composer update fails due to conflicts with league/oauth2-server-bundle / symfony/psr-http-message-bridge

[RobertMe]

Hi,

First off I was unsure whether to report this as a recipes or a Flex issue, but as the issue occurs due to an change in the recipe (index) I think this would be a better place to report it.

I'm working in a project which has a dependency on league/oauth2-server-bundle, in turn this project depends on symfony/psr-http-message-bridge:^2.0. But when we now run composer update (or composer update -W) this fails due to a dependency issue, while a couple of weeks back it still worked fine.

composer update -W
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Restricting packages listed in "symfony/symfony" to "^6.3"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires league/oauth2-server-bundle ^0.5.0 -> satisfiable by league/oauth2-server-bundle[v0.5.0].
    - league/oauth2-server-bundle v0.5.0 requires symfony/psr-http-message-bridge ^2.0 -> found symfony/psr-http-message-bridge[v2.0.0, ..., v2.3.1] but these were not loaded, likely because it conflicts with another require.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

I could however manually update all packages by name, as long as I didn't try to update symfony/* (or presumably: as long as I didn't try to update symfony/psr-http-message-bridge)

After further investigation the problem was found to be related with our project having the extra.symfony.require property set to ^6.3 (oddly enough it works fine with ^5.4 set). So this meant the issue is related to Flex, and is confirmed by the fact that composer update --no-plugins works just fine.

Further investigation lead me to the recipes index containing the following info:

            "symfony/psr-http-message-bridge": [
                "6.4",
                "7.0"
            ],

which has only been added 3 weeks ago which also could match our time window from composer update working to not working.
Digging into the code further lead me to the conclusion that PackageFilter::removeLegacyPackages doesn't accept this (transitive) dependency because the versions Composer resolves (all versions in the 2.x series) don't match our extra.symfony.require constraint of ^6.3, the fact that this package is part of the recipes index (packages which aren't in the recipes index are always allowed with all versions), and it isn't a root dependency.

As a work-a-round I have now added an explicit dependency on symfony/psr-http-message-bridge to version ^2.3 which makes Flex just accept the Composer proposed versions and not validating it against the extra.symfony.require setting. But IMO this shouldn't be needed (or at least not as long that there is no actual stable release of symfony/psr-http-message-bridge which follows the Symfony versioning scheme, i.e.: as long as there is no stable 6.4 / 7.0).

[nicolas-grekas]

Fixed by symfony/flex#1003