[Bug] Renovate does not update composer deps in monorepo

[florianbepunkt]

How are you running Renovate?

• [x] WhiteSource Renovate hosted app on github.com
• [ ] Self hosted

If using the hosted app, please skip to the next section. Otherwise, if self-hosted, please complete the following:

Please select which platform you are using:

• [ ] Azure DevOps (dev.azure.com)
• [ ] Azure DevOps Server
• [ ] Bitbucket Cloud (bitbucket.org)
• [ ] Bitbucket Server
• [ ] Gitea
• [x] github.com
• [ ] GitHub Enterprise Server
• [ ] gitlab.com
• [ ] GitLab self-hosted

Renovate version: I don't see the version in commits/prs raised by renovate bot

Describe the bug I have a monorepo containing a wordpress bedrock installation. Bedrock uses composer for handling wordpress core and plugin updates.

I have a package.json with some JS tooling at the root level as well as some package.jsons in plugins and my theme.

Renovate does update all the JS stuff, but it does not touch my composer.json

I beliebe this is due to the way I have to install advanced-custom-fields-pro(a paid plugin). At least when I look at the logs (see section below) it stops at this plugin with a 404. The strange part is, it look like renovate is using packagist.org as a repo, but according to my composer json, this should not be the case.

Relevant parts of my composer.json

{
  "name": "websites",
  "type": "project",
  "description": "....",
  "repositories": [
    {
      "type": "composer",
      "url": "https://wpackagist.org",
      "only": [
        "wpackagist-plugin/*",
        "wpackagist-theme/*"
      ]
    },
    {
      "type": "composer",
      "url": "https://wp-languages.github.io"
    },
    {
      "type": "package",
      "package": {
        "name": "advanced-custom-fields/advanced-custom-fields-pro",
        "version": "5.9.5",
        "type": "wordpress-plugin",
        "dist": {
          "type": "zip",
          "url": "https://connect.advancedcustomfields.com/index.php?a=download&p=pro&k=LICENSE_KEY=&t={%version}"
        },
        "require": {
          "ffraenz/private-composer-installer": "^5.0"
        }
      }
    }
  ],
  "require": {
    "roots/wordpress": "5.7.2",
    "advanced-custom-fields/advanced-custom-fields-pro": "^5.9.0",
    "wpackagist-plugin/regenerate-thumbnails": "3.1.5"
  },
}

...

Relevant debug logs

Click me to see logs

INFO: Dependency extraction complete
{
  "baseBranch": "main",
  "stats": {
    "managers": {
      "composer": {
        "fileCount": 4,
        "depCount": 39
      },
      "docker-compose": {
        "fileCount": 1,
        "depCount": 4
      },
      "github-actions": {
        "fileCount": 6,
        "depCount": 43
      },
      "npm": {
        "fileCount": 4,
        "depCount": 87
      }
    },
    "total": {
      "fileCount": 15,
      "depCount": 173
    }
  }
}
DEBUG: getLabels(https://index.docker.io, library/mysql, latest)
DEBUG: Found deprecationMessage (babel-eslint)(dependency="babel-eslint")
DEBUG: Found deprecationMessage (eslint-loader)(dependency="eslint-loader")
DEBUG: Datasource 404
{
  "datasource": "packagist",
  "lookupName": "advanced-custom-fields/advanced-custom-fields-pro",
  "url": "https://packagist.org/p/advanced-custom-fields/advanced-custom-fields-pro.json"
}
DEBUG: Failed to look up dependency advanced-custom-fields/advanced-custom-fields-pro (advanced-custom-fields/advanced-custom-fields-pro)(packageFile="src/composer.json", dependency="advanced-custom-fields/advanced-custom-fields-pro")

Have you created a minimal reproduction repository?

Please read the minimal reproductions documentation to learn how to make a good minimal reproduction repository.

• [x] I have provided a minimal reproduction repository
• [ ] I don't have time for that, but it happens in a public repository I have linked to
• [ ] I don't have time for that, and cannot share my private repository
• [X] The nature of this bug means it's impossible to reproduce publicly

Additional context

...

[github-actions[bot]]

Hi there,

Help us by making a minimal reproduction repository.

Before we can start work on your issue we first need to know exactly what's causing the current behavior. A minimal reproduction helps us with this.

To get started, please read our guide on creating a minimal reproduction to understand what is needed.

We may close the issue if you (or someone else) have not provided a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment.

Good luck,

The Renovate team

[florianbepunkt]

@rarkins It is not possible to create a production repo, as this would mean publicly disclosing the license key.

[rarkins]

It sounds like the license key does not need to be valid in order to reproduce the problem

[florianbepunkt]

https://github.com/florianbepunkt/renovate-10855-repro

[github-actions[bot]]

Thank you for providing a reproduction! :tada: :rocket:

The Renovate team will take a look at the reproduction repository.

[rimas-kudelis]

Is anyone working on this or maybe there is a workaround? We have two entries under repositories in composer.json, which correspond to two paid/private packages we are using. I've added hostRules with auth details in renovate.json, and even though Renovate appears to see both the repository entries and the auth info, it never queries these repositories for anything, and only logs a failed attempt to get the two relevant JSON files from packagist.org. Subsequently, no pull requests are created in the affected repo.

[szeidler]

I can confirm the problem. I have the following Composer repository definition:

    "repositories": [
        {
            "type": "composer",
            "url": "https://repo.packagist.com/[REDACTED]/"
        },
        {
            "packagist.org": false
        }
    ],

Instead of loading the packages.json from the specified composer repository it tries to do it from packagist.org.