Just pushed a package to packagist:
composer require rokfor/rokfor-slim:dev-master
It's returning the error
Your requirements could not be resolved to an installable set of packages.
  Problem 1
    - Installation request for rokfor/rokfor-slim dev-master -> satisfiable by rokfor/rokfor-slim[dev-master].
    - rokfor/rokfor-slim dev-master requires jlndk/slim-jade ^1.0 -> no matching package found.
If I'm checking out like
$ git clone https://github.com/rokfor/rokfor-slim
$ cd rokfor-slim
$ composer install
Everything installs just fine.
I think I'm missing something crucial here. Is it not allowed to push a package to packagist with a source from a vcs repository?
The composer.json looks like:
{
    "name": "rokfor/rokfor-slim",
    "description": "Rokfor CMS: Headless CMS with JSON api",
    "keywords": ["rokfor", "slim","framework","view","template","jade"],
    "homepage": "http://cloud.rokfor.ch",
    "license": "MIT",
    "type": "project",
    "time": "2016-02-28",
    "authors": [
        {
            "name": "Rokfor",
            "homepage": "http://www.rokfor.ch"
        }
    ],
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/urshofer/slim-jade"
        },
        {
            "type": "vcs",
            "url": "https://github.com/Rokfor/rokfor-php-db"
        },
        {
            "type": "vcs",
            "url": "https://github.com/urshofer/slim-auth"
        }
    ],
    "require": {
        "php": ">=5.5.0",
        "slim/slim": "~3.0",
        "jlndk/slim-jade": "^1.0",
        "rokfor/db": "dev-versioning",
        "monolog/monolog": "^1.17",
        "slim/csrf": "^0.6.0",
        "jeremykendall/slim-auth": "dev-slim-3.x",
        "slim/flash": "^0.1.0",
        "akrabat/rka-ip-address-middleware": "^0.4.0",
        "palanik/corsslim": "dev-slim3",
        "erusev/parsedown": "^1.6",
        "predis/predis": "^1.0",
        "lcobucci/jwt": "^3.1",
        "ext-gd": "*"
    },
    "require-dev": {
        "phpunit/phpunit": "*"
    },
    "minimum-stability": "dev",
    "prefer-stable": true
}
In a library, you cannot reference anything other than libraries that are available on packagist.org. Or you instruct your users to reference an additional source for package information.
Adding vcs and package repositories is only allowed for the root composer.json, which you cannot influence as a library other than instructing your users to do additional things beyond composer require your/lib. Which is kind of annoying, and also may be subject to security considerations, because this will not only open the door for your individual library, but for ANY library as well.
And as you did with "jlndk/slim-jade" (which the original author published from his repository as 0.0.1, and another author re-published it without adding it to packagist or changing the lib's name, adding the version tag 1.0), any additional source of package information can potentially add more package information, i.e. add a newer, malicious version of e.g. a symfony package.
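The risk described in this answer can be checked mechanically. The following is an added example, not code from the original posts: it lists extra repositories in a root composer.json that carry no "only" allow-list (a Composer 2 repository option) and reports which locked packages were actually resolved from those repositories. The sample data, the locked versions and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed root composer.json fragment, modelled on the question's file.
# The "only" filter on the second entry is a Composer 2 repository option.
ROOT = json.loads("""
{"repositories": [
  {"type": "vcs", "url": "https://github.com/urshofer/slim-jade"},
  {"type": "vcs", "url": "https://github.com/Rokfor/rokfor-php-db",
   "only": ["rokfor/db"]}
]}
""")

# Constructed composer.lock excerpt (versions invented, fields abridged).
LOCK = json.loads("""
{"packages": [
  {"name": "jlndk/slim-jade", "version": "1.0.0",
   "source": {"type": "git", "url": "https://github.com/urshofer/slim-jade.git"}},
  {"name": "slim/slim", "version": "3.12.3",
   "source": {"type": "git", "url": "https://github.com/slimphp/Slim.git"}}
]}
""")

def norm(url):
    """Reduce a repository URL to lower-case host/path without a .git suffix."""
    parts = urlparse(url)
    path = parts.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return (parts.netloc + path).lower()

def unfiltered_repos(root):
    """Extra repositories with no "only" allow-list: they may serve any package name."""
    return [r["url"] for r in root.get("repositories", [])
            if "url" in r and not r.get("only")]

def packages_from_extra_repos(root, lock):
    """Locked packages whose source URL is one of the root's extra repositories."""
    extra = {norm(r["url"]) for r in root.get("repositories", []) if "url" in r}
    locked = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    return [(p["name"], p["version"], p["source"]["url"]) for p in locked
            if norm(p.get("source", {}).get("url", "")) in extra]

if __name__ == "__main__":
    print("repositories without an allow-list:", unfiltered_repos(ROOT))
    for name, version, url in packages_from_extra_repos(ROOT, LOCK):
        print(f"{name} {version} resolved from {url}")
```

A package whose vendor name differs from the owner of the repository it was resolved from, as with jlndk/slim-jade here, is the case worth reviewing by hand.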
I'm making a laravel composer package
The composer.json of the package looks like this
{
    "name": "mycomp/livesearch",
    "description": "Livewire livesearch package",
    "type": "library",
    "require": {
        "livewire/livewire": "dev-master"
    },
    "license": "MIT",
    "autoload": {
        "psr-4": {
            "mycomp\\Livesearch\\": "src/"
        }
    },
    "authors": [
        {
            "name": "parallax",
            "email": "parallax4#gmail.com"
        }
    ],
    "minimum-stability": "dev",
    "prefer-stable": true
}
I've added it locally by adding this to my root composer.json
"repositories": [
    {
        "type": "path",
        "url": "packages/mycomp/*"
    }
]
But when I try to install the package using composer require mycomp/livesearch I get:
Could not find a version of package mycomp/livesearch matching your minimum-stability (stable). Require it with an explicit version constraint allowing its desired stability.
Fixed it.
Just had to add
"version": "1.0.0"
To my package's composer.json
Although, from what I've learnt this is a bad idea, and it's best to do version control with a VCS like Git. But for now, before I release the package and put it on github, this would suffice.
I am trying to install the asana library through the composer.
Json:
"asana/asana": "^0.10.0" added to composer.json and
{
    "name": "asana/asana",
    "description": "A PHP client for the Asana API",
    "type": "library",
    "keywords": ["asana", "client"],
    "homepage": "https://github.com/Asana/php-asana",
    "license": "MIT",
    "require": {
        "php": ">=5.4.0",
        "nategood/httpful": "~0.2",
        "adoy/oauth2": "^1.2.0"
    },
    "require-dev": {
        "instaclick/php-code-sniffer": "dev-master",
        "phpunit/phpunit": "^9"
    },
    "autoload": {
        "psr-0": {
            "Asana\\": "src/"
        }
    }
}
to composer.lock but getting error 'Package Asana/asana has no version defined.'
As suggested by @Jeto, you should not edit composer.lock manually. To install the library, you can follow the steps mentioned in the official docs here.
Assuming that you are doing a fresh install, follow steps below:
Put "asana/asana" package as a dependency in your composer.json file:
{
    "require": {
        "asana/asana": "^0.10.0"
    }
}
Now run the command composer install
The composer.lock file will be automatically updated by Composer when installation succeeds.
EDIT:
OR
As mentioned by @Jeto in the comments, you can simply do this using a single command: composer require asana/asana:^0.10.0
I created a package and here is its composer.json:
{
    "name": "faustuzas/theme-downloader",
    "description": "Easy to use bootstrap theme downloader",
    "type": "command",
    "require": {
        "php": ">=5.6.0",
        "guzzlehttp/guzzle": "^6.3"
    },
    "license": "MIT",
    "authors": [
        {
            "name": "Faustas Butkus",
            "email": "faustas.butkus#gmail.com"
        }
    ],
    "minimum-stability": "stable"
}
but when I try to require it via composer:
composer require faustuzas/theme-downloader
I get this error:
Where is the problem?
There's no need to use "minimum-stability": "stable" because it's set to 'stable' by default. You have one branch and no tags, so packagist shows your package as dev-master, which isn't stable. Try to create a new branch, e.g. 1.x, and add a tag, e.g. 1.0.0, then composer require again.
Here is my composer.json:
{
    "name": "zendframework/skeleton-application",
    "description": "Skeleton Application for ZF2",
    "license": "BSD-3-Clause",
    "keywords": [
        "framework",
        "zf2"
    ],
    "homepage": "http://framework.zend.com/",
    "require": {
        "php": ">=5.5",
        "zendframework/zendframework": "~2.5",
        "facebook/php-sdk-v4" : "~5.0",
        "kbariotis/feedly-api": "dev-master"
    }
}
I want to run composer update but I don't want to update ZF2, just other dependencies.
If you want only a specific version to be installed, see the documentation for exact. If you specify the exact version you require, it cannot attempt to upgrade your version of the package, which "~2.5" suggests to composer is what you want to happen.
So you could use for example
"require": {
    "php": ">=5.5",
    "zendframework/zendframework": "2.5.3",
    "facebook/php-sdk-v4" : "~5.0",
    "kbariotis/feedly-api": "dev-master"
}
See the documentation for EXACT
With this you can run composer update and it should not attempt to upgrade the ZF Framework
You need to run
composer update facebook/php-sdk-v4 kbariotis/feedly-api
instead.
I've inherited a project that was built with PHP 5.3.x, Symfony2, and Composer for dependency management.
The composer.json file has lots of lines like this: "vendorname/library" : "dev-master" for the version of the libraries in use. It was last edited in August of 2012, and clearly worked then since the composer.lock file exists and the project is running on a server at our host.
Thankfully with 1 small tweak to composer.lock, I got composer install to work, but what I'm trying to do now is fix some failures I'm getting when running composer update. There are plenty of posts online about composer dependency hell - and I'm in a leaky boat on the river styx headed there pulling my hair out.
In short, a couple years back when composer.lock was created, the project worked with the then-current versions of "dev" of dozens of included vendor libraries, but now that I am trying to clean up the mess, I'd like to put proper versions into composer.json and try to update things from a known state.
How do I discover what versions actually get installed by composer install? Or what keys/values in the composer.lock file tell you this?
I have plenty of github commit hashes in the composer.lock file but it's not clear given an arbitrary commit hash what the closest tagged version would be to replace that respective line in composer.json with.
Here's an example line from composer.json:
"doctrine/doctrine-bundle" : "dev-master",
and here is the corresponding node in composer.lock for that module:
{
    "name": "doctrine/doctrine-bundle",
    "version": "dev-master",
    "target-dir": "Doctrine/Bundle/DoctrineBundle",
    "source": {
        "type": "git",
        "url": "http://github.com/doctrine/DoctrineBundle.git",
        "reference": "d3c930599723c8343472a5791b0f5909a4111a73"
    },
    "dist": {
        "type": "zip",
        "url": "https://github.com/doctrine/DoctrineBundle/zipball/d3c930599723c8343472a5791b0f5909a4111a73",
        "reference": "d3c930599723c8343472a5791b0f5909a4111a73",
        "shasum": ""
    },
    "require": {
        "doctrine/dbal": ">=2.2,<2.4-dev",
        "php": ">=5.3.2",
        "symfony/doctrine-bridge": "2.1.*",
        "symfony/framework-bundle": "2.1.*"
    },
    "require-dev": {
        "doctrine/orm": ">=2.2,<2.4-dev",
        "symfony/validator": "2.1.*",
        "symfony/yaml": "2.1.*"
    },
    "suggest": {
        "doctrine/orm": "The Doctrine ORM integration is optional in the bundle."
    },
    "type": "symfony-bundle",
    "extra": {
        "branch-alias": {
            "dev-master": "1.0.x-dev"
        }
    },
    "autoload": {
        "psr-0": {
            "Doctrine\\Bundle\\DoctrineBundle": ""
        }
    },
    "license": [
        "MIT"
    ],
    "authors": [
        {
            "name": "Fabien Potencier",
            "email": "fabien#symfony.com"
        },
        {
            "name": "Benjamin Eberlei",
            "email": "kontakt#beberlei.de"
        },
        {
            "name": "Symfony Community",
            "homepage": "http://symfony.com/contributors"
        }
    ],
    "description": "Symfony DoctrineBundle",
    "homepage": "http://www.doctrine-project.org",
    "keywords": [
        "DBAL",
        "Database",
        "ORM",
        "Persistence"
    ],
    "support": {
        "source": "https://github.com/doctrine/DoctrineBundle/tree/master",
        "issues": "https://github.com/doctrine/DoctrineBundle/issues"
    },
    "time": "2012-09-10 15:12:44"
}
I am guessing that composer installs the dist->url or source->url from composer.lock, but I have several dozen modules to go through and wondering how to find the closest (by date) tag for each referenced library to create a sane composer.json file to move forward with updating our code.
First you need to find out which packages are dependent on a dev-master version.
composer show -i
This will list all your packages along with the version installed. Something like this:
symfony/http-foundation dev-master 1234abc
symfony/http-kernel v2.5.7
You will see some of the packages are listed as having the version dev-master <commit>. Take note of the names of these packages.
Now you can make it a bit easier on yourself by installing the source code for the packages in your vendor directory.
composer install --prefer-source
Now for each package you noted above, cd into the package directory and find the latest tag.
cd vendor/symfony/http-foundation
git describe # Shows the latest tag
Now you can use that tag to determine which version you want to install. For example if git describe returned v2.2.3, you could change the version number in your composer.json to 2.2.*.
"symfony/http-foundation": "2.2.*"
This part could be tricky if the latest tag is "far away" from the installed commit. If you run into too many problems, you can always install an exact commit hash by putting dev-master#<commit> into your version requirement.
"symfony/http-foundation": "dev-master#1234abc"
Thanks to the other answers I started digging and found that you can get useful information with:
composer show -t
It will produce a dependency tree, and next to every package there will be version.
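The question above asks which keys in composer.lock record what was really installed. The following is an added example, not code from the original posts: it reads a lock file, picks out every package locked to a branch rather than a tag, and reports the commit in source.reference, the branch-alias and the lock time, together with the version#commit constraint form mentioned in the first answer. The first sample entry reuses the values quoted in the question; the second entry and the function names are constructed.

```python
import json

# Constructed composer.lock excerpt: the first entry reuses the fields quoted in
# the question; the second entry is invented to show a tagged release.
LOCK = json.loads("""
{"packages": [
  {"name": "doctrine/doctrine-bundle", "version": "dev-master",
   "source": {"type": "git",
              "url": "http://github.com/doctrine/DoctrineBundle.git",
              "reference": "d3c930599723c8343472a5791b0f5909a4111a73"},
   "extra": {"branch-alias": {"dev-master": "1.0.x-dev"}},
   "time": "2012-09-10 15:12:44"},
  {"name": "example/tagged-lib", "version": "v2.5.7",
   "source": {"type": "git", "url": "https://example.invalid/tagged-lib.git",
              "reference": "0000000000000000000000000000000000000000"}}
]}
""")

def is_dev(version):
    """Branch versions look like dev-<branch> or <n>.x-dev in composer.lock."""
    return version.startswith("dev-") or version.endswith("-dev")

def dev_pins(lock):
    """Report the commit actually locked for every branch-based package."""
    rows = []
    locked = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in locked:
        version = pkg["version"]
        if not is_dev(version):
            continue
        ref = (pkg.get("source") or {}).get("reference") \
            or (pkg.get("dist") or {}).get("reference")
        alias = (pkg.get("extra") or {}).get("branch-alias", {}).get(version)
        rows.append({
            "name": pkg["name"],
            "commit": ref,
            "alias": alias,           # release line the branch stood for
            "locked_at": pkg.get("time"),
            # version#commit form from the answer above; None if no reference
            "pin": f"{version}#{ref}" if ref else None,
        })
    return rows

if __name__ == "__main__":
    for row in dev_pins(LOCK):
        print(row)
```

The alias and lock time narrow down which tag to look for; the pin reproduces the exact locked commit while proper version constraints are worked out.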