Regression in PSR compliance detection

Open alex-dev opened this issue 11 months ago • 5 comments

Since Composer 2.7.7, my composer.json:

{
  "type": "project",
  "license": "proprietary",
  "minimum-stability": "stable",
  "prefer-stable": true,
  "require": {
    "twilio/sdk": "^5.42"
  }
}

When I run this command: composer dump-autoload -o --strict-psr -vvv

I get the following output:

Running 2.7.9 (2024-09-04 14:43:28) with PHP 8.1.29 on Linux / 6.9.3-76060903-generic
Reading ./composer.json (/home/alex/Projects/dsfsa/composer.json)
Loading config file ./composer.json (/home/alex/Projects/dsfsa/composer.json)
Checked CA file /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/certs/ca-certificates.crt: valid
Executing command (/home/alex/Projects/dsfsa): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Failed to initialize global composer: Composer could not find the config file: /home/alex/.config/composer/composer.json

Reading ./composer.lock (/home/alex/Projects/dsfsa/composer.lock)
Reading /home/alex/Projects/dsfsa/vendor/composer/installed.json
Generating optimized autoload files
Generated optimized autoload files containing 1694 classes

And I expected this to happen: Composer should detect Twilio\TwilML\Voice\Echo_ as an invalid PSR-4 class.

alex-dev avatar Dec 12 '24 19:12 alex-dev

I don't see any Twilio\TwilML\Echo_ class in the twilio SDK. I only see Twilio\TwilML\Voice\Echo_, and it respects PSR-4.

stof avatar Dec 13 '24 08:12 stof

You are right. The class is Twilio\TwilML\Voice\Echo_. I corrected the OP. You did not check version 5.42. Twilio fixed that issue in 6.*.

alex-dev avatar Dec 13 '24 12:12 alex-dev

I've done a quick bisect and found that the change in behaviour was introduced in dc857b4f9148def53cb5c182dbb965aaac76d947. More specifically, commenting out this line (which is added in that commit) seems to get the warnings to show again.

https://github.com/composer/composer/blob/dc857b4f9148def53cb5c182dbb965aaac76d947/src/Composer/Autoload/AutoloadGenerator.php#L379-L380

From what I can tell, this change in Composer is intentional. Composer seems to be alerting the developer that there are issues in the current project's autoload configuration and is ignoring issues from other projects (i.e., those in vendor/). If I run the same dump-autoload command from within the vendor/twilio/sdk directory (after running composer install there), the warning shows as expected.

It might be that you'd like an option to also show warnings about third-party problems so that you can report these to the appropriate vendor and hope to get them fixed.

fredden avatar Jan 06 '25 15:01 fredden

Combining --strict-psr with --classmap-authoritative allows us to validate that the class map will work as expected. An option could be good. Or a documentation pass explaining that this flag only checks owned code and not dependencies.

alex-dev avatar Jan 08 '25 16:01 alex-dev

It shouldn't be your problem to fix really if there's a problem in a dependency, and often these warnings are not actual problems in reality, so it makes no sense to show them IMO. So yes, we can adjust the docs, but I don't think we should do more.

Seldaek avatar Jan 09 '25 14:01 Seldaek

Fixed by https://github.com/composer/composer/pull/12520

Seldaek avatar Sep 03 '25 07:09 Seldaek
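
As described in this thread, `--strict-psr` reports PSR-4 problems for the root project only and not for packages under vendor/. The following added example (not part of the thread and not Composer's own check) is a simplified scan that reads vendor/composer/installed.json and lists dependency classes whose file path does not match their PSR-4 name. The package acme/sdk, its files and both function names are constructed for illustration, and only the first class-like declaration in each file is checked.

```php
<?php
// Added example, not Composer's code. Requires PHP 8.1+ (T_ENUM, PHP 8 name tokens).
function declaredClass(string $source): ?string
{
    $namespace = '';
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $token) {
        $name = $tokens[$i + 2] ?? null; // token after the separating whitespace
        $spaced = is_array($token) && is_array($name) && ($tokens[$i + 1][0] ?? null) === T_WHITESPACE;
        if ($spaced && $token[0] === T_NAMESPACE) {
            $namespace = $name[1] . '\\';
        } elseif ($spaced && $name[0] === T_STRING && in_array($token[0], [T_CLASS, T_INTERFACE, T_TRAIT, T_ENUM], true)) {
            return $namespace . $name[1]; // only the first declaration is checked
        }
    }
    return null;
}

function vendorPsr4Violations(string $vendorDir): array
{
    $violations = [];
    $installed = json_decode(file_get_contents("$vendorDir/composer/installed.json"), true);
    foreach ($installed['packages'] ?? [] as $package) {
        foreach ($package['autoload']['psr-4'] ?? [] as $prefix => $dirs) {
            foreach ((array) $dirs as $dir) {
                // Composer 2 stores install-path relative to vendor/composer.
                $base = rtrim("$vendorDir/composer/{$package['install-path']}/$dir", '/');
                $files = is_dir($base) ? new RecursiveIteratorIterator(new RecursiveDirectoryIterator($base)) : [];
                foreach ($files as $file) {
                    $class = $file->getExtension() === 'php' ? declaredClass(file_get_contents($file->getPathname())) : null;
                    // PSR-4 name: prefix + path below the base directory, minus ".php".
                    $expected = $prefix . strtr(substr($file->getPathname(), strlen($base) + 1, -4), '/', '\\');
                    if ($class !== null && $class !== $expected) {
                        $violations[] = "{$package['name']}: {$file->getFilename()} declares $class, expected $expected";
                    }
                }
            }
        }
    }
    return $violations;
}

// Constructed sample: hypothetical package acme/sdk with one mismatched file.
$vendor = sys_get_temp_dir() . '/psr4-demo-' . getmypid();
mkdir("$vendor/composer", 0700, true);
mkdir("$vendor/acme/sdk/src/Voice", 0700, true);
file_put_contents("$vendor/composer/installed.json", json_encode(['packages' => [['name' => 'acme/sdk',
    'install-path' => '../acme/sdk', 'autoload' => ['psr-4' => ['Acme\\' => 'src/']]]]]));
file_put_contents("$vendor/acme/sdk/src/Voice/Echo.php", "<?php\nnamespace Acme\\Voice;\nclass Echo_ {}\n");
print_r(vendorPsr4Violations($vendor));
```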