- Issue created by @spokje
- 🇳🇱Netherlands spokje
$ composer-lock-diff --no-links
+---------------------------------+---------+---------+
| Production Changes              | From    | To      |
+---------------------------------+---------+---------+
| composer/installers             | v2.2.0  | v2.3.0  |
| doctrine/annotations            | 1.14.3  | 1.14.4  |
| guzzlehttp/guzzle               | 7.8.1   | 7.9.2   |
| guzzlehttp/promises             | 2.0.2   | 2.0.4   |
| guzzlehttp/psr7                 | 2.6.2   | 2.7.0   |
| mck89/peast                     | v1.16.2 | v1.16.3 |
| symfony/console                 | v6.4.12 | v6.4.14 |
| symfony/dependency-injection    | v6.4.7  | v6.4.13 |
| symfony/error-handler           | v6.4.7  | v6.4.14 |
| symfony/event-dispatcher        | v6.4.7  | v6.4.13 |
| symfony/filesystem              | v6.4.12 | v6.4.13 |
| symfony/finder                  | v6.4.11 | v6.4.13 |
| symfony/http-foundation         | v6.4.7  | v6.4.14 |
| symfony/http-kernel             | v6.4.7  | v6.4.14 |
| symfony/mailer                  | v6.4.7  | v6.4.13 |
| symfony/mime                    | v6.4.7  | v6.4.13 |
| symfony/polyfill-iconv          | v1.29.0 | v1.31.0 |
| symfony/polyfill-intl-idn       | v1.29.0 | v1.31.0 |
| symfony/polyfill-php83          | v1.29.0 | v1.31.0 |
| symfony/process                 | v6.4.12 | v6.4.14 |
| symfony/psr-http-message-bridge | v6.4.7  | v6.4.13 |
| symfony/routing                 | v6.4.7  | v6.4.13 |
| symfony/serializer              | v6.4.7  | v6.4.13 |
| symfony/string                  | v6.4.12 | v6.4.13 |
| symfony/validator               | v6.4.7  | v6.4.14 |
| symfony/var-dumper              | v6.4.7  | v6.4.14 |
| symfony/var-exporter            | v6.4.7  | v6.4.13 |
| symfony/yaml                    | v6.4.7  | v6.4.13 |
+---------------------------------+---------+---------+

+------------------------------------+----------+----------+
| Dev Changes                        | From     | To       |
+------------------------------------+----------+----------+
| composer/ca-bundle                 | 1.5.2    | 1.5.3    |
| composer/composer                  | 2.8.1    | 2.8.2    |
| drupal/coder                       | 8.3.24   | 8.3.25   |
| google/protobuf                    | v3.25.3  | v4.28.3  |
| lullabot/mink-selenium2-driver     | v1.7.2   | v1.7.4   |
| lullabot/php-webdriver             | v2.0.4   | v2.0.6   |
| mglaman/phpstan-drupal             | 1.2.11   | 1.3.1    |
| myclabs/deep-copy                  | 1.12.0   | 1.12.1   |
| nikic/php-parser                   | v5.2.0   | v5.3.1   |
| open-telemetry/api                 | 1.0.3    | 1.1.1    |
| open-telemetry/context             | 1.0.2    | 1.1.0    |
| open-telemetry/exporter-otlp       | 1.0.4    | 1.1.0    |
| open-telemetry/gen-otlp-protobuf   | 1.1.0    | 1.2.1    |
| open-telemetry/sdk                 | 1.0.8    | 1.1.2    |
| php-http/discovery                 | 1.19.4   | 1.20.0   |
| php-http/httplug                   | 2.4.0    | 2.4.1    |
| phpdocumentor/reflection-docblock  | 5.4.0    | 5.5.1    |
| phpdocumentor/type-resolver        | 1.8.2    | 1.10.0   |
| phpstan/extension-installer        | 1.3.1    | 1.4.3    |
| phpstan/phpdoc-parser              | 1.29.0   | 1.33.0   |
| phpstan/phpstan                    | 1.12.6   | 1.12.8   |
| phpstan/phpstan-deprecation-rules  | 1.2.0    | 1.2.1    |
| sirbrillig/phpcs-variable-analysis | v2.11.18 | v2.11.19 |
| squizlabs/php_codesniffer          | 3.9.2    | 3.10.3   |
| symfony/browser-kit                | v6.4.7   | v6.4.13  |
| symfony/css-selector               | v6.4.7   | v6.4.13  |
| symfony/dom-crawler                | v6.4.7   | v6.4.13  |
| symfony/lock                       | v6.4.7   | v6.4.13  |
| symfony/phpunit-bridge             | v6.4.7   | v6.4.13  |
| symfony/polyfill-php82             | v1.29.0  | v1.31.0  |
| webflo/drupal-finder               | 1.3.0    | 1.3.1    |
| brick/math                         | NEW      | 0.12.1   |
| nyholm/psr7-server                 | NEW      | 1.1.0    |
| ramsey/collection                  | NEW      | 2.0.0    |
| ramsey/uuid                        | NEW      | 4.7.6    |
| tbachert/spi                       | NEW      | v1.0.2   |
+------------------------------------+----------+----------+
- 🇳🇱Netherlands spokje
So
1) There are some new dev-dependencies, which is why 2 additions to the cspell dictionary are present.
2) One of these new dev-dependencies, tbachert/spi, needs permission to be in allow-plugins.
3) We bumped mglaman/phpstan-drupal, which made 4 suppressions disappear in the baseline. Because this baseline won't pass with any version lower than 1.2.12, I bumped to the version as the minimum in composer.json
- 🇳🇱Netherlands spokje
Regarding 2) from the previous comment, there are already issues opened about that: 💬 tbachert/spi requesting trusted action Active and 📌 Upgrade open-telemetry packages for PHP 8.4 Active .
- 🇳🇱Netherlands spokje
Besides mglaman/phpstan-drupal, I see four more new dev-dependencies:
1) brick/math:
$ composer why brick/math
ramsey/uuid 4.7.6 requires brick/math (^0.8.8 || ^0.9 || ^0.10 || ^0.11 || ^0.12)
2) nyholm/psr7-server:
$ composer why nyholm/psr7-server
open-telemetry/sdk 1.1.2 requires nyholm/psr7-server (^1.1)
3) ramsey/collection:
$ composer why ramsey/collection
ramsey/uuid 4.7.6 requires ramsey/collection (^1.2 || ^2.0)
4) ramsey/uuid:
$ composer why ramsey/uuid
open-telemetry/sdk 1.1.2 requires ramsey/uuid (^3.0 || ^4.0)
ramsey/uuid 4.7.6 replaces rhumsaa/uuid (self.version)
So every one of the five new dev-dependencies comes from open-telemetry.
Do we need to document this/all of the dependencies individually/ignore this completely?
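Added example (not part of the original thread and not Drupal core tooling): the manual composer why review above, automated for every package that is new in a lock file, with a flag for a new Composer plugin that allow-plugins does not yet permit. The lock data is constructed from the tables in this issue; the type values, the tbachert/spi requirement edge and the first-match handling of allow-plugins patterns are assumptions.

```python
import json
from fnmatch import fnmatch

# Constructed, trimmed lock data modelled on the tables in this issue. The
# "type" values and the tbachert/spi requirement edge are assumptions.
OLD_LOCK = json.loads('''{"packages": [], "packages-dev": [
  {"name": "open-telemetry/sdk", "version": "1.0.8", "type": "library", "require": {}}]}''')
NEW_LOCK = json.loads('''{"packages": [], "packages-dev": [
  {"name": "open-telemetry/sdk", "version": "1.1.2", "type": "library",
   "require": {"nyholm/psr7-server": "^1.1", "ramsey/uuid": "^3.0 || ^4.0", "tbachert/spi": "*"}},
  {"name": "ramsey/uuid", "version": "4.7.6", "type": "library",
   "require": {"brick/math": "^0.12", "ramsey/collection": "^1.2 || ^2.0"}},
  {"name": "brick/math", "version": "0.12.1", "type": "library", "require": {}},
  {"name": "ramsey/collection", "version": "2.0.0", "type": "library", "require": {}},
  {"name": "nyholm/psr7-server", "version": "1.1.0", "type": "library", "require": {}},
  {"name": "tbachert/spi", "version": "v1.0.2", "type": "composer-plugin", "require": {}}]}''')
COMPOSER_JSON = json.loads('{"config": {"allow-plugins": {"composer/installers": true}}}')

def index(lock):
    """Map package name -> lock entry across production and dev sections."""
    return {p["name"]: p for s in ("packages", "packages-dev") for p in lock.get(s, [])}

def plugin_allowed(name, allow):
    """allow-plugins is a bool or a {pattern: bool} map; first match wins (assumed)."""
    if isinstance(allow, bool):
        return allow
    for pattern, value in allow.items():
        if fnmatch(name, pattern):
            return value is True
    return False

def review_new_packages(old_lock, new_lock, composer_json):
    """List packages present only in new_lock, which locked packages require
    them, and whether a new Composer plugin still lacks an allow-plugins entry."""
    old, new = index(old_lock), index(new_lock)
    allow = composer_json.get("config", {}).get("allow-plugins", {})
    report = []
    for name in sorted(set(new) - set(old)):
        pkg = new[name]
        report.append({
            "name": name,
            "version": pkg["version"],
            "required_by": sorted(p["name"] for p in new.values() if name in p.get("require", {})),
            "needs_allow_plugins": pkg.get("type") == "composer-plugin"
                                   and not plugin_allowed(name, allow),
        })
    return report

if __name__ == "__main__":
    for row in review_new_packages(OLD_LOCK, NEW_LOCK, COMPOSER_JSON):
        print(row)
```

With real files, load composer.lock from the base branch and from the merge request with json.load and pass the project's composer.json as the third argument.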
The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- 🇳🇱Netherlands spokje
Bad bot, get out!
Also: Do we want/are allowed to make the major jump to 2.x for PHPStan in the 10.x branch?
- 🇫🇷France andypost
Rebased after 📌 Upgrade open-telemetry packages for PHP 8.4 Active and updated bit more, looks ready to go
+-----------------------------------+--------+---------+
| Dev Changes                       | From   | To      |
+-----------------------------------+--------+---------+
| composer/pcre                     | 3.3.1  | 3.3.2   |
| phpdocumentor/reflection-docblock | 5.5.1  | 5.6.0   |
| phpstan/phpstan                   | 1.12.9 | 1.12.10 |
| phpstan/phpstan-phpunit           | 1.4.0  | 1.4.1   |
| squizlabs/php_codesniffer         | 3.10.3 | 3.11.0  |
+-----------------------------------+--------+---------+
- 🇳🇱Netherlands spokje
Thanks @andypost!
Of course this is an ongoing battle: https://github.com/symfony/symfony/releases/tag/v6.4.15
Updated MR and #4 📌 Update Composer dependencies for 10.4.0-beta1 Active
- 🇫🇷France andypost
Guzzle update is the only requirement for PHP 8.4 compatibility
Pushed bit more
+------------------------------+---------+---------+
| Production Changes           | From    | To      |
+------------------------------+---------+---------+
| symfony/console              | v6.4.14 | v6.4.15 |
| symfony/dependency-injection | v6.4.13 | v6.4.15 |
| symfony/http-foundation      | v6.4.14 | v6.4.15 |
| symfony/http-kernel          | v6.4.14 | v6.4.15 |
| symfony/process              | v6.4.14 | v6.4.15 |
| symfony/serializer           | v6.4.13 | v6.4.15 |
| symfony/string               | v6.4.13 | v6.4.15 |
| symfony/validator            | v6.4.14 | v6.4.15 |
| symfony/var-dumper           | v6.4.14 | v6.4.15 |
| twig/twig                    | v3.14.2 | v3.15.0 |
+------------------------------+---------+---------+

+---------------------------+---------+---------+
| Dev Changes               | From    | To      |
+---------------------------+---------+---------+
| composer/composer         | 2.8.2   | 2.8.3   |
| phpstan/phpstan           | 1.12.10 | 1.12.11 |
| squizlabs/php_codesniffer | 3.11.0  | 3.11.1  |
+---------------------------+---------+---------+
- 🇳🇿New Zealand quietone
The requirement for documentation for dependencies recently changed. As @spokje points out keeping it up to date is a 'slight nightmare'. The information links for all dependencies do not need to be documented in the 'Current PHP dependencies' or the 'Current Javascript dependencies' pages. Only those that are "large security or API surface" need to be documented. For the rest, we can now use the data provided in the issue, using a new tag 'approved dependency evaluation'. See issues tagged "approved dependency evaluation" → .
This is explained in Dependency information links → .