Drop support for PHP Composer v1

Open jeffwidman opened this issue 3 years ago • 11 comments

Today we support both Composer v1 and v2.

However, Composer v1 is deprecated as of Feb 25, 2021.

At some point we'll stop supporting it here in dependabot-core as well. It's not urgent, as it's currently working fine and generally not a huge amount of overhead to maintain. But over time we plan to make bits of dependabot-core more modular by ecosystem, and doing that will be easier if we only have one version of composer to support.

So this is a placeholder ticket to track any discussions around timing, things that we'll need to update/remove, etc.

If you're a user of Dependabot who is still on Composer v1 and you cannot upgrade to Composer v2 for some reason, please chime in here explaining your use case.

jeffwidman avatar Dec 09 '22 22:12 jeffwidman

@stof @Seldaek IIUC you two have back-end access to Packagist... do you have any metrics on current Composer v1 vs v2 usage rates? It'd be very helpful to see https://packagist.org/php-statistics but for composer versions as we gauge the timing of when to drop support for composer v1.

jeffwidman avatar Dec 09 '22 22:12 jeffwidman

@jeffwidman we are currently at 77% of installs (can be passive/ci/..) and 86% of updates (more active) done with composer v2, so v1 is well on its way out.

Seldaek avatar Dec 12 '22 09:12 Seldaek

@jeffwidman out of curiosity, do you have any stats about the ratio of dependabot updates being done using v1 vs v2 (for the GitHub-managed dependabot service)?

stof avatar Dec 12 '22 10:12 stof

Sorry for the delay here @Seldaek @stof, we didn't have this instrumented until a few weeks ago:

  • #7323

The most useful way of measuring this is by looking at the percentage of job configs that result in composer 1 vs 2. Looking at total job percentages isn't as useful because some jobs are configured to run daily, vs others monthly, so some could have 30x the impact.

As of this morning, 92.2% of job configs result in composer 2, so only 7.8% result in composer 1.

This is lower than I expected, so I suspect that we'll drop composer 1 in the not too distant future:

  • #7643

jeffwidman avatar Jul 31 '23 16:07 jeffwidman

tagging @jonjanego as fyi

abdulapopoola avatar May 16 '24 05:05 abdulapopoola

Support for composer v1 in packagist.org has an official end date. https://blog.packagist.com/shutting-down-packagist-org-support-for-composer-1-x/

stefangr avatar Sep 09 '24 06:09 stefangr

> Support for composer v1 in packagist.org has an official end date. https://blog.packagist.com/shutting-down-packagist-org-support-for-composer-1-x/

Thanks @stefangr! Yes, we should be looking at deprecating this soon too from our end.

abdulapopoola avatar Sep 10 '24 15:09 abdulapopoola

Hi @Seldaek - do you have any concerns about us dropping support for Composer v1 on the Dependabot side? Dependabot updates for Composer v1 are in low single-digits on the GitHub side, and ceasing support would help us simplify our code base and reduce support issues. I see that this conversation began nearly two years ago, but it looks like it is probably finally time to put it to bed.

Thanks, please lmk if you have any concerns, and if not, we'll make a deprecation plan.

jonjanego avatar Sep 10 '24 19:09 jonjanego

We're ready as well, and IMO it's really about time people moved on. So no big concerns for my part, but it is a business decision you have to make on your end.

Seldaek avatar Sep 11 '24 07:09 Seldaek

> We're ready as well, and IMO it's really about time people moved on. So no big concerns for my part, but it is a business decision you have to make on your end.

Thanks for the validation!

jonjanego avatar Sep 11 '24 14:09 jonjanego

Hello watchers -- we are planning to drop support for composer v1 in early November. Here's a discussion I posted with more details.

jonjanego avatar Oct 09 '24 15:10 jonjanego