composer require doesn't respect prefer-stable #4318

Closed
Anahkiasen opened this issue Jul 30, 2015 · 13 comments

@Anahkiasen

Maybe it's just me not getting how it should work but granted the following configuration:

{
  "minimum-stability": "dev",
  "prefer-stable": true
}

I'd expect composer require to pick stable packages, instead I get @dev versions, is this expected behavior?

@zanbaldwin
Contributor

Can you provide an example of a package (and the version string you set) that downloads as dev instead of stable?

@Anahkiasen
Author

It does that with any package, not one in particular. Fairly easy to reproduce:

$ composer --version
Composer version 1.0-dev (a67eaf04c7eee3d10d7c64f3eef47995ec150ffe) 2015-07-30 12:14:55

$ echo '{}' > composer.json
$ composer require madewithlove/elasticsearcher
Using version ^0.2.2 for madewithlove/elasticsearcher
./composer.json has been updated

$ echo '{"minimum-stability": "stable", "prefer-stable": true}' > composer.json
$ composer require madewithlove/elasticsearcher
Using version ^0.2.2 for madewithlove/elasticsearcher
./composer.json has been updated

$ echo '{}' > composer.json
$ echo '{"minimum-stability": "dev", "prefer-stable": true}' > composer.json
$ composer require madewithlove/elasticsearcher
Using version ^0.2.0@dev for madewithlove/elasticsearcher
./composer.json has been updated

@naderman
Member

What you see there are the generated version constraints for the require, the actually installed packages based on those constraints should be exactly what you expect. Please check which versions you actually got installed. I suspect this works exactly as it should.

@Anahkiasen
Author

Nope it really requires the dev version:

$ echo '{"minimum-stability": "dev", "prefer-stable": true}' > composer.json
$ composer require phpunit/phpunit
Using version ^5.0@dev for phpunit/phpunit
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)

  [...]

  - Installing phpunit/phpunit (dev-master e78d394)
    Cloning e78d39417dd724f4789ec0518e5b1c6d85293e6e

Writing lock file
Generating autoload files

$ cat composer.json
{"minimum-stability": "dev", "prefer-stable": true,
    "require": {
        "phpunit/phpunit": "^5.0@dev"
    }
}

$ phpunit --version
PHPUnit 5.0-ge78d394 by Sebastian Bergmann and contributors.
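
One way to run the check naderman asks for, comparing the constraints written to composer.json with what composer.lock records as installed. This is an added example, not part of the original thread or of Composer; the inline JSON is constructed to mirror the phpunit case above, and `vendor/stable-lib` with its all-zero reference is a placeholder.

```python
import json
import re

# Constructed composer.json / composer.lock fragments shaped like the phpunit case.
COMPOSER_JSON = '''{"minimum-stability": "dev", "prefer-stable": true,
  "require": {"phpunit/phpunit": "^5.0@dev", "vendor/stable-lib": "^1.2"}}'''
COMPOSER_LOCK = '''{"packages": [
  {"name": "phpunit/phpunit", "version": "dev-master",
   "source": {"type": "git", "reference": "e78d39417dd724f4789ec0518e5b1c6d85293e6e"}},
  {"name": "vendor/stable-lib", "version": "1.2.3",
   "source": {"type": "git", "reference": "0000000000000000000000000000000000000000"}}],
 "packages-dev": []}'''


def is_dev(text):
    """True if a constraint or version names a branch or carries an @dev flag."""
    tokens = re.split(r"[\s,|]+", text.lower())
    return any("@dev" in t or t.startswith("dev-") or t.endswith("-dev") for t in tokens)


def dev_constraints(manifest):
    """Requirements in composer.json that allow a dev version of the package."""
    found = {}
    for section in ("require", "require-dev"):
        for name, constraint in manifest.get(section, {}).items():
            if is_dev(constraint):
                found[name] = constraint
    return found


def dev_installs(lock):
    """Packages composer.lock pins to a branch, with the commit they resolved to."""
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if is_dev(pkg["version"]):
                found[pkg["name"]] = (pkg["version"], pkg.get("source", {}).get("reference"))
    return found


def audit(manifest_text, lock_text):
    manifest, lock = json.loads(manifest_text), json.loads(lock_text)
    return {
        "minimum_stability": manifest.get("minimum-stability", "stable"),
        "prefer_stable": manifest.get("prefer-stable", False),
        "constraints": dev_constraints(manifest),
        "installed": dev_installs(lock),
    }
```

Any entry under `installed` is code taken from a moving branch rather than a tagged release, so it is the part of the dependency tree to review by hand.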

@alcohol
Member

alcohol commented Jul 31, 2015

That is because there is no stable 5.x release yet of phpunit.

@alcohol
Member

alcohol commented Jul 31, 2015

I think the require command creates a constraint based on the very latest version it can find. This part does not yet take into account prefer-stable.

@Anahkiasen
Author

As I said, it might just be me not getting how it should work; the docs say:

When this is enabled, Composer will prefer more stable packages over unstable ones when finding compatible stable packages is possible

So to me, as I didn't say I wanted phpunit 5.x, prefer stable should require 4.7.7. My use case is that I want all my packages to be stable, but in this case I need minimum-stability: dev for one package that has a bugfix on master not yet tagged.

@alcohol
Member

alcohol commented Jul 31, 2015

Then you should really just include that one particular package for now using:

"require": { "vendor/package": "dev-master" }

Now to elaborate again (based on your phpunit example); when you use the require command, it first attempts to figure out what constraint to use for this requirement. This only looks at minimum-stability. See:
https://github.com/composer/composer/blob/master/src/Composer/Command/InitCommand.php#L594

The prefer-stable flag only comes into play once it starts trying to resolve this new requirement, which is the next step in the process. However, for the version it found in the previous step, there is no stable release yet, so it will go with the dev version (until a stable release is made).

Does that make sense?

@Seldaek
Member

Seldaek commented Aug 9, 2015

@alcohol I think that explains the current process very well, but still when picking the preferred version to build the constraint from we should ideally take into account prefer-stable and not take the absolute highest value.

I'd argue we should probably assume prefer-stable true no matter what actually, because it's never really a good thing to install an unstable version unless people willingly ask for it, or there is no stable version at all to pick from.

And ideally we should also make sure it doesn't require a version that can't be installed at all with the current constraints, but that might be difficult to check for, not sure.
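
A simplified model of the two behaviours discussed above: the constraint `require` builds from the highest version that `minimum-stability` allows, and the proposal to take `prefer-stable` into account at that step. This is an added example, not Composer's code; the candidate list is constructed from the phpunit versions named in the thread (plus an assumed 4.7.6), and `pick_candidate` and `constraint_for` are hypothetical names.

```python
# Simplified model of the selection step described in this thread; not Composer's code.
# Lower rank means more stable.
STABILITY_RANK = {"stable": 0, "RC": 5, "beta": 10, "alpha": 15, "dev": 20}

# Constructed candidates shaped like the phpunit case: stable 4.7.x releases
# and a 5.0 development line with no stable release yet.
CANDIDATES = [
    {"version": "4.7.6", "stability": "stable"},
    {"version": "4.7.7", "stability": "stable"},
    {"version": "5.0", "stability": "dev"},
]


def _key(candidate):
    # Compare versions numerically, e.g. (5, 0) > (4, 7, 7).
    return tuple(int(part) for part in candidate["version"].split("."))


def pick_candidate(candidates, minimum_stability, prefer_stable):
    """Return the version the constraint is built from, or None if nothing qualifies."""
    limit = STABILITY_RANK[minimum_stability]
    allowed = [c for c in candidates if STABILITY_RANK[c["stability"]] <= limit]
    if not allowed:
        return None
    if prefer_stable:
        # Proposed behaviour: keep only the most stable tier that exists,
        # falling back to less stable tiers when no stable release is available.
        best = min(STABILITY_RANK[c["stability"]] for c in allowed)
        allowed = [c for c in allowed if STABILITY_RANK[c["stability"]] == best]
    # Behaviour described in the thread: absolute highest allowed version.
    return max(allowed, key=_key)


def constraint_for(candidate):
    """Build a caret constraint, adding a stability flag for unstable versions."""
    flag = "" if candidate["stability"] == "stable" else "@" + candidate["stability"]
    return "^" + candidate["version"] + flag


if __name__ == "__main__":
    for prefer in (False, True):
        chosen = pick_candidate(CANDIDATES, "dev", prefer)
        print("prefer_stable=%s -> %s" % (prefer, constraint_for(chosen)))
```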

Seldaek added Feature and removed Support labels Aug 9, 2015
Seldaek added this to the Nice To Have milestone Aug 9, 2015

@Anahkiasen
Author

I'd argue we should probably assume prefer-stable true no matter what actually, because it's never really a good thing to install an unstable version unless people willingly ask for it, or there is no stable version at all to pick from.

I think that would make more sense indeed, I rarely ever want an unstable package, and when I do it's because I know I need a bugfix or something and said package doesn't have any branch alias, so I know what constraint I want anyway.

@ryanaslett
Contributor

Dang. 507415e made it so that I can't set prefer-stable to false and have it grab the latest dev without having to specify it.

@alcohol
Member

alcohol commented Mar 1, 2017

@ryanaslett this could be remedied by having the require and init command pass the current known prefer-stable config value to findBestCandidate.

@ryanaslett
Contributor

My use case is such a bizarre edge case that I'm almost embarrassed to even describe it. I'll open a new issue and see if it makes sense to do what you suggest, or if there might be an alternative.
