bower package install failed

[lan143]

Today, I ran into a problem when trying to update the packages through composer update. None of the packages Bower-Assets has not been found and update fails. But Bower the work. Log:

Installing yiisoft/yii2-app-basic (2.0.10)
  - Installing yiisoft/yii2-app-basic (2.0.10)
    Downloading: 100%

Created project in test
Loading composer repositories with package information
Updating dependencies (including require-dev)
  - Installing yiisoft/yii2-composer (2.0.4)
    Loading from cache

  - Installing swiftmailer/swiftmailer (v5.4.4)
    Loading from cache

  - Installing bower-asset/jquery (1.12.4)
    Downloading: Failed
    Failed to download bower-asset/jquery from dist: The "https://api.github.com/repos/bower-asset/jquery/zipball/a76fe112f860279382d9f6336fe040fd8f8aa13d" file could not be downloaded (HTTP/1.1 404 Not Found)
    Now trying to download from source
  - Installing bower-asset/jquery (1.12.4)
    Cloning a76fe112f860279382d9f6336fe040fd8f8aa13d
The authenticity of host 'github.com (192.30.253.112)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? yes


  [RuntimeException]
  Failed to clone https://github.com/bower-asset/jquery.git via https, ssh protocols, aborting.
  - https://github.com/bower-asset/jquery.git
    Cloning into '/home/triya/test/vendor/bower-asset/jquery'...
    remote: Invalid username or password.
    fatal: Authentication failed for 'https://github.com/bower-asset/jquery.git/'
  - git@github.com:bower-asset/jquery.git
    Cloning into '/home/triya/test/vendor/bower-asset/jquery'...
    Warning: Permanently added 'github.com,192.30.253.112' (RSA) to the list of known hosts.
    Permission denied (publickey).
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.


create-project [-s|--stability STABILITY] [--prefer-source] [--prefer-dist] [--repository REPOSITORY] [--repository-url REPOSITORY-URL] [--dev] [--no-dev] [--no-custom-installers] [--no-scripts] [--no-progress] [--no-secure-http] [--keep-vcs] [--no-install] [--ignore-platform-reqs] [--] [<package>] [<directory>] [<version>]

Composer and assets plugin is latest version.

[jmmerino]

Same here....

When I do a composer install, composer fails because a "bower-asset/XXX" dependency.

It fails with a message like this:

I checked out the repos in https://github.com/bower-asset and all of them are private or they have been removed.... Is there anything I'm missing?.

Yii2: v2.0.10
fxp/composer-asset-plugin: v1.2.2
composer.json:

{
  "name": "yiisoft/yii2-app-advanced",
  "description": "Yii 2 Advanced Application Template",
  "keywords": [
    "yii2",
    "framework",
    "advanced",
    "application template"
  ],
  "homepage": "http://www.yiiframework.com/",
  "type": "project",
  "license": "BSD-3-Clause",
  "support": {
    "issues": "https://github.com/yiisoft/yii2/issues?state=open",
    "forum": "http://www.yiiframework.com/forum/",
    "wiki": "http://www.yiiframework.com/wiki/",
    "irc": "irc://irc.freenode.net/yii",
    "source": "https://github.com/yiisoft/yii2"
  },
  "minimum-stability": "stable",
  "require": {
    "php": ">=5.4.0",
    "yiisoft/yii2": "2.0.*",
    "yiisoft/yii2-swiftmailer": "*",
    "facebook/php-sdk-v4": "4.0.*",
    "google/apiclient": "2.1.0",
    "nickcv/yii2-mandrill": "*",
    "linslin/yii2-curl": "1.0.5",
    "yiisoft/yii2-twig": "~2.0.0",
    "yiisoft/yii2-jui": "~2.0.0.0",
    "kartik-v/yii2-widget-datetimepicker": "~1.4.2",
    "kartik-v/yii2-widget-select2": "*",
    "quaderno/quaderno": "1.*",
    "yiisoft/yii2-redis": "~2.0.0",
    "moonlandsoft/yii2-phpexcel": "*",
    "yiisoft/yii2-bootstrap": "~2.0.0",
    "stripe/stripe-php": "^3.13",
    "php-amqplib/php-amqplib": "^2.6",
    "hellogerard/jobby": "^3.0",
    "katzgrau/klogger": "dev-master",
    "league/oauth2-client": "^1.4",
    "guzzlehttp/guzzle": "^6.2",
    "mobiledetect/mobiledetectlib": "^2.8",
    "bazilio/yii2-newrelic": "~0.0.1",
    "frostealth/yii2-aws-s3": "~1.0@stable"
  },
  "require-dev": {
    "icanboogie/inflector": "*",
    "yiisoft/yii2-codeception": "*",
    "yiisoft/yii2-debug": "*",
    "yiisoft/yii2-gii": "*",
    "yiisoft/yii2-faker": "*",
    "flow/jsonpath": "*",
    "codeception/codeception": "~2.1 !=2.1.5 !=2.2.3 !=2.2.6 !=2.2.7",
    "codeception/specify": "*",
    "codeception/verify": "*",
    "deployphp/recipes": "~3.0",
    "site5/phantoman": "^1.1"
  },
  "autoload": {
    "psr-4": {
      "queue\\": "queue/src/"
    }
  },
  "config": {
    "process-timeout": 1800,
    "github-oauth": {
      "github.com": "XXXXXXX"
    }
  },
  "extra": {
    "asset-installer-paths": {
      "npm-asset-library": "vendor/npm",
      "bower-asset-library": "vendor/bower"
    }
  }
}

[inacho]

Same problem 😢

[diegoparkingdoor]

Same case here:

[francoispluchino]

It sounds like a problem with Packagist ! see https://packagist.org/search/?q=bower-asset, Now, Packagist references the virtual packages.

[francoispluchino]

I think I have found the problem. Since the v2.0 of Punycode.js, the bower.json file no longer exists. So the plugin does not replace the name in the download links. I am working on a fix of the problem.

[francoispluchino]

Only the 1.3.2 version of Punycode.js has a bug. But this is also the case for the 1.12.4 version of Jquery.

For the moment, add this constraint in your composer project file:

{
    "require": {
        "bower-asset/punycode": "^1.3.0 !=1.3.2",
        "bower-asset/jquery": "^1.12 !=1.12.4"
    }
}

[rezident]

I've had the same problem with jquery.inputmask 3.3.3

[mrserg161]

bower-asset/jquery

[rezident]

My project requires Yii2. For its part, Yii2 requires this bad dependencies. We are waiting for fix composer asset plugin.

[nadar]

@rezident Maybe creating an issue on https://github.com/yiisoft/yii2 as there will be a lot of other users affected by this problem. Me as well. This is absolutely the downside of such frameworks relating to other library's and plugins.

[jmmerino]

@nadar yiisoft/yii2#13247 😉

[francoispluchino]

After removing my Composer caches, I confirm that the problem comes from Packagist. Composer downloads a list of repository providers in COMPOSER_HOME/repo/https---packagist.org/provider-bower-asset$jquery.json (for jquery).

The problem comes with the virtual packages referenced by many packages with provide and replace section.

[francoispluchino]

The problem is with the packages:

• cebe/assetfree-yii2
• yidas/yii2-composer-bower-skip

[SilverFire]

For those who faced this problem - try https://asset-packagist.org as an alternative.

[cebe]

@francoispluchino I see the problem but why does it only appear today? The package cebe/assetfree-yii2 exists on packagist for over 9 month now.

[francoispluchino]

@SilverFire You're going to have the same problem, Because the packages referenced in Packagist are retrieved before the others.

[diegoparkingdoor]

@cebe because I think that the fallback repo was github repo, and it disappeared today.

[cebe]

@diegoparkingdoor what is "fallback repo"? can you give more info or a link?

[bizley]

I confirm all works after switching to https://asset-packagist.org (bower-asset/jquery was the problem before).

[francoispluchino]

In the file COMPOSER_HOME/repo/https---packagist.org/provider-bower-asset$jquery.json:

{
  "packages": {
    "bower-asset\/jquery": {
      "1.12.4": {
        "name": "bower-asset\/jquery",
        "description": "Distribution repo for jQuery Core releases.",
        "keywords": [],
        "homepage": "",
        "version": "1.12.4",
        "version_normalized": "1.12.4.0",
        "license": [],
        "authors": [],
        "source": {
          "type": "git",
          "url": "https:\/\/github.com\/bower-asset\/jquery.git",
          "reference": "a76fe112f860279382d9f6336fe040fd8f8aa13d"
        },
        "dist": {
          "type": "zip",
          "url": "https:\/\/api.github.com\/repos\/bower-asset\/jquery\/zipball\/a76fe112f860279382d9f6336fe040fd8f8aa13d",
          "reference": "a76fe112f860279382d9f6336fe040fd8f8aa13d",
          "shasum": ""
        },
        "type": "library",
        "time": "2016-12-19T07:13:46+00:00",
        "uid": 1133121
      },
      //....
    }
  }
}

It's the source url and the dist url that are used.

[cebe]

why are these added there, the package is virtual on packagist, it should not have any source or dist urls.

[cebe]

is that something created by packagist.org?

[cebe]

might be. I did not find it on packagist however. https://packagist.org/providers/bower-asset/jquery

[francoispluchino]

@cebe https://packagist.org/search/?q=bower-asset

[cebe]

yes, it is on packagist as a virtual package because of my yii2-asset-free package. but that has been there since I created it.

[bizley]

@francoispluchino

1. vendor & composer.lock removed.
2. composer.json switched back to composer-asset-plugin.
3. composer cache cleared.
4. composer install: same problem with bower-asset/jquery.

So again:

1. vendor & composer.lock removed.
2. composer.json switched to https://asset-packagist.org
3. composer cache cleared.
4. composer install: all works.

[cebe]

Problem analysis, thanks to @alcohol from #composer-dev IRC channel on freenode!

1. Someone was able to create bower-asset/jquery package on packagist. Even though there is a
   virtual package with that name and this newly registered version does not show up in the interface,
   it has two versions listed in the package info json:
   https://packagist.org/p/bower-asset/jquery%242fab1ac0b638d1cc9c9b51a810c84229e91af63a84e7f1c44cf3829aeca1107d.json

"bower-asset/jquery": {

    "1.12.4": {
        "name": "bower-asset/jquery",
        "description": "Distribution repo for jQuery Core releases.",
        "keywords": [ ],
        "homepage": "",
        "version": "1.12.4",
        "version_normalized": "1.12.4.0",
        "license": [ ],
        "authors": [ ],
        "source": {
            "type": "git",
            "url": "https://github.com/bower-asset/jquery.git",
            "reference": "a76fe112f860279382d9f6336fe040fd8f8aa13d"
        },
        "dist": {
            "type": "zip",
            "url": "https://api.github.com/repos/bower-asset/jquery/zipball/a76fe112f860279382d9f6336fe040fd8f8aa13d",
            "reference": "a76fe112f860279382d9f6336fe040fd8f8aa13d",
            "shasum": ""
        },
        "type": "library",
        "time": "2016-12-19T07:13:46+00:00",
        "uid": 1133121
    },
    "dev-master": {
        "name": "bower-asset/jquery",
        "description": "Distribution repo for jQuery Core releases.",
        "keywords": [ ],
        "homepage": "",
        "version": "dev-master",
        "version_normalized": "9999999-dev",
        "license": [
            "Jquery"
        ],
        "authors": [ ],
        "source": {
            "type": "git",
            "url": "https://github.com/bower-asset/jquery.git",
            "reference": "7f3fb476862a87eff31d55d29fcbf1d7f28a576f"
        },
        "dist": {
            "type": "zip",
            "url": "https://api.github.com/repos/bower-asset/jquery/zipball/7f3fb476862a87eff31d55d29fcbf1d7f28a576f",
            "reference": "7f3fb476862a87eff31d55d29fcbf1d7f28a576f",
            "shasum": ""
        },
        "type": "library",
        "time": "2016-12-19T07:15:56+00:00",
        "uid": 1133122
    }

},

2. it is unclear to me how that package exists on packagist as the namespace is still free. There should be vendor name protection but I was just able to register https://packagist.org/packages/bower-asset/namespace-placeholder-xyz without failure.

[SilverFire]

@Seldaek is is possible to drop those packages from Packagist.org?

[cebe]

I just reported it to packagist here: composer/packagist#756

[erikverheij]

As a workaround I added the package to the replace section in my composer file.

"replace": {
    "bower-asset/jquery": "*",
},

Note that you'll have to make sure to include jquery manually if you need it. This is just a quick fix that may help you until the issue has been resolved.

[francoispluchino]

@erikverheij Maybe include a replacement of all asset packages from the plugin?

[cebe]

@francoispluchino as far as I see only the package that is advertised by packagist are affected, which are jquery and punycode so far.

[francoispluchino]

@erikverheij There is a problem with your solution:

{
  "require": {
    "bower-asset/jquery": "1.12.4"
  },
  "replace": {
    "bower-asset/jquery": "*"
  }
}

$ composer install --prefer-dist -v
Loading composer repositories with package information
Updating dependencies (including require-dev)
Adding VCS repository bower-asset/jquery
Reading bower.json of bower-asset/jquery (1.12.4)
Importing tag 1.12.4 (1.12.4.0)
Dependency resolution completed in 0.000 seconds
Analyzed 89 packages to resolve dependencies
Analyzed 72 rules to resolve dependencies
Nothing to install or update
Generating autoload files

The package is not installed.

[cebe]

The problem can be worked around by adding the following to your composer.json:

    "require": {
...
        "bower-asset/jquery": "<1.12.4",
        "bower-asset/punycode": "<1.3.2"
    },

This will exclude the versions that have been added wrongly to packagist and will allow the asset plugin to install the correct packages.

[francoispluchino]

@cebe This was my proposal, but the problem still exists after cleaning the cache.

[cebe]

it did work for me with clean cache here...

[francoispluchino]

@cebe It did not work for me with the full example of @jmmerino and my patch, because I forgot to add that of jquery. No comment...

Add that, solves the problem of my previous comment:

{
    "require": {
        "bower-asset/punycode": "^1.3.0 !=1.3.2",
        "bower-asset/jquery": "^1.12 !=1.12.4"
    }
}

But it will not fix the problem definitely. It is enough that the guy updates his package, or adds others, and the problem will continue.

[cebe]

Sure, this is just a workaround for now.

Btw, I have registered:

• https://packagist.org/packages/bower-asset/namespace-placeholder-xyz
• https://packagist.org/packages/npm-asset/namespace-placeholder-xyz

to reserve the vendor namespaces on packagist, when composer/packagist#756 gets fixed, this should prevent such issues form happening in the future.

[francoispluchino]

@cebe With your proposal, reserved only one package name with vendor name, is enough to reserve the vendor name?

[francoispluchino]

Packagist is now cleaned. And the install is ok. Thanks to @cebe and @Seldaek.

[rezident]

@francoispluchino I confirm it! Thank you very much!

[francoispluchino]

@cebe Maybe transfert the github repositories bower-asset/namespace-placeholder-xyz and npm-asset/namespace-placeholder-xyz to @fxpio.

[cebe]

With your proposal, reserved only one package name with vendor name, is enough to reserve the vendor name?

@francoispluchino yes, see composer/packagist#163 (comment)

[cebe]

@francoispluchino I am trying to register the names on github as well. Contacted github about https://github.com/bower-asset and @SilverFire has registered https://github.com/npm-asset

will add you as owner too when it is done.

[SilverFire]

For the case I've registered bower-asset and npm-asset users on Packagist.org as well

[cebe]

For the case I've registered bower-asset and npm-asset users on Packagist.org

afaik, that does not help anything as user names on packagist have no special purpose.

[SilverFire]

Yes, I know that. That's why I've said "just for case"