Composer 'update-lockfile' does not respect in-range updates for ^1.2 #8250
Labels
priority-3-medium
Default priority, "should be done" but isn't prioritised ahead of others
status:in-progress
Someone is working on implementation
type:bug
Bug fix of existing functionality
What Renovate type, platform and version are you using?
Self-hosted (v24.12.3)
Describe the bug
Some of the dependencies in our composer.json file are using caret-style constraints (like ^3.0) to define allowed updates. So an update from v3.3.2 to v3.4.0 is 'in-range'.
We are using Renovate's "rangeStrategy": "update-lockfile" option. For the example above (v3.4.0 -> v3.7.2) I expected that Renovate would only update the lockfile and not the composer.json as well. According to the documentation: https://docs.renovatebot.com/configuration-options/#rangestrategy
However Renovate is creating PRs like this:
So Renovate updates composer.lock, which is expected, but it also updates composer.json, which is unexpected because the updated dependency is in-range of the defined constraint (^3.0).
Updating the composer.json also results in a new 'content-hash' in the composer.lock file, which causes conflicts in the composer.lock file when merging multiple Renovate PRs.
Is it expected that caret-like constraints should be defined as strict as possible or is this indeed a bug in Renovate?
I hope this bug report is clear enough.
Relevant debug logs
Have you created a minimal reproduction repository?
https://github.com/annuh/renovate-issue-8250
Additional context
^v1.2 vs ^v1.2.3
It seems this issue is caused because the dependency constraint is not 'strict' enough. Another update for v0.9.6 results in a PR with only an updated composer.lock file.
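The in-range expectation described in the report can be checked mechanically. The following is an added example, not Renovate's or Composer's code: it computes the bounds of a Composer caret constraint and reports which files an update should touch under a lockfile-only strategy. The function names (`parse`, `caret_bounds`, `files_to_change`) are hypothetical, and only plain numeric versions (no pre-release or stability suffixes) are handled.

```python
import re

def parse(version):
    """Parse 'v3.4.0' or '1.2' into ((major, minor, patch), parts_given)."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    given = [int(g) for g in m.groups() if g is not None]
    return tuple(given + [0] * (3 - len(given))), len(given)

def caret_bounds(constraint):
    """Return (lower, upper) so that lower <= v < upper satisfies '^x.y.z'.

    Composer caret rule: ^1.2.3 is >=1.2.3 <2.0.0, but for 0.x releases
    ^0.3 is >=0.3.0 <0.4.0 and ^0.0.3 is >=0.0.3 <0.0.4.
    """
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are handled here")
    lower, n = parse(constraint[1:])
    # Bump the first non-zero component that was written; if every written
    # component is zero, bump the last one written.
    pos = next((i for i in range(n) if lower[i] != 0), n - 1)
    upper = lower[:pos] + (lower[pos] + 1,) + (0,) * (2 - pos)
    return lower, upper

def files_to_change(constraint, new_version):
    """In range: only the lockfile moves. Out of range: the constraint in
    composer.json has to change too, which also changes the content-hash."""
    lower, upper = caret_bounds(constraint)
    new, _ = parse(new_version)
    if lower <= new < upper:
        return ["composer.lock"]
    return ["composer.json", "composer.lock"]

if __name__ == "__main__":
    # Constructed sample updates; constraints mirror the shapes in the report.
    for constraint, new in [("^3.0", "v3.7.2"), ("^v1.2", "v1.3.0"),
                            ("^v1.2.3", "v2.0.0"), ("^0.3", "0.4.0")]:
        print(constraint, "->", new, ":", files_to_change(constraint, new))
```

A check like this in CI can flag dependency PRs that modify composer.json for an update the existing constraint already allows.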