composer icon indicating copy to clipboard operation
composer copied to clipboard

Published 20 hours ago verified publisher icon composer

update .lock file to use new repository(mirror)

Open guoard opened this issue 3 years ago • 5 comments

I want to use a mirror to install the composer package so this is my composer.json:

    ...
    ,
    "config": {
        "secure-http":false
    },
    "repositories": [
        {
          "type": "composer",
          "url": "http://localhost:8081/repository/composer-proxy/"
        },
        {
          "packagist.org": false
        }
      ]
    ...

When I run this command: composer install, the composer does not use the mirror to install packages. When I run this command: composer update the composer updates the composer.lock file first and then uses the mirror to install packages.

But I do not want to use the composer update command because it upgrades the version as I know, I just want to update the composer.lock file to use my mirror for installing the package not thing else or any extra work that changes the composer.lock file.

I tried the composer update --lock command but got this error:

Composer is operating significantly slower than normal because you do not have the PHP curl extension enabled.
Loading composer repositories with package information
Warning: Accessing localhost over http which is an insecure protocol.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires league/commonmark == 2.2.0.0, it is found league/commonmark[2.2.0] in the lock file and league/commonmark[dev-decorate-table-output, dev-dependabot/github_actions/ridedott/merge-me-action-2.9.94, dev-dependabot/github_actions/ridedott/merge-me-action-2.9.96, dev-dependabot/github_actions/ridedott/merge-me-action-2.9.98, dev-main, dev-2.2-development, 0.1.0, ..., 0.19.x-dev, 1.0.0-beta1, ..., 1.6.x-dev, 2.0.0-beta1, ..., 2.2.x-dev (alias of dev-main)] from composer repo (http://localhost:8081/repository/composer-proxy) but these do not match your constraint and are therefore not installable. Make sure you either fix the constraint or avoid updating this package to keep the one from the lock file.
  Problem 2
    - Root composer.json requires laravel/framework == 8.80.0.0 -> satisfiable by laravel/framework[v8.80.0].
    - laravel/framework v8.80.0 requires league/commonmark ^1.3|^2.0.2 -> found league/commonmark[dev-main, 1.3.0, ..., 1.6.x-dev, 2.0.2, ..., 2.2.x-dev (alias of dev-main)] but these were not loaded, likely because it conflicts with another require.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades, and removals for packages currently locked to specific versions.

then I tried this command: composer update --lock --with-all-dependencies but got the same error as before

It would be useful to have a way to update just the lock file to use a new repository for installing packages without changing dependency versions. Perhaps a composer refresh command or something similar?

guoard avatar Jan 23 '22 08:01 guoard

Well, the error message saying that league/commonmark 2.2.0 is not found in your proxy repository (while other versions are in there). so there is no way to make the lock file use the mirror URLs without changing versions of the package.

stof avatar Jan 28 '22 09:01 stof

league/commonmark 2.2.0 is not found in your proxy repository (while other versions are in there)

thanks @stof I think it's impossible because if the package is not found in the proxy repository it just asks (https://packagist.org/) and the error says likely because it conflicts with another require.

guoard avatar Jan 28 '22 12:01 guoard

@guoard no it does not ask packagist. Your proxy repository is a canonical repository (repositories are canonical by default), so any package name found in it will never be asked to packagist.org. Thus, you even disabled packagist.org entirely.

If you mean that your repository asks packagist.org server-side, then check that server-side logic. and in the meantime, run composer show -a league/commonmark to see the list of available versions of league/commonmark in your repository.

stof avatar Jan 28 '22 14:01 stof

so any package name found in it will never be asked to packagist.org

I am using nexus-repository-composer, it has settings for maximum metadata age, if the metadata is expired it will ask packagis.org for new informations

run composer show -a league/commonmark to see the list of available versions of league/commonmark in your repository.

$ composer show -a league/commonmark
Warning: Accessing localhost over http which is an insecure protocol.
name     : league/commonmark
descrip. : Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
keywords : parser, markdown, github, md, gfm, commonmark, flavored, github-flavored
versions : 2.3.x-dev, 2.2.x-dev, 2.2.1, 2.2.0, 2.1.x-dev, * 2.1.1, 2.1.0, 2.0.x-dev, 2.0.2, 2.0.1, 2.0.0, 2.0.0-rc2, 2.0.0-rc1, 2.0.0-beta3, 2.0.0-beta2, 2.0.0-beta1, 1.6.x-dev, 1.6.7, 1.6.6, 1.6.5, 1.6.4, 1.6.3, 1.6.2, 1.6.1, 1.6.0, 1.5.x-dev, 1.5.8, 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3, 1.5.2, 1.5.1, 1.5.0, 1.4.x-dev, 1.4.3, 1.4.2, 1.4.1, 1.4.0, 1.3.x-dev, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0, 1.2.x-dev, 1.2.2, 1.2.1, 1.2.0, 1.1.x-dev, 1.1.3, 1.1.2, 1.1.1, 1.1.0, 1.0.x-dev, 1.0.0, 1.0.0-rc1, 1.0.0-beta4, 1.0.0-beta3, 1.0.0-beta2, 1.0.0-beta1, 0.19.x-dev, 0.19.3, 0.19.2, 0.19.1, 0.19.0, 0.18.5, 0.18.4, 0.18.3, 0.18.2, 0.18.1, 0.18.0, 0.17.5, 0.17.4, 0.17.3, 0.17.2, 0.17.1, 0.17.0, 0.16.0, 0.15.7, 0.15.6, 0.15.5, 0.15.4, 0.15.3, 0.15.2, 0.15.1, 0.15.0, 0.14.0, 0.13.4, 0.13.3, 0.13.2, 0.13.1, 0.13.0, 0.12.0, 0.11.3, 0.11.2, 0.11.1, 0.11.0, 0.10.0, 0.9.0, 0.8.0, 0.7.2, 0.7.1, 0.7.0, 0.6.1, 0.6.0, 0.5.1, 0.5.0, 0.4.0, 0.3.0, 0.2.1, 0.2.0, 0.1.2, 0.1.1, 0.1.0, dev-2.2-development, dev-decorate-table-output, dev-dependabot/github_actions/github/super-linter-4.8.6, dev-dependabot/github_actions/github/super-linter-4.8.7, dev-dependabot/github_actions/ridedott/merge-me-action-2.9.101, dev-dependabot/github_actions/ridedott/merge-me-action-2.9.94, dev-dependabot/github_actions/ridedott/merge-me-action-2.9.96, dev-dependabot/github_actions/ridedott/merge-me-action-2.9.98, dev-dependabot/github_actions/ridedott/merge-me-action-2.9.99, dev-main
type     : library
license  : BSD 3-Clause "New" or "Revised" License (BSD-3-Clause) (OSI approved) https://spdx.org/licenses/BSD-3-Clause.html#licenseText
homepage : https://commonmark.thephpleague.com
source   : []  
dist     : [zip] http://localhost:8081/repository/composer-proxy/league/commonmark/2.1.1/league-commonmark-2.1.1.zip 17d2b9cb5161a2ea1a8dd30e6991d668e503fb9d
path     : /home/example-app/vendor/league/commonmark
names    : league/commonmark

autoload
psr-4
League\CommonMark\ => src

requires
php ^7.4 || ^8.0
ext-mbstring *
league/config ^1.1.1
psr/event-dispatcher ^1.0
symfony/polyfill-php80 ^1.15

requires (dev)
ext-json *
cebe/markdown ^1.0
commonmark/cmark 0.30.0
commonmark/commonmark.js 0.30.0
composer/package-versions-deprecated ^1.8
erusev/parsedown ^1.0
github/gfm 0.29.0
michelf/php-markdown ^1.4
phpstan/phpstan ^0.12.88 || ^1.0.0
phpunit/phpunit ^9.5.5
scrutinizer/ocular ^1.8.1
symfony/finder ^5.3
symfony/yaml ^2.3 | ^3.0 | ^4.0 | ^5.0 | ^6.0
unleashedtech/php-coding-standard ^3.1
vimeo/psalm ^4.7.3

suggests
symfony/yaml v2.3+ required if using the Front Matter extension

guoard avatar Jan 29 '22 06:01 guoard

This issue has been automatically marked Stale and will be closed in 15 days if no further activity happens.

github-actions[bot] avatar Jul 29 '22 02:07 github-actions[bot]