Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

composer.lock file don't use the overridden repositories #2622

nineinchnick opened this Issue Jan 23, 2014 · 10 comments


None yet
6 participants

Same issue as in #1252.


    "repositories": [
            "type": "vcs",
            "url": "https://github.com/pear/Numbers_Words"
    "require": {
        "php": ">=5.3.2"
        ,"pear/numbers_words": "dev-master"

After removing vendor dir contents and composer.lock and issuing composer install, composer.lock:

            "name": "pear/numbers_words",
            "version": "dev-master",
            "target-dir": "Pear/NumbersWordsBundle",
            "source": {
                "type": "git",
                "url": "https://github.com/jroszkiewicz/NumbersWordsBundle.git",
                "reference": "6f30aedc01523b58d190849a4a2cb19fe703840f"
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/jroszkiewicz/NumbersWordsBundle/zipball/6f30aedc01523b58d190849a4a2cb19fe703840f",
                "reference": "6f30aedc01523b58d190849a4a2cb19fe703840f",
                "shasum": ""
            "type": "library",
            "autoload": {
                "psr-0": {
                    "Pear\\NumbersWordsBundle": "",
                    "Numbers_Words": ""
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "PHP License 3.01"
            "authors": [
                    "name": "Daniel O'Connor",
                    "email": "daniel.oconnor@gmail.com",
                    "role": "Pear Developer"
                    "name": "Jakub Roszkiewicz",
                    "email": "j.roszkiewicz@vaka.pl",
                    "role": "Developer"
            "description": "Translating numbers to words",
            "homepage": "https://github.com/pear/Numbers_Words",
            "keywords": [
            "time": "2013-06-17 15:30:13"

stof commented Jan 23, 2014

This is probably because dev-master is newer in the https://github.com/jroszkiewicz/NumbersWordsBundle.git repo than in https://github.com/pear/Numbers_Words

How this can be resolved?

Do you control https://github.com/pear/Numbers_Words ? Try creating a custom branch and requiring it.

If not, try locking to a specific commit using dev-master#thecommitshasum

I don't control that repo. I posted an issue at the other one so the author would fix packagist packages.

I don't want to lock into a specific commit. Even if it'd work it's not an acceptable long term solution. Currently I use that package as pear type but you know the drawbacks.

@naderman naderman added the Support label Feb 5, 2014

@naderman naderman closed this Feb 5, 2014

Why this has been closed?


naderman commented Feb 5, 2014

Because it's an issue with the two packages not with composer itself?

No, the packages are just an example for a situation when you can't override a repository with a custom one, when the commits in the custom one are older.

In this particular example the vendor/package on packagist was taken over and configured incorrectly. I couldn't fix it by specifying the right repo url.

@naderman naderman reopened this Feb 5, 2014

@naderman naderman removed the Support label Feb 5, 2014

lavoiesl commented Feb 5, 2014

I agree with @nineinchnick. While the package is badly configured, it should be possible to override the repository for a package.

@Seldaek Seldaek added this to the Bugs milestone Feb 13, 2014

@Seldaek Seldaek added the Bug label Feb 13, 2014

What we want to do is:

The case we are seeing right now is

  "require" : [
    "zendframework/zend-mvc": "2.2.*",
    "zendframework/zend-http": "2.2.5",
    "zendframework/zend-view": "2.2.*",
    "zendframework/zend-stdlib": "2.2.*",
  "repositories": [
      "type": "vcs",
      "url": "http://github.internal/ExternalComponents/zend-http.git"

Where our ExternalComponents/zend-http.git repository is a clone of the zendframework/Component_ZendHttp repository (without importing tags/branches).
We then have have tagged stable releases with our changes for 2.2.3, 2.2.4, and 2.2.5.
And active development branches patch-2.2.3, patch-2.2.4, patch-2.2.5, patch 2.2.6

However, no matter what we try, we cannot get composer to use that repository for the one component, it always resolves to the packagist stable zendframework/zend-http 2.2.5.

The zend-http composer.json is copied verbatim: relevant portions below:

    "name": "zendframework/zend-http",
    "require": {
        "zendframework/zend-loader": "self.version",
        "zendframework/zend-stdlib": "self.version",
        "zendframework/zend-uri": "self.version",
        "zendframework/zend-validator": "self.version"

During resolution

Reading composer.json of zendframework/zend-http (patch-2.2.5)
Importing tag 2.2.5 (
Reading composer.json of zendframework/zend-http (master)
Importing branch master (dev-master)
Reading composer.json of zendframework/zend-http (patch-2.2.5)
Importing branch release-2.2.5 (dev-patch-2.2.5)

Implying composer at least does read in the fact that we have
Stable: 2.2.5
Dev: dev-master, dev-patch-2.2.5

We don't have local forks of zend-loader, zend-stdlib, zend-uri, etc and down the chain, so referring to dev-patch-2.2.5 won't work for several reasons:

  1. We want to lock to the specific stable version, not to latest commit.;
  2. Composer complains "unable to find package zend-loader version dev-patch-2.2.5" which rightly doesn't exist.

referring to a specific commit gives same issue as 2.

    "zendframework/zend-http": "dev-patch-2.2.5#df4f58680d4c79bbd6c1f43c56b805cb821a1e1d",
  - Installation request for zendframework/zend-http dev-patch-2.2.5#df4f58680d4c79bbd6c1f43c56b805cb821a1e1d -> satisfiable by zendframework/zend-http[dev-patch-2.2.5].
  - zendframework/zend-http dev-patch-2.2.5 requires zendframework/zend-loader dev-patch-2.2.5 -> no matching package found.

Trying an explicit alias

 "zendframework/zend-http": "dev-patch-2.2.5 as 2.2.5",

also gives the "zend-loader version dev-patch-2.2.5 which rightly doesn't exist." issue.

What we don't want to do is end up having to clone all the independent features into our repository as zend compents will chain. our explicit use of 4 zf2 components, 2 internal libraries, and 1 third party library, expands out to installing 30 zendframework components.

But it's starting to look like there isn't any means of overriding a single component in this case with a local copy in the slightest.


naderman commented Feb 28, 2014

@icywolfy That sounds like an entirely unrelated bug in repository prioritisation, can you open a separate ticket for that?

Also please note that you will have to adapt composer.json if you want different versions than "dev-foo" as dependencies: https://github.com/zendframework/zf2/blob/master/library/Zend/Http/composer.json#L15

@Seldaek Seldaek modified the milestone: 2.0, Bugs Apr 15, 2016

@Seldaek Seldaek added the Solver label Apr 15, 2016

@naderman naderman was assigned by Seldaek Apr 15, 2016

@BR0kEN- BR0kEN- referenced this issue in cosenary/Instagram-PHP-API Sep 17, 2016


Instagram Platform Update #182

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment