Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Keep composer.json and composer.lock synchronised at all times #6058

Closed
mgazdzik opened this Issue Aug 25, 2014 · 10 comments

Comments

Projects
None yet
4 participants
@mgazdzik
Copy link
Contributor

commented Aug 25, 2014

Due to possibility of using Piwik as dependency (i.e. for automating build and deploy process) it would be great to keep those 2 files synchronised at all times, and in specific it involves using strict versioning in composer.json to avoid uncontrolled version switches which could break deployment procedure.

@tsteur

This comment has been minimized.

Copy link
Member

commented Sep 23, 2014

Is there something still to do? Shouldn't we still possible to define versions like ">= 3.4.0" as long as we always commit the composer.lock file?

@mgazdzik

This comment has been minimized.

Copy link
Contributor Author

commented Sep 23, 2014

It might be causing a BC breaks for older versions. I.e - in Piwik 2.5.0 there is some certain version of library in composer.lock (which contains exact commit mark), and >= 1.0.0 in composer.json . After version bump of this single library installation from composer.lock will still work fine, while installing as dependency will fail (newer version would be cloned).

@tsteur

This comment has been minimized.

Copy link
Member

commented Sep 23, 2014

I think I got it! Or maybe not...

Shoudn't "composer install" prevent exactly this? I thought composer.lock always saves a fixed version number and as long as someone is not using "composer update" everything should be fine? Even for older versions of Piwik and even if there is a new version of a used library.

If there is a composer.lock file in the current directory, it will use the exact versions from there instead of resolving them. This ensures that everyone using the library will get the same versions of the dependencies.

Jog my memory. I'm usually not installing it as a dependency therefore I need a helping hand ;)

@mattab mattab modified the milestones: Piwik 2.8.0, Piwik 2.9.0 Oct 2, 2014

@tsteur

This comment has been minimized.

Copy link
Member

commented Oct 15, 2014

@mgazdzik is there still something to do?

@mgazdzik

This comment has been minimized.

Copy link
Contributor Author

commented Oct 15, 2014

@tsteur - sorry for late reply, I didin't notice your previous comment before. As far as I remember, when downloading Piwik as dependency - composer.lock file is simply not even parsed by main composer, only dependencies from composer.json are being downloaded according to its constraints.

Please let me know if this explaination is sufficient or you would like me to reffer to some documentation (currently I'm speaking basing on experience)

@tsteur

This comment has been minimized.

Copy link
Member

commented Oct 15, 2014

OK, so the conclusion is that we have to specify exact version numbers in composer.json? Wondering how we still can get updates without having to check for updates manually.

@mnapoli

This comment has been minimized.

Copy link
Contributor

commented Oct 15, 2014

Here is the current composer.json:

    "require": {
        "php": ">=5.3.3",
        "twig/twig": "1.*",
        "leafo/lessphp": "0.4",
        "symfony/console": ">=v2.3.5",
        "tedivm/jshrink": "v0.5.1",
        "mustangostang/spyc": "0.5.*",
        "piwik/device-detector": "2.*",
        "piwik/decompress": "~0.1.0"
    }

What we could do is strengthen the version constraints so that we minimize the risks of BC breaks in dependencies. Putting exact version numbers in there (like "tedivm/jshrink": "v0.5.1") is going a bit too far IMO (unless there's a good reason). We will fall behind new versions too fast and too far.

If, for a library, we can safely assume that there will be no BC breaks between patch releases (semver enforced), then we could use version constraints like this for every dependency: 2.1.* (or ~2.1.0 which is roughly the same). Eg Symfony commit to "no BC breaks for minors" so we could use ~2.3.

What we must not do is:

  • >=v2.3.5 because when 3.0.0 gets out it will be installed!
  • v0.5.1 unless there is no good reason. When I look at the project I read: v0.5.2: The JShrink code itself is unchanged, and you should be able to update without issue. I also see he released a v1.0.0, so we should consider updating when we get some time to review.

About "twig/twig": "1.*" are we sure twig keeps BC between minors?

Anyway, here is a suggestion:

    "require": {
        "php": ">=5.3.3",
        "twig/twig": "~1.0",
        "leafo/lessphp": "~0.4.0",
        "symfony/console": "~2.3",
        "tedivm/jshrink": "~0.5.1",
        "mustangostang/spyc": "~0.5.0",
        "piwik/device-detector": "~2.0",
        "piwik/decompress": "~0.1.0"
    }

TL/DR:

  • ~1.0 for packages following semver strictly because it shouldn't break between minors
  • ~1.0.0 for other packages because patch releases should have a very low risk of BC breaks
@tsteur

This comment has been minimized.

Copy link
Member

commented Oct 15, 2014

sounds good

@mgazdzik

This comment has been minimized.

Copy link
Contributor Author

commented Oct 16, 2014

@mnapoli yeah, sounds good to me as well. We should be all good as long as we provide strict enoguh constraints to avoid situations like in this PR https://github.com/piwik/piwik/pull/6043/files

mnapoli added a commit that referenced this issue Oct 16, 2014

@mnapoli mnapoli self-assigned this Oct 18, 2014

mattab pushed a commit that referenced this issue Oct 20, 2014

Matthieu Aubry
Merge pull request #6458 from piwik/composer.json-update
Updated composer constraints for #6058
@mnapoli

This comment has been minimized.

Copy link
Contributor

commented Oct 20, 2014

The pull request has been merged.

@mnapoli mnapoli closed this Oct 20, 2014

@mnapoli mnapoli modified the milestones: Piwik 2.8.1, Piwik 2.9.0 Oct 20, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.