Package Manager should use a copy of Composer that is local to the current project, if available

Created on 3 June 2025, about 2 months ago

Problem/Motivation

Package Manager needs to be able to run Composer in order to work properly.

It will try to autodetect the path to Composer at runtime, but if that fails, it will allow the site builder to explicitly set the path to Composer (in config). If the hosting environment has a too-old version of Composer, though, that won't be sufficient either.

A project can have a copy of Composer that is local to itself (e.g., vendor/bin/composer) to get around that, of course. But it would be helpful, and reduce friction, if Package Manager would automatically detect this condition and configure itself accordingly.

Proposed resolution

If and only if composer/composer is installed in the current project, and is not a dev dependency, Package Manager's install hook should set its executable path in package_manager.settings during installation.
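The check in the proposed resolution, as an added PHP example (not Drupal core's code or the merge request's). It assumes Composer 2's vendor/composer/installed.json layout with its `packages` and `dev-package-names` keys; `find_local_composer()` and the temporary sample project are hypothetical, and the returned path is the value that would be stored in package_manager.settings.

```php
<?php
// Added example, not Drupal core code. Assumption: Composer 2's
// vendor/composer/installed.json with "packages" and "dev-package-names".

/**
 * Returns the project-local Composer path, or NULL if it must not be used.
 */
function find_local_composer(string $project_root): ?string {
  $installed_file = $project_root . '/vendor/composer/installed.json';
  if (!is_readable($installed_file)) {
    return NULL;
  }
  $installed = json_decode(file_get_contents($installed_file), TRUE);
  if (!is_array($installed)) {
    return NULL;
  }
  $names = array_column($installed['packages'] ?? [], 'name');
  $dev_names = $installed['dev-package-names'] ?? [];
  // Must be installed, and not only as a dev dependency.
  if (!in_array('composer/composer', $names, TRUE)
    || in_array('composer/composer', $dev_names, TRUE)) {
    return NULL;
  }
  $vendor = realpath($project_root . '/vendor');
  $path = realpath($project_root . '/vendor/composer/composer/bin/composer');
  // The binary must still exist (the vendor hardening plugin may have
  // removed it) and must resolve inside this project's vendor directory.
  if ($vendor === FALSE || $path === FALSE || !is_file($path)
    || !str_starts_with($path, $vendor . DIRECTORY_SEPARATOR)) {
    return NULL;
  }
  return $path;
}

// Constructed sample project in a temporary directory.
$root = sys_get_temp_dir() . '/pm-example-' . bin2hex(random_bytes(4));
mkdir($root . '/vendor/composer/composer/bin', 0755, TRUE);
file_put_contents($root . '/vendor/composer/composer/bin/composer', "#!/usr/bin/env php\n");
$write_installed = function (array $dev_names) use ($root): void {
  file_put_contents($root . '/vendor/composer/installed.json', json_encode([
    'packages' => [['name' => 'composer/composer', 'version' => '0.0.0-constructed']],
    'dev-package-names' => $dev_names,
  ]));
};

// Case 1: composer/composer is a regular (non-dev) dependency.
$write_installed([]);
var_dump(find_local_composer($root));
// Case 2: composer/composer is present only as a dev dependency.
$write_installed(['composer/composer']);
var_dump(find_local_composer($root));
```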

✨ Feature request
Status

Active

Version

11.0 🔥

Component

package_manager.module

Created by

🇺🇸 United States phenaproxima Massachusetts

Merge Requests

Comments & Activities

  • Issue created by @phenaproxima
  • 🇺🇸 United States phenaproxima Massachusetts
  • Merge request !12302 Resolve #3528139 "Use local composer" → (Closed) created by phenaproxima
  • Pipeline finished with Success
    about 2 months ago
    Total: 426s
    #513298
  • 🇺🇸 United States phenaproxima Massachusetts

    Reviewable, but not ready quite yet since tests are needed.

  • 🇺🇸 United States phenaproxima Massachusetts

    I can't easily write a test for this, because although composer/composer is a dev dependency of core, vendor/bin/composer doesn't exist because it's cleaned up by the vendor hardening plugin, which has no way to prevent a package from being cleaned up. This also means that end users can't take advantage of this improvement if they have the vendor hardening plugin at all.

    Not sure how to proceed. Should I change our build tests to confirm that this works? Should we file a blocking issue to allow the vendor hardening plugin to skip certain packages if configured to do so?

  • 🇺🇸 United States phenaproxima Massachusetts

    An update here -- if we can get ✨ Add a directory to the PATH Active in, this becomes much more viable, and would immediately improve things for Drupal CMS users -- if Composer is installed and vendor/composer/composer/bin/composer exists, Package Manager would point to that.

    The vendor hardening plugin would still be an obstacle for some sites -- although Drupal CMS does not currently use it -- but my idea there is to change it to not delete Composer's binaries outright, but rather just chmod them to 655 so that they cannot be executed directly. Then Composer simply becomes another PHP script run by the PHP interpreter, rather than something that can be invoked as its own process. All that would need to happen in a separate issue, though.

    Postponing on the related issue.

  • 🇺🇸 United States phenaproxima Massachusetts
  • Pipeline finished with Success
    23 days ago
    Total: 609s
    #539556
  • 🇺🇸 United States phenaproxima Massachusetts

    Blocker landed!

  • 🇺🇸 United States phenaproxima Massachusetts

    Figured out how to write a unit test (a rare case where reflection is the way to go). This is reviewable!

  • Pipeline finished with Failed
    19 days ago
    Total: 186s
    #542497
  • Pipeline finished with Success
    19 days ago
    Total: 1166s
    #542506
  • 🇺🇸 United States tim.plunkett Philadelphia

    Reviewed this with @phenaproxima and everything makes sense. Test coverage looks good.

  • 🇬🇧 United Kingdom catch

    One comment on the MR.

  • 🇺🇸 United States phenaproxima Massachusetts

    Easy enough. Since this was such a simple change with no logic implications, tentatively restoring Tim's prior RTBC.

  • Pipeline finished with Success
    16 days ago
    #545027
  • Pipeline finished with Failed
    16 days ago
    #545049
  • Pipeline finished with Running
    16 days ago
    #545103
    • catch → committed 52758cae on 11.2.x
      Issue #3528139 by phenaproxima, tim.plunkett, catch: Package Manager...
    • catch → committed 42209999 on 11.x
      Issue #3528139 by phenaproxima, tim.plunkett, catch: Package Manager...
  • 🇬🇧 United Kingdom catch

    Noticed one more thing - the static variable was unnecessary, @phenaproxima moved it to a normal property. We could maybe have done a separate method for testing instead but it's 50/50 so not worth further changes.

    Committed/pushed to 11.x and cherry-picked to 11.2.x, thanks!

  • Pipeline finished with Success
    16 days ago
    #545135
  • Automatically closed - issue fixed for 2 weeks with no activity.
