Update composer.json in order to allow development versions instead to set "minimum-stability"
#504
Conversation
| "behat/mink-selenium2-driver": "^1.3@dev", | ||
| "friendsofphp/php-cs-fixer": "^2.15", | ||
| "phpunit/phpunit": "^6.5", | ||
| "webflo/drupal-core-require-dev": "^8.7" |
There was a problem hiding this comment.
All the above are what webflo/drupal-core-require-dev already does.. Please don't do this.
There was a problem hiding this comment.
The whitelist is required in order to avoid unintended burden of the stability with dangerous dev dependencies, so a more narrow decision is to allow explicitly the non stable packages using stability flags.
| for your setup. | ||
|
|
||
| After that you can create the project: | ||
|
|
||
| ``` | ||
| composer create-project drupal-composer/drupal-project:8.x-dev some-dir --no-interaction | ||
| composer create-project drupal-composer/drupal-project:^8.0@dev some-dir --no-interaction |
There was a problem hiding this comment.
Please revert. It's correct as it is. There is no 8.0 of this project.. There's only 8.x.
There was a problem hiding this comment.
8.0 doesn't exist really, it's the implicit SemVer branch alias which points to 8.x-dev.
phansys
force-pushed
the
dependencies_stability
branch
from
de9a234 to
04b4dea
Compare
|
For those who felt confused about the motivation for these changes, I've added a more detailed example trying to explain how composer works and what my concerns are. Thank you in advance for your feedback. |
phansys
force-pushed
the
dependencies_stability
branch
2 times, most recently
from
c9ed2c4 to
f829c55
Compare
|
IMHO, #512 is a good example of what happen when a package trust on an unstable dependency, and it gets even worse when that dependency is allowed blindly, like in this case. |
phansys
force-pushed
the
dependencies_stability
branch
from
f829c55 to
8a7e11c
Compare
…tead to set "minimum-stability"
phansys
force-pushed
the
dependencies_stability
branch
from
8a7e11c to
531a028
Compare
|
This pull request/issue has been inactive for over a year and is being closed due to inactivity. If the issue still persists or the contribution is still relevant, please feel free to reopen it or create a new one. Thank you for your understanding and your contributions to the project! |
leymannx
changed the title
composer.json in order to whitelist development versions instead to set "minimum-stability"composer.json in order to allow development versions instead to set "minimum-stability"
Update
composer.jsonin order to whitelist (with stability flags) development versions instead to set "minimum-stability".The problem with the current setup (using "dev" as "minimum-stability"):
my-projectrequirespackage-A:^2.0, which has a stable release;composer updatepackage-Ais resolved to their last available 2 major (stable) version, let's say2.7.4;package-Arequirespackage-B:^1.0, which has a stable release;package-Bis resolved to their last available 1 major (stable) version, let's say1.0.0;Until here, everything should be fine, since
my-projectknows that all the installed packages are stable. Let's see the following:2.7.5thepackage-Adecides to change their requirement frompackage-B:^1.0topackage-B:2.0-dev, which is not a stable release;composer updatepackage-Ais resolved to their last available 2 major (stable) version (2.7.5);package-Bis resolved to their last available 2 major (unstable) version (2.0-dev);At this point, the users which own the responsibility under
my-projectwere installed silently an unstable version of a package which can potentially break some existing feature or behavior in their project.With the proposed changes, if the users want to use the
2.7.5version frompackage-A, they will be restricted to install the unstable version from packagepackage-B, at least if they decide under their own risk and responsibility to trust on that package, whitelisting it until a stable release will be available from what is required frompackage-A.