- Issue created by @yash.rode
- @yashrode opened merge request.
- ๐ง๐ชBelgium wim leers Ghent ๐ง๐ช๐ช๐บ
$ composer --version Composer version 2.5.2 2023-02-04 14:33:22 $ php -v PHP 8.1.13 (cli) (built: Dec 7 2022 23:32:13) (NTS) Copyright (c) The PHP Group Zend Engine v4.1.13, Copyright (c) Zend Technologies with Zend OPcache v8.1.13, Copyright (c), by Zend Technologies
and
.......... 10 / 10 (100%) Time: 00:20.813, Memory: 10.00 MB OK (10 tests, 48 assertions)
โ 2.5.2 is fine.
- Assigned to yash.rode
- ๐ง๐ชBelgium wim leers Ghent ๐ง๐ช๐ช๐บ
Other reason to support this is https://endoflife.date/composer
โ Can you please find the official source and link that instead?
Looking forward to reading your proposed resolution! ๐ค And that should help you specify a better title too ๐
- Assigned to tedbow
- Status changed to Needs review
almost 2 years ago 4:19pm 23 February 2023 - ๐บ๐ธUnited States tedbow Ithaca, NY, USA
I am sure we need to do this for the reason stated.
Change composer constraint to supported version for tests to pass.
We should support , supported versions of the composer but I don't think that is the only reason those tests are failing.
It looks like we were adding an invalid package. Maybe 1 composer version is more strict on the checks
I think ๐ Run `composer validate` after FixtureManipulator commits its changes Fixed will help with this because I have found it turns up errors like this that we were missing.
Also yash when you create an issue unless it is something we definitely should not work on now please add the
sprint
tag as I am am almost always filtering by this, thanks - Issue was unassigned.
- ๐บ๐ธUnited States tedbow Ithaca, NY, USA
the current fix in the MR probably belongs in ๐ Run `composer validate` after FixtureManipulator commits its changes Fixed
- ๐ฎ๐ณIndia yash.rode pune
Hi @wim.leers I am unable to find the official documentation for https://endoflife.date/composer. Removed test fix as it is going to be fixed in ๐ Run `composer validate` after FixtureManipulator commits its changes Fixed . @tedbow wants to discuss with you, if we want to remove support for composer 2.2 version.
- Assigned to yash.rode
- Status changed to Needs work
almost 2 years ago 9:49am 24 February 2023 - ๐ง๐ชBelgium wim leers Ghent ๐ง๐ช๐ช๐บ
Wow, that is indeed surprisingly hard to find!
Best sources I could find:
- https://blog.packagist.com/composer-2-2/
- https://github.com/endoflife-date/endoflife.date/commit/c8ee80ba5c7fbf33...But โฆ yeah โฆ perhaps https://endoflife.date/composer is then the only choice to link to ๐
It makes sense that we want to discuss dropping 2.2 support, but dropping 2.3 support in favor of a newer version @tedbow is fine with. So marking for that.
Also, why are you proposing to require only 2.4.4 if that is already unsupported today? ๐ค Why not require 2.5?
- Assigned to wim leers
- Status changed to Needs review
almost 2 years ago 10:31am 24 February 2023 - ๐ฎ๐ณIndia yash.rode pune
I was thinking that the test will pass for all the versions above 2.4.4 but I am more lean towards setting the version to 2.5 and above, so made those changes in the MR (Ignored 2.2 version for the discussion).
- Issue was unassigned.
- ๐ง๐ชBelgium wim leers Ghent ๐ง๐ช๐ช๐บ
๐
This is now blocked on the discussion @tedbow and you mentioned!
- ๐ง๐ชBelgium wim leers Ghent ๐ง๐ช๐ช๐บ
But in the meantime, could you already update the title to reflect the current direction? ๐๐
- Assigned to yash.rode
- Status changed to Needs work
almost 2 years ago 12:17pm 27 February 2023 - ๐บ๐ธUnited States phenaproxima Massachusetts
Wim Leers โ credited phenaproxima โ .
- ๐ง๐ชBelgium wim leers Ghent ๐ง๐ช๐ช๐บ
๐ Add a validate() method to ComposerInspector to ensure that Composer is usable Fixed moved the constraint to a different place. This MR needs to be updated.
@yash.rode We did discuss this on Friday. In the future, please update the issue accordingly if I didn't.
The conclusion was: support everything listed in https://endoflife.date/composer โ that means the LTS (2.2) and the current version (2.5).
- ๐ฎ๐ณIndia yash.rode pune
The test is passing on my local but failing on drupal CI.
- ๐บ๐ธUnited States phenaproxima Massachusetts
Re-titling for clarity.
- ๐ง๐ชBelgium wim leers Ghent ๐ง๐ช๐ช๐บ
๐ to what @phenaproxima said.
Let's also add an
@see
pointing to composer's security advisory. - ๐บ๐ธUnited States effulgentsia
Is the purpose of this issue solely to drop support for potentially insecure Composer versions, or was there something that Composer fixed in 2.2.12 and 2.5, but not in 2.3 or 2.4, and we rely on that fix? If the latter, what was that fix?
- ๐บ๐ธUnited States phenaproxima Massachusetts
We already don't support Composer 2.2.11 or earlier, because of the security fix made in 2.2.12.
We currently support 2.3.5 and up, but 2.3 and 2.4 are EOL. So this is really just about dropping support for EOLed versions of Composer. Re-titling for clarity.
- Assigned to wim leers
- Status changed to Needs review
almost 2 years ago 11:23am 28 February 2023 - Issue was unassigned.
- Status changed to RTBC
almost 2 years ago 12:27pm 28 February 2023 - ๐ง๐ชBelgium wim leers Ghent ๐ง๐ช๐ช๐บ
This still did not yet address what I asked in #21:
Let's also add an
@see
pointing to composer's security advisory.Given this is an
alpha
blocker, fixed that myself and slightly tightened test coverage for maximum confidence: now all boundaries are tested ๐ -
phenaproxima โ
committed 431d5344 on 3.0.x authored by
yash.rode โ
Issue #3343889 by yash.rode, Wim Leers, phenaproxima, tedbow: Drop...
-
phenaproxima โ
committed 431d5344 on 3.0.x authored by
yash.rode โ
- Status changed to Fixed
almost 2 years ago 12:56pm 28 February 2023 - ๐บ๐ธUnited States phenaproxima Massachusetts
Glad to see this done! ๐
Automatically closed - issue fixed for 2 weeks with no activity.