-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validate command doesn't detect missing packages anymore, neither does 'update nothing'/'update --lock' #9842
Comments
@Seldaek this looks like a bug of |
I've just looked more thoroughly trough the code for anything that might give this functionality and couldn't find where this should be present. Maybe this was lost during the move to composer 2? If anyone can point me to a place I should look at I'm willing to contribute. I do however doubt when this is not a current feature anymore if this should be really a functionality of the Please let me know how I can contribute! |
@Seldaek I just did a more deep dive, and found the revision where the new behaviour for updating the lock file was introduced with issue #9514 attached. (Installer.php:837-863) You made the same point I was trying to make above, that installing missing packages is "doing a bit more than --lock should do" . I do have some time to open a PR. Wich one of the following would you prefer?
|
So really this seems like a workflow problem more than anything to me. If your way of conflict resolution is "take old lock file from main branch and run composer update --lock to shove stuff under the rug", then it'll not be fine. Adding new requirements or warning if they're missing may fix part of the problem, but not the entire problem. If the PR you merged contained some critical security update for example you just lost that. The correct way to resolve such conflicts is to replay the updates that were done in the branch over the latest lock file, to make sure you get the same versions again (or greater I guess..). |
I agree it should not be a part of anyone's workflow and no incorrect shortcuts should be offered, but when another developer does incorrectly merge there is currently no way of figuring that out besides looking thoroughly at the lock file in pull/merge-requests for the added package(s), something that could potentially be missed. I wholeheartedly agree on the correct way to merge lock files, but have worked in several teams where this workflow was either not clear or developers still took the shortcut because they didn't see or care about the consequences. (hence the PR for the article) Besides, there's currently no way to enforce this correct way of merging aside from only allowing certain people to commit on the lock file. Previously, running What do you think about adding the following error when running
Adding this error would mean that debugging this scenario is more easy (currently you have to run |
Yeah if you can reasonably add that functionality to the ValidateCommand that sounds good to me. Detecting missing packages is fairly easy going through require/require-dev and seeing if the names are provided by the lock repository. Detecting superfluous packages may be a bit trickier, but it's also less important so not sure it's worth doing. |
Since Composer 2.0.0 (still present in 2.0.12), packages that are present in the
composer.json
but are not locked in thecomposer.lock
or installed in the vendor folder are not correctly detected as an out of sync lock file, or resolved when runningcomposer update nothing
orcomposer update --lock
. In composer 1.10.21 and before, this behaviour was correct.Reproduction
composer update
to generate an up to date lock file."composer/semver": "^3.0"
)composer validate
. An error about an out of date lock file is displayed:The lock file is not up to date with the latest changes in composer.json, it is recommended that you run `composer update` or `composer update <package name>`.
composer u nothing
orcomposer u --lock
composer validate
. The warning is now gone implicating the lock file is up to date. The lock file is not up to date however as dependencies from the composer.json are not in the lock file or installed into the vendor folder.Expected behaviour
composer.json
file but not locked in thecomposer.lock
file a warning is displayed when runningcomposer validate
.composer update nothing
orcomposer update --lock
is ran, the package is installed and added to the lock file (How this previously worked in v1.*) or a warning is displayed to not manually add to thecomposer.json
file with a message to runcomposer require vendor/package-name
to require the package correctly and fix the discrepancy between the two files.The text was updated successfully, but these errors were encountered: