Composer create-project doesn't check platform requirements

[joachim-n]

My composer.json:

...replace me...

Output of composer diagnose:

Checking composer.json: OK
Checking platform settings: OK
Checking git settings: OK git version 2.42.0
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.6.5
PHP version: 8.2.0
PHP binary path: /Applications/MAMP/bin/php/php8.2.0/bin/php
OpenSSL version: OpenSSL 1.0.2u  20 Dec 2019
cURL version: 7.68.0 libz 1.2.11 ssl OpenSSL/1.0.2u
zip: extension present, unzip present, 7-Zip not available

When I run this command on PHP 8.2:

composer create drupal/recommended-project composer-bug-repro 9.5

everything installs as expected. However, subsequent composer commands complain. E.g doing:

composer require drush/drush:*

outputs:

    - laminas/laminas-diactoros 2.14.0 requires php ^7.3 || ~8.0.0 || ~8.1.0 -> your php version (8.2.0) does not satisfy that requirement.

Checking this package:

composer why laminas/laminas-diactoros
drupal/core             9.5.0 requires laminas/laminas-diactoros (^2.14)
drupal/core-recommended 9.5.0 requires laminas/laminas-diactoros (~2.14.0)

Shows that it was installed as part of the original create-project.

And I expected this to happen:

Don't install the project in the first place if a package won't work on the platform.

[xabbuh]

The composer.lock file of that project contains this:

    "platform-overrides": {
        "php": "7.3.0"
    },

Could that be the root issue?

[stof]

This would indeed explain why the create-project command would not complain about PHP 8.2

[joachim-n]

What is there in the drupal/recommended-project template which would have resulted in that in composer.lock?

[fredden]

What is there in the drupal/recommended-project template which would have resulted in that in composer.lock?

It looks like it's in the composer.lock file in the repository itself. https://github.com/drupal/recommended-project/blob/9.5.11/composer.lock#L4759-L4761

Running composer update in the project works, and removes that entry from composer.lock.

[Seldaek]

Right, I'm guessing whatever builds the release sets composer config platform.php 7.3.0 to ensure locked dependencies match that minimum PHP requirement. But then it's not added to the committed composer.json.

I'm not sure what to do about this.. If the composer.json does not have the overrides anymore we probably could warn when running an install, just not sure how much work this would be.

Really the best way would be to avoid shipping a lock file IMO and let dependency resolution happen at create-project time.