composer-update: include direct-dep ancestors of transitives in update args#26
Merged
Merged
Conversation
…e args When a flagged package is a transitive (e.g. roots/wordpress-no-content pulled in by roots/wordpress at self.version), the per-package retry was failing with "roots/wordpress is locked to version X and an update of this package was not requested" -- composer update -W X updates X plus X's dependencies, NOT X's reverse-dependents. For metapackages that pin their sibling at self.version, the parent is locked at the same version as the transitive and won't move unless we list it explicitly. The retry would no-op, the package would land in UNHANDLED, the widen step would then run composer require -W <ancestor> unconstrained, and composer.json would get rewritten (^6.2.3 -> ^6.9 on holmasto #93, ^6.0 -> ^6.9 on jakerakennus-new #24). Lift the direct-deps set + reverse-dep map (already needed by Step 2 BFS) up to the top of the step, extract the BFS into a find_direct_ancestors() helper, and add an expand_args_for() helper that emits name[:constraint] for the flagged package plus the names of its direct-dep ancestor(s) when the package is a transitive. Both the bulk update and the per-package retry consume the expanded arg list, so composer is allowed to move the ancestor within its existing composer.json constraint -- no widening, no composer.json rewrite. Ancestors get no constraint suffix; they are only included so they are eligible for movement, not pinned to the transitive constraint. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 19, 2026
oxyc
added a commit
that referenced
this pull request
May 29, 2026
… (+ test suite) (#35) * test(composer-update): unit + integration tests; extract helpers to lib.sh The composer-update logic had no tests and was fragile (every recent fix — #20–#31 — was a production-only discovery). Add a real test suite and make the logic testable. - Extract the helper functions (build_pkg_arg, build_widen_arg, find_direct_ancestors, loosen_constraint, is_still_vulnerable, expand_args_for, get_lock_version) from update.sh into a sourceable scripts/lib.sh. update.sh sources it; behavior is unchanged (the existing no-widen integration test still passes). - Unit tests for the PHP helpers (the fragile version-range logic): - compute-min-safe-constraints: exclusive/inclusive bounds, missing version components, multi-range selection, no-entry fall-throughs. - is-still-vulnerable: in/out of range, multi-range, junk-input fail-safe. - Unit tests for the bash helpers, each tied to the edge case it guards: #27 build_pkg_arg trailing newline, #29 build_widen_arg caret widen, #28 loosen_constraint, #22/#26 find_direct_ancestors BFS + expand_args_for. - Integration tests driving the real update.sh with a fake composer: #24 downgrade revert, #21 dev-* revert, #23 per-package retry isolation, #20 no-widen honored as a JSON array. (Plus the existing no-widen test.) - Fix surfaced by the tests: compute-min-safe-constraints emitted `[]` for an empty result, but update.sh string-indexes that map with `jq '.[$pkg]'`, which errors on a JSON array under `set -eo pipefail`. Encode as `{}`. - CI: composer-update-tests.yml now sets up PHP and runs tests/run.sh. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(composer-update): inclusive-bound (<=) safe-version derivation skips 4-segment hotfixes compute-min-safe-constraints derived ~X.Y.(Z+1) for a <=X.Y.Z advisory. That skips a 4-segment hotfix like X.Y.Z.1, which is >X.Y.Z but <X.Y.(Z+1): the constraint matched no published version, the update no-opped, and the vuln went unpatched (no PR opened). Real case: suomentyokalu / seo-by-rank-math, advisory <=1.0.271, fixed in 1.0.271.1. The derived ~1.0.272 could not resolve. Emit >X.Y.Z,<X.(Y+1).0 instead — a strict-greater lower bound that matches the hotfix while still excluding the vulnerable boundary X.Y.Z, still minor-capped. Teach loosen_constraint() and build_widen_arg() the new range shape (major-cap widen/loosen, boundary stays excluded). Tests: regression case asserting <=1.0.271 -> >1.0.271,<1.1.0 plus Semver checks that 1.0.271.1 is reachable and 1.0.271 is excluded; updated existing <= assertions; helper-fn coverage for the range shape. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: test <test@example.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #25. Verified by re-running the scanner against holmasto and jakerakennus-new: the lock movements are correct (
woocommerce 10.5.2 → 10.5.3,query-monitor → 3.20.4, etc.), but composer.json's wordpress constraint widened unnecessarily (^6.2.3 → ^6.9on holmasto,^6.0 → ^6.9on jakerakennus-new).Root cause
composer update -W Xupdates X plus X's dependencies (downward), not X's reverse-dependents (upward). For metapackages likeroots/wordpressthat pinroots/wordpress-no-contentatself.version, the parent is locked at the same version as the transitive and won't move unless explicitly listed.So
composer update -W "wordpress-no-content:~6.9.2"failed with:The retry no-op'd → package landed in
$UNHANDLED→ widen step rancomposer require -W roots/wordpressunconstrained → composer.json got rewritten.Fix
Lift the direct-deps set + reverse-dep map (already needed by Step 2's BFS) up to the top of the step, extract the BFS into
find_direct_ancestors(), and addexpand_args_for()that emitsname[:constraint]for the flagged package plus the names of its direct-dep ancestor(s) when the package is a transitive. Both the bulk update and the per-package retry consume the expanded arg list — composer is allowed to move the ancestor within its existing composer.json constraint, no widening, no composer.json rewrite.Ancestors get no constraint suffix: they're only included so they're eligible for movement, not pinned to the transitive's tilde range.
Test plan
wordpress-no-content 6.9.1 → 6.9.4etc.) without wideningcomposer.json'sroots/wordpressconstraint from^6.2.3.^6.0.🤖 Generated with Claude Code