Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

phpPackages.composer: 2.6.6 -> 2.7.1 #288574

Merged
merged 3 commits into from
Mar 5, 2024
Merged

phpPackages.composer: 2.6.6 -> 2.7.1 #288574

merged 3 commits into from
Mar 5, 2024

Conversation

drupol
Copy link
Contributor

@drupol drupol commented Feb 13, 2024
edited
Loading

Diff: https://github.com/composer/composer/compare/2.6.6..2.7.1
Changelog: https://github.com/composer/composer/releases/tag/2.7.1

Encountering issues with the Composer plugin (https://github.com/nix-community/composer-local-repo-plugin, version 1.0.3) while using Composer 2.7, I opened an issue at composer/composer#11850. Today, I had a meeting with @Seldaek, he proposed a better idea for the plugin's functionality. Rather than generating a packages.json file, the suggestion was to create an updated composer.lock file.

And indeed, this approach has proven to be highly effective, streamlining the Composer builder's process and enhancing its comprehensibility.

Description of changes

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 馃憤 reaction to pull requests you find important.

@drupol drupol marked this pull request as ready for review February 13, 2024 14:36
@drupol drupol marked this pull request as draft February 13, 2024 16:05
@drupol
Copy link
Contributor Author

drupol commented Feb 13, 2024

@ofborg build phpPackages.composer

LeSuisse added a commit to LeSuisse/nixpkgs that referenced this pull request Feb 14, 2024
@LeSuisse
phpPackages.composer: apply patch for CVE-2024-24821
2ed28e8 
Upgrade to the 2.7.x branch needs some work (see NixOS#288574), let's patch
the security issue in the meantime.
@LeSuisse LeSuisse mentioned this pull request Feb 14, 2024
Merged
13 tasks
github-actions bot pushed a commit that referenced this pull request Feb 14, 2024
@LeSuisse @github-actions
phpPackages.composer: apply patch for CVE-2024-24821
4f3f261 
Upgrade to the 2.7.x branch needs some work (see #288574), let's patch
the security issue in the meantime.

(cherry picked from commit 2ed28e8)
qubitnano pushed a commit to qubitnano/nixpkgs that referenced this pull request Feb 15, 2024
@LeSuisse @qubitnano
phpPackages.composer: apply patch for CVE-2024-24821
ed52a13 
Upgrade to the 2.7.x branch needs some work (see NixOS#288574), let's patch
the security issue in the meantime.
@drupol drupol changed the title phpPackages.composer: 2.6.6 -> 2.7.1 phpPackages.composer: 2.6.6 -> 2.7.2 Feb 23, 2024
@LeSuisse
Copy link
Contributor

LeSuisse commented Mar 1, 2024

Removing the security flag on this one since we patched the security issue in #288858

@drupol drupol changed the title phpPackages.composer: 2.6.6 -> 2.7.2 phpPackages.composer: 2.6.6 -> 2.7.1 Mar 5, 2024
@drupol drupol marked this pull request as ready for review March 5, 2024 12:33
@drupol
Copy link
Contributor Author

drupol commented Mar 5, 2024

@ofborg build phpPackages.composer phpPackages.psalm phpunit

(just to show that there's no need to update derivation hashes)

LeSuisse
LeSuisse reviewed Mar 5, 2024
View reviewed changes
Copy link
Contributor

@LeSuisse LeSuisse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to break snipe-it, the composer validate does not succeed (it is fine on master).

Executing composerInstallCheckHook
./composer.json is valid but your composer.lock has some errors
# Lock file errors
- The lock file is not up to date with the latest changes in composer.json, it is recommended that you run `composer update` or `composer update <package name>`.

ERROR: composer files validation failed

The validation of the composer.json and composer.lock failed.
Make sure that the file composer.lock is consistent with composer.json.

Result of nixpkgs-review pr 288574 run on x86_64-linux 1

1 package failed to build:
  • snipe-it
61 packages built:
  • adminer
  • bookstack
  • composer-require-checker
  • librenms
  • movim
  • n98-magerun
  • n98-magerun2
  • paratest
  • pdepend
  • pest
  • phel
  • php81Packages.box (php82Packages.box ,php83Packages.box)
  • php81Packages.castor
  • php81Packages.composer
  • php81Packages.deployer
  • php81Packages.grumphp
  • php81Packages.phan
  • php81Packages.phing
  • php81Packages.phive
  • php81Packages.php-codesniffer
  • php81Packages.php-cs-fixer
  • php81Packages.php-parallel-lint
  • php81Packages.phpmd
  • php81Packages.phpstan
  • php81Packages.psalm
  • php81Packages.psysh
  • php82Packages.castor
  • php82Packages.composer
  • php82Packages.deployer
  • php82Packages.grumphp
  • php82Packages.phan
  • php82Packages.phing
  • php82Packages.phive
  • php82Packages.php-codesniffer
  • php82Packages.php-cs-fixer
  • php82Packages.php-parallel-lint
  • php82Packages.phpmd
  • php82Packages.phpstan
  • php82Packages.psalm
  • php82Packages.psysh
  • php83Packages.castor
  • php83Packages.composer
  • php83Packages.deployer
  • php83Packages.grumphp
  • php83Packages.phan
  • php83Packages.phing
  • php83Packages.phive
  • php83Packages.php-codesniffer
  • php83Packages.php-cs-fixer
  • php83Packages.php-parallel-lint
  • php83Packages.phpmd
  • php83Packages.phpstan
  • php83Packages.psalm
  • php83Packages.psysh
  • phpactor
  • phpdocumentor
  • phpunit
  • pixelfed
  • platformsh
  • robo
  • vimPlugins.phpactor

@drupol
Copy link
Contributor Author

drupol commented Mar 5, 2024

@ofborg build phpPackages.psalm phpunit snipe-it

LeSuisse
LeSuisse approved these changes Mar 5, 2024
View reviewed changes
Copy link
Contributor

@LeSuisse LeSuisse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, waiting on CI checks before merging just in case.

Result of nixpkgs-review pr 288574 run on x86_64-linux 1

62 packages built:
  • adminer
  • bookstack
  • composer-require-checker
  • librenms
  • movim
  • n98-magerun
  • n98-magerun2
  • paratest
  • pdepend
  • pest
  • phel
  • php81Packages.box (php82Packages.box ,php83Packages.box)
  • php81Packages.castor
  • php81Packages.composer
  • php81Packages.deployer
  • php81Packages.grumphp
  • php81Packages.phan
  • php81Packages.phing
  • php81Packages.phive
  • php81Packages.php-codesniffer
  • php81Packages.php-cs-fixer
  • php81Packages.php-parallel-lint
  • php81Packages.phpmd
  • php81Packages.phpstan
  • php81Packages.psalm
  • php81Packages.psysh
  • php82Packages.castor
  • php82Packages.composer
  • php82Packages.deployer
  • php82Packages.grumphp
  • php82Packages.phan
  • php82Packages.phing
  • php82Packages.phive
  • php82Packages.php-codesniffer
  • php82Packages.php-cs-fixer
  • php82Packages.php-parallel-lint
  • php82Packages.phpmd
  • php82Packages.phpstan
  • php82Packages.psalm
  • php82Packages.psysh
  • php83Packages.castor
  • php83Packages.composer
  • php83Packages.deployer
  • php83Packages.grumphp
  • php83Packages.phan
  • php83Packages.phing
  • php83Packages.phive
  • php83Packages.php-codesniffer
  • php83Packages.php-cs-fixer
  • php83Packages.php-parallel-lint
  • php83Packages.phpmd
  • php83Packages.phpstan
  • php83Packages.psalm
  • php83Packages.psysh
  • phpactor
  • phpdocumentor
  • phpunit
  • pixelfed
  • platformsh
  • robo
  • snipe-it
  • vimPlugins.phpactor

@LeSuisse LeSuisse merged commit 6dc8cbe into NixOS:master Mar 5, 2024
22 of 23 checks passed
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 5, 2024

Backport failed for release-23.11, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-23.11
git worktree add -d .worktree/backport-288574-to-release-23.11 origin/release-23.11
cd .worktree/backport-288574-to-release-23.11
git switch --create backport-288574-to-release-23.11
git cherry-pick -x 39502e7aa718377973117333caeafa38f5108ae8 cf9e77ef8e6c7b903c7dd5b37d3753c65b3c6a13 bc627a6acad591f05e8b879a9388137859e10855

@drupol drupol deleted the php/composer/bump/2-7-1 branch March 5, 2024 19:41
@drupol drupol mentioned this pull request Mar 5, 2024
Merged
13 tasks
Seldaek
Seldaek reviewed Mar 5, 2024
View reviewed changes
pkgs/build-support/php/hooks/php-script-utils.bash
echo -e '\e[33mMake sure that the file composer.lock is consistent with composer.json.\e[0m'
echo
echo -e '\e[33mThis check is not blocking, but it is recommended to fix the issue.\e[0m'
echo
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO a better way would be to run composer validate, and if it fails run it again with --no-check-lock and if that passes then you know for sure the error was the lock file outdated, and you can output this msg. If it's not that then I'd probably fail hard.

Because there are many other reasons this could fail, and the messages above only suggest it is about the lock file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

What do you think about this new PR?

#293582

@drupol drupol mentioned this pull request Mar 5, 2024
Merged
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Seldaek Seldaek Seldaek left review comments

@LeSuisse LeSuisse LeSuisse approved these changes

@patka-123 patka-123 patka-123 approved these changes

@aanderse aanderse Awaiting requested review from aanderse aanderse is a code owner

@etu etu Awaiting requested review from etu

@globin globin Awaiting requested review from globin globin is a code owner

@Ma27 Ma27 Awaiting requested review from Ma27 Ma27 is a code owner

@talyz talyz Awaiting requested review from talyz talyz is a code owner

Assignees
No one assigned
Labels
10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@drupol @LeSuisse @Seldaek @patka-123