Composer 'update-lockfile' does not respect in-range updates for ^1.2 #8250

Closed
1 of 5 tasks
annuh opened this issue Jan 11, 2021 · 4 comments · Fixed by #8391
Labels
priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others status:in-progress Someone is working on implementation type:bug Bug fix of existing functionality

Comments

annuh commented Jan 11, 2021

What Renovate type, platform and version are you using?

Self-hosted (v24.12.3)

Describe the bug

Some of the dependencies in our composer.json file are using caret-style constraints (like ^3.0) to define allowed updates. So an update from v3.3.2 to v3.4.0 is 'in-range'.

We are using Renovate's "rangeStrategy": "update-lockfile" option. For the example above (v3.4.0 -> v3.7.2) I expected that Renovate would only update the lockfile and not the composer.json as well.

According to the documentation: https://docs.renovatebot.com/configuration-options/#rangestrategy

update-lockfile = Update the lock file when in-range updates are available, otherwise replace for updates out of range. Works for bundler, composer, npm, and yarn, so far

However, Renovate is creating PRs like this:

image

composer.json:
-        "doctrine/doctrine-fixtures-bundle": "^3.0",
+        "doctrine/doctrine-fixtures-bundle": "^3.4",
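
Review bot: the change of the doctrine/doctrine-fixtures-bundle constraint from ^3.0 to ^3.4 should not be part of this update. The version being locked, 3.4.0, already satisfies ^3.0, so with rangeStrategy set to update-lockfile composer.json should be left as it is and only composer.lock should change.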

composer.lock:
-   "content-hash": "573ac5d6a30cfe5b8ed65853a53e6023",
+   "content-hash": "d2e4c065ca48a6736deec11067c13a99",
      "packages": {
            "name": "doctrine/doctrine-fixtures-bundle",
-            "version": "3.3.2",
+           "version": "3.4.0",
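
Review bot: the content-hash change at the top of this hunk comes from the composer.json edit, not from the 3.3.2 to 3.4.0 bump, because Composer derives that hash from composer.json. Leaving the ^3.0 constraint untouched would keep the hash at its current value and reduce this hunk to the version line, so separate update PRs would no longer all rewrite the same hash line.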

So Renovate updates composer.lock, which is expected, but it also updates composer.json, which is unexpected because the updated dependency is in-range of the defined constraint (^3.0).

Updating the composer.json also results in a new 'content-hash' in the composer.lock file, which causes conflicts in the composer.lock file when merging multiple Renovate PRs.

Is it expected that caret-like constraints should be defined as strictly as possible, or is this indeed a bug in Renovate?

I hope this bug report is clear enough.

Relevant debug logs

# renovate.json

{
    "extends": [
        "config:base"
    ],
    "enabledManagers": [
        "composer"
    ],
    "rangeStrategy": "update-lockfile",
    "rebaseWhen": "conflicted"
}

Have you created a minimal reproduction repository?

https://github.com/annuh/renovate-issue-8250

  • This is a really small bug, it does not need a reproduction (think small typo)
  • I have provided a minimal reproduction repository
  • I don't have time for that, but it happens in a public repository I have linked to
  • I don't have time for that, and cannot share my private repository
  • The nature of this bug means it's impossible to reproduce publicly

Additional context

^v1.2 vs ^v1.2.3
It seems this issue is caused because the dependency constraint is not 'strict' enough. Another update for v0.9.6 results in a PR with only an updated composer.lock file.

@viceice viceice added the auto:reproduction A minimal reproduction is necessary to proceed label Jan 11, 2021
Member

viceice commented Jan 11, 2021

Please create a reproduction repo.

Please do not delete issue template sections.

@viceice viceice added the priority-4-low Low priority, unlikely to be done unless it becomes important to more people label Jan 11, 2021
Author

annuh commented Jan 11, 2021

> Please create a reproduction repo.

You were fast 🙂 I've updated the bug report and created a reproduction repository: https://github.com/annuh/renovate-issue-8250

Collaborator

rarkins commented Jan 11, 2021

It does seem to be specific to update-lockfile and "short" ranges (e.g. v5.1 but not v5.1.0). I checked against our composer versioning and it passes as expected:

image
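
The in-range decision discussed in this thread, as an added JavaScript example that is not Renovate's code: it computes the bounds of a Composer caret constraint, including short forms such as ^3.0 or ^v1.2, and reports which files an update-lockfile run needs to change. The function names are hypothetical and only plain caret constraints are handled.

```javascript
// Added example, not Renovate's code. Handles only plain caret constraints
// such as ^3.0 or ^v1.2.3 (no stability flags, wildcards or combined ranges).
const VERSION = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/;

// Split "v3.4" into numeric parts, padding to three, and remember how many
// parts were written, because caret bounds depend on that for 0.x versions.
function parse(text) {
  const m = VERSION.exec(text.trim());
  if (!m) throw new Error(`unsupported version: ${text}`);
  const written = m.slice(1).filter((p) => p !== undefined);
  const parts = [0, 1, 2].map((i) => Number(written[i] ?? 0));
  return { parts, given: written.length };
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: allow changes that keep the leftmost non-zero part fixed.
// ^3.0 -> [3.0.0, 4.0.0), ^0.9 -> [0.9.0, 0.10.0), ^0.0.3 -> [0.0.3, 0.0.4).
function caretBounds(constraint) {
  if (!constraint.startsWith('^')) throw new Error(`not a caret range: ${constraint}`);
  const { parts: lower, given } = parse(constraint.slice(1));
  let pos = 2;
  if (lower[0] !== 0 || given === 1) pos = 0;
  else if (lower[1] !== 0 || given === 2) pos = 1;
  const upper = lower.map((n, i) => (i < pos ? n : i === pos ? n + 1 : 0));
  return { lower, upper };
}

function satisfies(version, constraint) {
  const v = parse(version).parts;
  const { lower, upper } = caretBounds(constraint);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// update-lockfile decision: in-range updates touch composer.lock only.
function filesToChange(constraint, newVersion) {
  return satisfies(newVersion, constraint)
    ? ['composer.lock']
    : ['composer.json', 'composer.lock'];
}

// Constructed check using the constraint and version from the report above.
console.log(filesToChange('^3.0', '3.4.0')); // [ 'composer.lock' ]
```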

@rarkins rarkins added priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others reproduced ✔️ type:bug Bug fix of existing functionality and removed priority-4-low Low priority, unlikely to be done unless it becomes important to more people auto:reproduction A minimal reproduction is necessary to proceed labels Jan 11, 2021
@zharinov zharinov added status:in-progress Someone is working on implementation and removed status:ready labels Jan 13, 2021
@renovate-release
Collaborator

🎉 This issue has been resolved in version 24.27.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 23, 2021