- Issue created by @phenaproxima
- 🇬🇧United Kingdom catch
So if I'm reading correctly this would be adding a direct-write mode when a flag is set, but only for project browser. The idea being you can composer require new dependencies and the simple act of doing so won't blow up your site, whereas update might.
Overall that sounds great I think.
Is there any situation where indirect dependencies might be updated as part of a composer require or does composer always just complain in that case?
- 🇺🇸United States phenaproxima Massachusetts
Is there any situation where indirect dependencies might be updated as part of a composer require or does composer always just complain in that case?
Yes, Composer might update indirect dependencies as part of a require, depending on what the dependency solver spits out. So there is an element of risk to this, but I would say that:
- This is why the direct-write mode would be accessible only to developers.
- Project Browser could take steps to prevent indirect dependencies from being updated (Composer now accepts a --minimal-changes option, which tries to minimize changes to indirect dependencies; Package Manager could be changed to ensure that Project Browser can pass this option, or maybe Package Manager could just always pass the option regardless).
- If packages are properly respecting semantic versioning, and using sensible constraints for their own dependencies, then the risk is probably low enough to not be of concern to the non-technical user.
- 🇬🇧United Kingdom catch
If packages are properly respecting semantic versioning, and using sensible constraints for their own dependencies (which is true for core, and probably widely true enough for contrib),
At least two fairly high usage contrib modules, maintained by different people, incremented hook_update_last_removed() in patch releases in the past month or so, preventing updates from e.g. 1.1.1 to 1.1.3. Just the most recent example I can think of where a patch release led to a site that could not be updated.
--minimal sounds great to avoid this though.
Would it be possible to run --dry-run and detect if it includes updates? Would be annoyingly slow though, but maybe only when this mode is on?
- 🇺🇸United States phenaproxima Massachusetts
Would it be possible to run --dry-run and detect if it includes updates? Would be annoyingly slow though, but maybe only when this mode is on?
Unfortunately, composer update doesn't give us any machine-readable output, with or without the --dry-run flag. The only way to detect what will happen is to use the sandbox.
So as I said, there's some risk involved here, which is why direct-write wouldn't be enabled by default. I think it also makes sense for Package Manager to always pass the --minimal-changes flag to Composer to minimize the possibility of breaking changes being introduced (regardless of whether direct-write is enabled), but we should probably do that in a separate, blocking issue.
The reason Package Manager doesn't pass --minimal-changes is because I don't think it even existed when we were writing Package Manager. It was only introduced in Composer 2.7.0 (see https://getcomposer.org/changelog/2.7.0).