
Update `composer.json` in order to whitelist development versions instead of setting "minimum-stability"

Open phansys opened this issue 6 years ago • 2 comments

Update composer.json in order to whitelist (with stability flags) development versions instead of setting "minimum-stability".

The problem with the current setup (using "dev" as "minimum-stability"):

  • my-project requires package-A:^2.0, which has a stable release;
  • users perform composer update;
  • package-A is resolved to its latest available 2.x (stable) version, let's say 2.7.4;
  • package-A requires package-B:^1.0, which has a stable release;
  • package-B is resolved to its latest available 1.x (stable) version, let's say 1.0.0.

Up to here, everything should be fine, since my-project knows that all the installed packages are stable. Now let's see the following:

  • in the PATCH version 2.7.5, package-A decides to change its requirement from package-B:^1.0 to package-B:2.0-dev, which is not a stable release;
  • users perform composer update;
  • package-A is resolved to its latest available 2.x (stable) version (2.7.5);
  • package-B is resolved to its latest available 2.x (unstable) version (2.0-dev).

At this point, the users who own the responsibility for my-project have silently had an unstable version of a package installed, which can potentially break some existing feature or behavior in their project. With the proposed changes, if the users want to use version 2.7.5 of package-A, they will be restricted from installing the unstable version of package-B, unless they decide, under their own risk and responsibility, to trust that package, whitelisting it until a stable release of what package-A requires is available.

phansys, Jul 26 '19 21:07
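The two root `composer.json` shapes contrasted above, as an added example that is not part of the original issue or of the drupal-project repository. The package names `vendor/package-a` and `vendor/package-b` are hypothetical placeholders for the issue's package-A and package-B (Composer requires the `vendor/name` form), and the version numbers are the ones used in the scenario. The first fragment is the "dev" minimum-stability setup the issue objects to; the second is the proposed setup, where the root package keeps the default "stable" minimum and whitelists the one dev dependency with an explicit `@dev` stability flag:

```json
{
  "//": "Setup the issue describes: any dev version reachable through the dependency graph is allowed. With package-A 2.7.5 requiring package-B 2.0-dev, package-B 2.0-dev is pulled in without any change to this file.",
  "name": "example/my-project",
  "minimum-stability": "dev",
  "prefer-stable": true,
  "require": {
    "vendor/package-a": "^2.0"
  }
}
```

```json
{
  "//": "Proposed setup: the default minimum stability (stable) applies to every package, so the update to package-A 2.7.5 fails to resolve instead of silently installing package-B 2.0-dev.",
  "//2": "Only the root package can set stability flags, and a flag only applies to a package listed directly in the root require, so package-B has to be named here to opt in. Remove the line again once a stable 2.x of package-B exists.",
  "name": "example/my-project",
  "prefer-stable": true,
  "require": {
    "vendor/package-a": "^2.0",
    "vendor/package-b": "2.0.*@dev"
  }
}
```

The `"//"` keys are comments, which Composer ignores by convention. With the second file, `composer update` without the `vendor/package-b` line stops with a resolution error naming the dev-only requirement, which is the point of the change: the person maintaining the project sees the unstable dependency and decides, rather than discovering it later. After whitelisting, `composer why vendor/package-b` (alias of `composer depends`) shows which package pulled it in, and `composer show vendor/package-b` confirms the installed version is the dev branch that was consciously allowed.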

For those who felt confused about the motivation for these changes, I've added a more detailed example trying to explain how composer works and what my concerns are.

Thank you in advance for your feedback.

phansys, Aug 15 '19 14:08

IMHO, #512 is a good example of what happens when a package trusts an unstable dependency, and it gets even worse when that dependency is allowed blindly, like in this case.

phansys, Sep 06 '19 10:09