Adding composer.lock in VCS ?

[drupol]

Hi there,

I'm writing to suggest an enhancement for the vimeo/psalm project to improve its integration and ensure long-term reliability, particularly for package managers like apt, rpm, yum, nix, etc etc.

The primary goal here is to enable reproducibility of the exact build of the PHAR released, down to the last bit. This is crucial, especially when distributing it as a binary for reasons of reliability and security.

To achieve this, I propose adding a composer.lock file to the vimeo/psalm repository. This file will ensure that psalm is reproducible on any system, regardless of environmental differences, by locking down specific versions of dependencies. Its absence currently hinders the ability to precisely replicate the builds you provide in your GitHub releases, introducing potential variability.

For example, in Nix, we have to provide our own composer.lock for each update, as seen here: NixOS/nixpkgs#271920

For reference, here are some projects that have recognized the value of versioning the composer.lock file:

• Add composer.lock sebastianbergmann/phpunit#5576
• Consider adding a composer.lock file in the repository bobthecow/psysh#767
• Consider adding a composer.lock file in the repository phpro/grumphp#1095
• phpbench: init at 1.2.14 NixOS/nixpkgs#255253
• https://github.com/phpstan/phpstan-src/blob/1.11.x/composer.lock

If there are concerns about including the composer.lock file in the main repository, could it be an option to add it to the release artifacts on GitHub instead? This compromise would still greatly benefit reproducibility and consistency in dependency management.

Thank you for considering this enhancement. I look forward to your response.

[psalm-github-bot]

Hey @drupol, can you reproduce the issue on https://psalm.dev ?

[drupol]

Hey @drupol, can you reproduce the issue on https://psalm.dev ?

No, but I cannot reproduce the Psalm PHAR on my local machine 🥲

[danog]

Hi @drupol, note that the composer versions of the packages used to build the phar are already included inside of the phar, in the phar-versions.php file, you could use that instead of composer.lock.

[danog]

Mmm though only the versions Psalm and php-parser are included... I'll merge a commit to also bundle the entire composer.lock as well.

[drupol]

That could be a potential solution, as long as we can extract the composer.lock used to build the phar, I'm happy!

I think in PHPUnit they had a command to print-out the composer.lock file, that could also be a cool thing.

[weirdan]

Providing composer lock bundled with built artifacts (such as phar file) is definitely a good idea. Adding it to VCS is a lot less beneficial and can actually lead to 'works on my machine' situations because composer ignores composer.lock files of your dependencies (see https://getcomposer.org/doc/02-libraries.md#lock-file).