch, @longwave and @lauriii, we decided that in order to allow beta testing without the modules being hidden, we can use the dev/prod toggle as outlined in ✨ Add a Production/Development Toggle To Core Needs work .

The list of completed issues in the IS makes this page very difficult to load and manage, so removing it from the IS. Sorry. :)

Opened 📌 Restrict package_manager (and update_manager) behind a dev/prod toggle Active .

I think that is blocking either beta, or 'alpha but in a tagged release' if I remember the Barcelona discussion correctly.

Added it to alpha blockers, which at the moment IMO means 'blocking package_manager being alpha in the 11.0.x branch'..

Opened 📌 Prepare for package_manager in core Active , probably not a stable blocker as such but we need to know what happens and have some kind of mitigation if it's bad. This is especially going to be the case assuming Drupal CMS increases the usage of contrib automatic_updates from it's current c. 1,000 installs to a lot more than that.