New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use drupal/core-recommended #477
Comments
Looks like there is a new issue (#480 and https://www.drupal.org/project/drupal/issues/3045349) that would have been mitigated by using Seems like a reasonable idea to default to using core dependencies that have been tested? This is probably something that most people want most of the time? |
And another: https://www.drupal.org/project/drupal/issues/3051269 |
See #264. I still am of the mind that most people need drupal-core-strict, and most people do not need drupal-core-require-dev most of the time, and would rather see the former here than the later if we had to pick just one. It would be neat of Composer would actually have features to support these kinds of projects directly. The current model makes |
I guess the importance of DX depends on the intended users/use cases for this project? My impression is that |
As for the issue of DX, users must learn one new trick: I think the benefits of protecting inexperienced users from being the first to discover bugs in dependencies is a good tradeoff. |
These webflo packages are only providing a workaround by "imitating" composer project behavior on a composer library. |
Lowest testing would solve issues such as https://www.drupal.org/project/drupal/issues/2965887. I disagree with the premise that highest testing would obviate the need for drupal-core-strict, though. It has happened a number of times that some dependency of drupal/core has released a new version that had some bug or issue that expressed itself in Drupal. These issues would be detected, but not prevented by highest testing. Historically, these bugs have been detected and fixed very quickly. They still cause a lot of disruption for a lot of people; I assert that drupal/core is neither a project nor a library in the Composer sense of the word. It is something else that is not supported by Composer. See concept of parent projects in reposer. |
Yes, I am very well aware of these issues, especially the Twig ones, but I believe those only affected new installations and they could be revealed before they would break production sites if developers performed proper testing before prod deploys. The reason is simple, in case of existing projects where the composer.lock is in VCS, always the "latest stable and tested dependencies" gets installed when a new environment is created. So even if a Drupal core dependency introduces a breaking change or a bug, it could be found before updating the installed versions in a project's composer.lock.
Yes, it could avoid this problem, although I would rather call it "hiding". If you install I would rather aim for a less drastic and more practical solution to eliminate or precisely identify those Drupal core dependency updates that could break Drupal sites. This could be achieved with the highest testing. If a highest test would run on Drupal core in every hour for example and it would always install the latest available versions from all packages then breaking changes could be identified almost immediately and developers could be notified on various channels that something needs to be fixed and which dependency version should be installed until the fix is available. |
This is not the case. Sites not running drupal-core-strict have been broken by running
Historically, when breaking changes like this happen today, they are identified on the same day, and core developers are aware right away. However, it takes more than an hour to make a Drupal release. I think last time it was a day or two. That's a decent window in which users not using drupal-core-strict can become confused and/or inconvenienced. While I agree that highest testing provides value (c.f. g1a/composer-test-scenarios), it is not a substitute for drupal-core-strict. |
Some of the problems caused by Twig were fixed in later versions. I believe the Symfony problem was caused by a change that affected how Drupal was incorrectly using Symfony. Part of the issue is when old versions of Drupal are used to create dev sites and versions aren't locked, or creating a new site/updating current site with only |
It is likely that Drupal 8.8.0 will support Composer-managed Drupal sites with (and without) a relocated document root, and it is also likely that once this is supported, some equivalent to webflo/drupal-core-strict will be provided. Given that, perhaps it is no longer necessary to introduce that project here. |
The official Drupal documentation on Composer states that "the recommended approach (especially for beginners to Composer) is to use the composer template at Based on comments here Hopefully the new official way will be better for beginners who just want to install and update a regular Drupal site. However, until it is available and widely adopted, I think a lot of beginners to Composer will continue to use this project. |
Checking the webflow/drupal-core-require-dev 8.7.6 composer.json requires a fixed drupal version. If both are fixed, couldn't the version in the drupal-core/drupal-project for webflo be allowed to float and let composer find the correct webflo for the drupal version specified in the base composer.json? That would allow a webflo/drupal-core-strict:^8.0.0 to be a dependency that wouldn't need to be specified, but "composer update drupal/core --with-dependencies" would work for either strict or require-dev? And could the drupal-composer/drupal-project list dev dependencies, but not install them unless dev was overridden? As far as webflo/drupal-core-require-dev allowing updates to versions with problems, it would be easy to have a release date added to the require-dev (i.e. 8.7.6.20190816) to allow for the version to be updated to add a conflict "twig/twig": "^1.40.0" or "twig/twig": "1.40.0" depending on whether it is a change they fixed in the next release, or just showing up an error in drupal code, like symfony/http-foundation did. The reason for all this is that people need to go back to older versions for various reasons, or can't update yet. I've seen people raising issues in slack and posting multiple issues on d.o whenever these problems come up, even after they are fixed. Maybe auto-updates and composer-in-core will fix all this, but we need to look at better ways of using composer. |
I think it's a bug that webflo/drupal-core-strict does not have a restriction on drupal/core. Without it, The best solution to this is to have webflo/drupal-core-strict require |
It probably should be |
Looks done to me. |
The 8 branch still needs to be done. https://github.com/drupal-composer/drupal-project/blob/8.x/composer.json |
D8 is not supported anymore. |
Considering how much trouble the recent Twig 1.38.x issues seem to have caused, should
webflo/drupal-core-strict
be added? I always add it to mydrupal-composer/drupal-project
-based projects.The text was updated successfully, but these errors were encountered: