Composer: Support stability constraints for packages

[archnode]

What would you like Renovate to be able to do?
It would be great if renovate could support composer stability constraints on package definitions in composer.json.

Additionally I think that the "minimum-stability" flag should be honored, as packages can depend on other packages that don't fullfill the minimum-stability requirement which causes the update of packages to fail with renovate.

Describe the solution you'd like
Having renovate honor the additional criteria that composer users.

Describe alternatives you've considered
As composer is notorious for having a few quirks in package resolution I wonder if it wouldn't be easier to determine the individual upgradeable packages using composer and parsing the output back to renovate instead of having a javascript-based reimplementation.

Additional context
If you install a package only available at a certain stability, the stability constraint is set in the composer.json. Having support for this in renovate would certainly make this smoother for existing projects.

[rarkins]

Do you have any examples of incorrect upgrades that Renovate is proposing?

[archnode]

One thing I encountered: Renovate wants to update Package A to v1.0.5 which has a minimum requirement for Package B v1.0.5 (which is only available with stability "dev"). Composer can't resolve this dependency, as this doesn't correspond to minimum stability.

[rarkins]

If you are able to reproduce anything like this with a composer.json/composer.lock, I'd be happy to take a look and assess against our current approach.

[archnode]

Would it make sense to split the topic of stability constraint resolution into a seperate issue? My core problem with stability constraints is that packages with a version range like "^1.0@alpha" are skipped entirely, as this isn't recognized as a valid version range.

[rarkins]

Sounds like we should fix that first. It would be done in our composer semver versioning module

[JorisVanEijden]

I have set up a repro repo for this issue: https://github.com/JorisVanEijden/renovate-repro
I used the drupal/private_message package because this is what triggered the bug for me.

Conditions:

• composer.json minimum-stability is "dev"
• range in composer.json is ^2.0
• installed version in composer.lock is 2.0.0@beta16
• there are no non-beta 2.x versions of the package available
• rangeStrategy is "update-lockfile"

Renovatebot chokes on this with the following error:

{
  "err": {
    "message": "Cannot read property 'replace' of null",
    "stack": "TypeError: Cannot read property 'replace' of null
    at normalizeVersion (/home/ubuntu/renovateapp/node_modules/renovate/dist/versioning/composer/index.js:46:21)
    at composer2npm (/home/ubuntu/renovateapp/node_modules/renovate/dist/versioning/composer/index.js:50:24)
    at Object.getMajor (/home/ubuntu/renovateapp/node_modules/renovate/dist/versioning/composer/index.js:66:66)
    at Object.getBucket (/home/ubuntu/renovateapp/node_modules/renovate/dist/workers/repository/process/lookup/bucket.js:9:34)
    at Object.lookupUpdates (/home/ubuntu/renovateapp/node_modules/renovate/dist/workers/repository/process/lookup/index.js:156:37)
    at runMicrotasks (<anonymous>)\n    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async fetchDepUpdates (/home/ubuntu/renovateapp/node_modules/renovate/dist/workers/repository/process/fetch.js:39:32)
    at async /home/ubuntu/renovateapp/node_modules/p-map/index.js:57:22"
  }
}

[rarkins]

@JorisVanEijden can you file that as a bug instead? We should not be causing internal errors even if not supporting constraint-based lookups yet.

[JorisVanEijden]

The internal error is resolved but the minimum-stability property is not yet supported.

A possible fix would be to add the value of composer's minimum-stability to the versions when reading the composer.json, if there is not already a stability qualifier present. Somewhere in

renovate/lib/manager/composer/extract.ts

Line 81 in b78b483

export async function extractPackageFile(

So that "^2.0" becomes:

"^2.0" with default minimum-stability of "stable"
"^2.0@dev" when minimum-stability is "dev"
"^2.0@beta"
etc.
https://getcomposer.org/doc/04-schema.md#minimum-stability

[github-actions[bot]]

Hi there,

Get your issue fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible.

Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this.

To get started, please read our guide on creating a minimal reproduction.

We may close the issue if you, or someone else, haven't created a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment.

Good luck,

The Renovate team