composer update strips composer.lock of package without indication or reason

[vesper8]

Below is a fresh installation of Laravel 5.6 + 1 package that is causing a weird issue

My composer.json:

{
    "name": "laravel/laravel",
    "description": "The Laravel Framework.",
    "keywords": ["framework", "laravel"],
    "license": "MIT",
    "type": "project",
    "require": {
        "php": "^7.1.3",
        "faustbrian/laravel-collectable": "dev-master",
        "fideloper/proxy": "^4.0",
        "laravel/framework": "5.6.*",
        "laravel/tinker": "^1.0"
    },
    "require-dev": {
        "filp/whoops": "^2.0",
        "fzaninotto/faker": "^1.4",
        "mockery/mockery": "^1.0",
        "nunomaduro/collision": "^2.0",
        "phpunit/phpunit": "^7.0"
    },
    "autoload": {
        "classmap": [
            "database/seeds",
            "database/factories"
        ],
        "psr-4": {
            "App\\": "app/"
        }
    },
    "autoload-dev": {
        "psr-4": {
            "Tests\\": "tests/"
        }
    },
    "extra": {
        "laravel": {
            "dont-discover": [
            ]
        }
    },
    "scripts": {
        "post-root-package-install": [
            "@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
        ],
        "post-create-project-cmd": [
            "@php artisan key:generate"
        ],
        "post-autoload-dump": [
            "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
            "@php artisan package:discover"
        ]
    },
    "config": {
        "preferred-install": "dist",
        "sort-packages": true,
        "optimize-autoloader": true
    },
    "minimum-stability": "dev",
    "prefer-stable": true
}

Output of composer diagnose:

Checking composer.json: WARNING
require.faustbrian/laravel-collectable : unbound version constraints (dev-master) should be avoided
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 1.6.4
PHP version: 7.2.2
PHP binary path: /usr/local/Cellar/php72/7.2.2_13/bin/php

When I run this command:

composer install

cat composer.lock | grep faust

I get the following output:

"name": "faustbrian/laravel-collectable",
                "url": "https://github.com/faustbrian/Laravel-Collectable.git",
                "url": "https://api.github.com/repos/faustbrian/Laravel-Collectable/zipball/d2428cf750826e150d99a2dce05250e15460e669",
                    "email": "hello@brianfaust.me",
                    "homepage": "https://brianfaust.me"
                "faustbrian",
        "faustbrian/laravel-collectable": 20

Then if I run

composer update

cat composer.lock | grep faust

I expect that the above cat / grep command will still return the same results, but instead composer update actually strips the composer.lock of the package, although it doesn't mention removing it, nor should it be removing it in any case

"faustbrian/laravel-collectable": 20

Composer install of this package faustbrian/laravel-collectable:dev-master correctly installs the package, but any subsequent composer update will strip composer.lock of the package, without giving any indication that it's done so or for any valid reason that I can see

[vesper8]

The author of that package has since released a new version which takes care of my problem. I'm not sure if the problem remains reproducible if using the dev-master, but it certainly was a reproducible prior to this new release

[andreizemba]

I have the exact same problem with:

"typo3/class-alias-loader": "dev-master"

When running composer update it strips the package from composer.lock file without any notification.
I noticed it started doing this since 12th of April.

[kghbln]

I believe to have similar issues. Since version 1.6.4 seemingly arbitrary packages are being removed when running composer update even though they are required via "composer.json". Moreover no note about this is prompted. Running composer update a second time sometimes installs the previously uninstalled packages. Sometimes a trivial edit to "composer.json" is necessary to get all required packages back up. I rolled back to 1.6.3 for now. The issue does not appear on this version.

[kitsunet]

Can confirm as well. This seems to be a serious regression.

[koddistortion]

I can confirm this as well. Every second time composer 1.6.4 runs fine on our Symfony 3.4 project, but every other time a package (in our case it's gregwar/form-bundle) gets magically removed.

[kitsunet]

Current snapshot version doesn't exhibit this error btw. So apparently it is already fixed in that branch and might "just" need a release.

[kdambekalns]

Snapshot is still behaving weird, we rolled back to 1.6.3 for now. Oh, and I have the "every 2nd time it works":

[octavianparalescu]

I can confirm the behavior presented by @kdambekalns .

Temporary fix

(These steps are for the people who already have some machines to deploy to and they don't want to go through the process of rolling back composer on every machine.)

1. Roll back composer on your development machine by downloading it from here and copying it inside your project folder which contains composer.json:
   https://getcomposer.org/download/1.6.3/composer.phar
2. Run the command php composer.phar update inside your project folder so a correct composer.lock is generated on your machine.
3. Version the composer.lock file (if it's not already versioned).
4. Change the build process to use the command composer install so it uses the composer.lock file instead of composer.json when downloading packages (which is what everyone should do anyway in my humble opinion)

[kdambekalns]

Another way that can be used to downgrade for now: composer self-update 1.6.3 (might be easier to include into automation for some.)

[julienfalque]

I think I have the same issue. Running composer update removes symfony-cmf/routing-bundle (dev-master) from composer.lock. Another call will install the package again. All subsequent runs will respectively remove or install the package, despite it always appears in composer.json.

Rolling back Composer from 1.6.4 to 1.6.3 solves the issue.

[sstok]

Not sure, but could this be the cause ef7252b ?

You can clone the composer repository, remove this package, and compile. And then see if it persists.

[cameronterry]

I think I am another experiencing this issue with Composer 1.6.4 release. Every second call to composer update strips out one of the dependencies.

But I was fortunate in the sense that I had a small project just starting, so I was able to isolate it to a single library. The issue describe here is repeatable (on macOS High Sierra and a Windows 8.1 VM).

{
    "name": "cameronterry/composer-7268",
    "description": "simple test for issue 7268 for composer.",
    "type": "root",
    "authors": [
        {
            "name": "Cameron Terry",
            "email": "cameronterry@example.com"
        }
    ],
    "require": {
      "vlucas/phpdotenv": "dev-master"
    }
}

With the above, on Composer 1.6.4 the composer.lock file is deleted on every second call of the composer update command. If I downgrade to Composer 1.6.3, the issue is not present.

Not sure if this is an issue with composer or PHP Dotenv, but I hope this is helpful nonetheless.

[Toflar]

Same here, every other composer update deletes dependencies and it only happens for dev- dependencies. So ef7252b might be very well the cause for that.

[stof]

ef7252b is not part of the 1.6.4 release. It is only part of the nightly channel (the upcoming 1.7 version)

[mwjames]

ef7252b is not part of the 1.6.4 release. It is only part of the nightly channel (the upcoming 1.7 version)
If I downgrade to Composer 1.6.3, the issue is not present.

Well, then something else (1.6.3...1.6.4) has caused the regression doesn't it?

Can confirm as well. This seems to be a serious regression.

It has been 12 days since the first initial report and different users from different projects reported a similar observation so it should be evident that something has caused a regression between 1.6.3 and 1.6.4 and it would be motivating to hear from some of the developers (@naderman @Seldaek @alcohol) involved if it is likely to be fixed soon.

[alcohol]

I can confirm @cameronterry 's scenario. Will investigate a bit further.

Edit:

Observations so far;

It does not remove the dependency. This implies to me it is not a solving issue.

The lockfile is completely removed. The installed.json is also completely empty. This is cause for concern. The former should never happen, not even if all dependencies are uninstalled (AFAIK), but might be an entirely different issue by itself.

Using git bisect I've determined that 036fc44 is the culprit. @Seldaek any idea why?

[Seldaek]

@cameronterry thanks for the simple repro case.

@alcohol yeah I was pretty sure this was the culprit, just was on holidays the last couple days so wasn't able to dig in yet.

I'll take a look now, hopefully I can find a way to fix this without reverting the commit entirely as I am pretty sure it was fixing some other oddball issues.

[Seldaek]

Alright if y'all can verify that a composer self-update --snapshot fixes your problems that'd be great if so I'll try and push out a release soon.

[Toflar]

Ran composer update && behat && phpunit 10 times in a row, no issues anymore. Looks good! Thank you Jordi!!

[cameronterry]

I can confirmed the issue appears to be resolved, @Seldaek. Thank you very much!

[Seldaek]

v1.6.5 is out

[zhtrios]

This works for me in:

Generate your Bundle in your bin folder with

./console generate:bundle

And follow the steps as always, now, do what you want in your composer.json file with the line

"AppBundle\\": "src/AppBundle"

Replace with "": "src/" or add your bundle, for example: "BackendBundle\\": "src/BackendBundle"

Here's the new part:

1. Install composer in your bin directory, copy and paste the steps from https://getcomposer.org/download/

2. Up a level in your project directory, and in your root folder (of your project) run the next command

php ./bin/composer.phar update