I've inherited a project that was built with PHP 5.3.x, Symfony2, and Composer for dependency management.
The composer.json file has lots of lines like this: "vendorname/library" : "dev-master" for the version of the libraries in use. It was last edited in August of 2012, and clearly worked then since the composer.lock file exists and the project is running on a server at our host.
Thankfully with 1 small tweak to composer.lock, I got composer install to work, but what I'm trying to do now is fix some failures I'm getting when running composer update. There are plenty of posts online about composer dependency hell - and I'm in a leaky boat on the River Styx headed there, pulling my hair out.
In short, a couple years back when composer.lock was created, the project worked with the then-current versions of "dev" of dozens of included vendor libraries, but now that I am trying to clean up the mess, I'd like to put proper versions into composer.json and try to update things from a known state.
How do I discover what versions actually get installed by composer install? Or what keys/values in the composer.lock file tell you this?
I have plenty of github commit hashes in the composer.lock file but it's not clear given an arbitrary commit hash what the closest tagged version would be to replace that respective line in composer.json with.
Here's an example line from composer.json:
"doctrine/doctrine-bundle" : "dev-master",
and here is the corresponding node in composer.lock for that module:
{
"name": "doctrine/doctrine-bundle",
"version": "dev-master",
"target-dir": "Doctrine/Bundle/DoctrineBundle",
"source": {
"type": "git",
"url": "http://github.com/doctrine/DoctrineBundle.git",
"reference": "d3c930599723c8343472a5791b0f5909a4111a73"
},
"dist": {
"type": "zip",
"url": "https://github.com/doctrine/DoctrineBundle/zipball/d3c930599723c8343472a5791b0f5909a4111a73",
"reference": "d3c930599723c8343472a5791b0f5909a4111a73",
"shasum": ""
},
"require": {
"doctrine/dbal": ">=2.2,<2.4-dev",
"php": ">=5.3.2",
"symfony/doctrine-bridge": "2.1.*",
"symfony/framework-bundle": "2.1.*"
},
"require-dev": {
"doctrine/orm": ">=2.2,<2.4-dev",
"symfony/validator": "2.1.*",
"symfony/yaml": "2.1.*"
},
"suggest": {
"doctrine/orm": "The Doctrine ORM integration is optional in the bundle."
},
"type": "symfony-bundle",
"extra": {
"branch-alias": {
"dev-master": "1.0.x-dev"
}
},
"autoload": {
"psr-0": {
"Doctrine\\Bundle\\DoctrineBundle": ""
}
},
"license": [
"MIT"
],
"authors": [
{
"name": "Fabien Potencier",
"email": "fabien@symfony.com"
},
{
"name": "Benjamin Eberlei",
"email": "kontakt@beberlei.de"
},
{
"name": "Symfony Community",
"homepage": "http://symfony.com/contributors"
}
],
"description": "Symfony DoctrineBundle",
"homepage": "http://www.doctrine-project.org",
"keywords": [
"DBAL",
"Database",
"ORM",
"Persistence"
],
"support": {
"source": "https://github.com/doctrine/DoctrineBundle/tree/master",
"issues": "https://github.com/doctrine/DoctrineBundle/issues"
},
"time": "2012-09-10 15:12:44"
}
I am guessing that composer installs the dist->url or source->url from composer.lock, but I have several dozen modules to go through and wondering how to find the closest (by date) tag for each referenced library to create a sane composer.json file to move forward with updating our code.
First you need to find out which packages are dependent on a dev-master version.
composer show -i
This will list all your packages along with the version installed. Something like this:
symfony/http-foundation dev-master 1234abc
symfony/http-kernel v2.5.7
You will see some of the packages are listed as having the version dev-master <commit>. Take note of the names of these packages.
Now you can make it a bit easier on yourself by installing the source code for the packages in your vendor directory.
composer install --prefer-source
Now for each package you noted above, cd into the package directory and find the latest tag.
cd vendor/symfony/http-foundation
git describe # Shows the latest tag
Now you can use that tag to determine which version you want to install. For example if git describe returned v2.2.3, you could change the version number in your composer.json to 2.2.*.
"symfony/http-foundation": "2.2.*"
This part could be tricky if the latest tag is "far away" from the installed commit. If you run into too many problems, you can always install an exact commit hash by putting dev-master#<commit> into your version requirement.
"symfony/http-foundation": "dev-master#1234abc"
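The fallback described above, pinning each branch-tracking package to the commit recorded in composer.lock, can be generated for every package at once. This is an added example, not code from the original answer; the function names, the record layout and the second sample package are assumptions, and the sample lock is constructed (its first entry reuses values from the question's excerpt).

```python
import json

# Constructed sample lock: the first entry reuses values from the question's
# excerpt; the second is a hypothetical tagged package for contrast.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "doctrine/doctrine-bundle", "version": "dev-master",
         "source": {"type": "git",
                    "url": "http://github.com/doctrine/DoctrineBundle.git",
                    "reference": "d3c930599723c8343472a5791b0f5909a4111a73"},
         "extra": {"branch-alias": {"dev-master": "1.0.x-dev"}},
         "time": "2012-09-10 15:12:44"},
        {"name": "example/tagged-lib", "version": "v2.1.3",
         "source": {"type": "git", "url": "https://example.invalid/lib.git",
                    "reference": "0" * 40},
         "time": "2012-08-01 10:00:00"},
    ],
    "packages-dev": None,  # older lock files store null here
})


def is_branch_version(version):
    """Branch-tracking versions look like dev-<branch> or <n>.x-dev."""
    return version.startswith("dev-") or version.endswith("-dev")


def pin_branch_packages(lock_text):
    """Return one record per branch-tracking package, pinned to its locked commit."""
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    pins = []
    for pkg in entries:
        version = pkg["version"]
        if not is_branch_version(version):
            continue  # tagged release: the lock already names the version
        source = pkg.get("source") or {}
        ref = source.get("reference")
        extra = pkg.get("extra") or {}  # PHP may serialize an empty map as []
        pins.append({
            "name": pkg["name"],
            # Same form as the answer's "dev-master#<commit>" requirement
            "constraint": "%s#%s" % (version, ref) if ref else version,
            "alias": (extra.get("branch-alias") or {}).get(version),
            "locked_at": pkg.get("time"),
            # Plain-http clone URLs are worth moving to https while editing
            "plain_http": source.get("url", "").startswith("http://"),
        })
    return pins


if __name__ == "__main__":
    for pin in pin_branch_packages(SAMPLE_LOCK):
        print('"%(name)s": "%(constraint)s"  (alias %(alias)s, locked %(locked_at)s)' % pin)
```

The alias and lock time give a starting point when looking for the nearest tag with git describe in the package's checkout.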
Thanks to the other answers, I started digging and found that you can get useful information with:
composer show -t
It will produce a dependency tree, and next to every package there will be a version.
Just pushed a package to packagist:
composer require rokfor/rokfor-slim:dev-master
It's returning the error
Your requirements could not be resolved to an installable set of packages.
Problem 1
- Installation request for rokfor/rokfor-slim
dev-master -> satisfiable by rokfor/rokfor-slim[dev-master].
- rokfor/rokfor-slim dev-master requires
jlndk/slim-jade ^1.0 -> no matching package found.
If I'm checking out like
$ git clone https://github.com/rokfor/rokfor-slim
$ cd rokfor-slim
$ composer install
Everything installs just fine.
I think I'm missing something crucial here. Is it not allowed to push a package to packagist with a source from a vcs repository?
The composer.json looks like:
{
"name": "rokfor/rokfor-slim",
"description": "Rokfor CMS: Headless CMS with JSON api",
"keywords": ["rokfor", "slim","framework","view","template","jade"],
"homepage": "http://cloud.rokfor.ch",
"license": "MIT",
"type": "project",
"time": "2016-02-28",
"authors": [
{
"name": "Rokfor",
"homepage": "http://www.rokfor.ch"
}
],
"repositories": [
{
"type": "vcs",
"url": "https://github.com/urshofer/slim-jade"
},
{
"type": "vcs",
"url": "https://github.com/Rokfor/rokfor-php-db"
},
{
"type": "vcs",
"url": "https://github.com/urshofer/slim-auth"
}
],
"require": {
"php": ">=5.5.0",
"slim/slim": "~3.0",
"jlndk/slim-jade": "^1.0",
"rokfor/db": "dev-versioning",
"monolog/monolog": "^1.17",
"slim/csrf": "^0.6.0",
"jeremykendall/slim-auth": "dev-slim-3.x",
"slim/flash": "^0.1.0",
"akrabat/rka-ip-address-middleware": "^0.4.0",
"palanik/corsslim": "dev-slim3",
"erusev/parsedown": "^1.6",
"predis/predis": "^1.0",
"lcobucci/jwt": "^3.1",
"ext-gd": "*"
},
"require-dev": {
"phpunit/phpunit": "*"
},
"minimum-stability": "dev",
"prefer-stable": true
}
In a library, you cannot reference anything other than libraries that are available on packagist.org. Or you instruct your users to reference an additional source for package information.
Adding vcs and package repositories is only allowed for the root composer.json, which you cannot influence as a library other than instructing your users to do additional things beyond composer require your/lib. Which is kind of annoying, and also may be subject to security considerations, because this will not only open the door for your individual library, but for ANY library as well.
And as you did with "jlndk/slim-jade" (which the original author published from his repository as 0.0.1, and another author re-published it without adding it to packagist or changing the lib's name, adding the version tag 1.0), any additional source of package information can potentially add more package information, i.e. add a newer, malicious version of e.g. a symfony package.
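The situation described above, where a package name is served from a repository that its vendor does not own, can be listed from the root composer.json and the lock file. This is an added example, not part of the original answer; the function names are assumptions and the lock entries are constructed, since the page shows no composer.lock for this project. A mismatch is a prompt for review, not proof of anything malicious.

```python
from urllib.parse import urlparse

# The "repositories" block from the question's composer.json.
ROOT_REPOSITORIES = [
    {"type": "vcs", "url": "https://github.com/urshofer/slim-jade"},
    {"type": "vcs", "url": "https://github.com/Rokfor/rokfor-php-db"},
    {"type": "vcs", "url": "https://github.com/urshofer/slim-auth"},
]

# Constructed lock entries (hypothetical; not taken from a real composer.lock).
LOCKED_PACKAGES = [
    {"name": "jlndk/slim-jade",
     "source": {"url": "https://github.com/urshofer/slim-jade.git"}},
    {"name": "rokfor/db",
     "source": {"url": "https://github.com/Rokfor/rokfor-php-db.git"}},
    {"name": "jeremykendall/slim-auth",
     "source": {"url": "https://github.com/urshofer/slim-auth.git"}},
    {"name": "slim/slim",
     "source": {"url": "https://github.com/slimphp/Slim.git"}},
]


def normalize(url):
    """Lower-case a repository URL and drop a trailing slash or .git suffix."""
    url = url.lower().rstrip("/")
    return url[:-4] if url.endswith(".git") else url


def owner_of(url):
    """First path segment of a hosted-git URL, e.g. the GitHub account name."""
    segments = urlparse(normalize(url)).path.strip("/").split("/")
    return segments[0] if segments and segments[0] else None


def packages_from_foreign_repos(repositories, locked):
    """Locked packages that come from a custom repository whose owner
    differs from the vendor part of the package name."""
    custom = {normalize(r["url"]) for r in repositories if "url" in r}
    findings = []
    for pkg in locked:
        url = (pkg.get("source") or {}).get("url", "")
        vendor = pkg["name"].split("/")[0].lower()
        if normalize(url) in custom and owner_of(url) != vendor:
            findings.append((pkg["name"], owner_of(url)))
    return findings


if __name__ == "__main__":
    for name, owner in packages_from_foreign_repos(ROOT_REPOSITORIES, LOCKED_PACKAGES):
        print("%s is served from a repository owned by %s" % (name, owner))
```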
I've developed a custom laravel package and put it on GitHub. I put it in composer.json (code below) and it installs fine.
I have no version info on it yet, since it is still in development. When I make changes to my package (in a separate directory), I commit and push the changes up to the GitHub repo.
When I run 'composer update', I get "nothing to install or update". If I delete the package from my vendors directory and update, then my package IS installed from the GitHub repo, with the latest changes.
But I would like to be able to pull/force the latest changes from the repo without deleting it first from my vendors directory, since I have other dependencies on that package, and if I delete it, I get errors from artisan clear-compiled that classes are not defined (since they are defined in my deleted vendor package...)
The relevant portion of my top-level composer.json is:
"repositories": [{
"type": "package",
"package": {
"name": "myrepo/MyExtension",
"version": "dev-master",
"source": {
"url": "https://github.com/myrepo/MyExtension.git",
"type": "git",
"reference": "master"
},
"autoload": {
"psr-4": {
"MyExtension\\": "src/Extensions/"
}
}
}
}],
"require": {
"php": ">=5.5.9",
"laravel/framework": "5.2.*",
"myrepo/MyExtension": "dev-master"
},
You have created all meta data about your package yourself, likely making Composer think that the data didn't change.
The easier, and probably working, way would be to simply point to the repository URL and let Composer query the meta data from the composer.json file contained in the repository:
"repositories": [{
"type": "vcs",
"url": "https://github.com/myrepo/MyExtension.git"
}]
For it to update your changes you need to version your package, but as you said earlier you are not versioning your packages, so for it to update your changes you can go to composer.lock and remove your package entry, or use composer to remove the package and install it again, e.g.
// composer remove vendor/package && composer require vendor/package
composer remove zizaco/entrust && composer require zizaco/entrust
Running into an issue with composer. I have a main project that I'm working on with some small libraries I built that I want to more easily share between my projects. They are nowhere near release ready, so I don't want to add them to packagist, but when I require 1 that requires another, it will error unless I add that custom repository as well on my master composer.json.
Also, the tertiary requirement cannot resolve packagist libraries:
Your requirements could not be resolved to an installable set of packages.
Problem 1
- ethereal/simpleCache dev-master requires predis/predis ^1.1@dev -> no matching package found.
- ethereal/simpleCache dev-master requires predis/predis ^1.1@dev -> no matching package found.
- Installation request for ethereal/simplecache dev-master -> satisfiable by ethereal/simpleCache[dev-master].
Main Project composer.json:
{
"name": "ethereal/SimpleTable",
"type": "project",
"repositories": [
{
"type": "vcs",
"url": "https://github.com/mathus13/SimpleConfig.git"
}
],
"require": {
"php": ">=5.3.9",
"doctrine/dbal": "^2.6@dev",
"ethereal/SimpleConfig": "dev-master"
},
"require-dev": {
"phpunit/phpunit": "~4.8"
},
"autoload": {
"psr-4": {
"Ethereal\\": "lib"
}
}
}
config library: when running composer update in SimpleTable, Simple Cache will not be included unless explicitly required in SimpleTable.
{
"name": "ethereal/SimpleConfig",
"type": "project",
"version": "0.0.1",
"repositories": [
{
"type": "vcs",
"url": "https://github.com/mathus13/SimpleCache.git"
}
],
"require": {
"php": ">=5.3.9",
"ethereal/SimpleCache": "dev-master"
},
"require-dev": {
"phpunit/phpunit": "~4.8"
},
"autoload": {
"psr-4": {
"Ethereal\\": "lib"
}
}
}
cache library: when running composer update in SimpleTable, predis can not be resolved.
{
"name": "ethereal/simpleCache",
"type": "project",
"version": "0.0.1",
"require": {
"predis/predis": "^1.1@dev",
"php": ">=5.3.9"
},
"require-dev": {
"phpunit/phpunit": "~4.8"
},
"autoload": {
"psr-4": {
"Ethereal\\": "lib"
}
}
}
ethereal/SimpleTable depends on ethereal/SimpleConfig in dev stability, which depends on ethereal/SimpleCache in dev stability, which depends on predis/predis in dev stability (version 1.1 hasn't been released yet).
Packages included into the main package cannot define any stability, the only stability allowed is the one in the main package. And that is "stable" by default.
You made ONE exception from this rule by depending on "dev-master" for SimpleConfig, but this is not inherited.
You have multiple solutions:
1. Tag your software. Tags declare it more stable than "dev", and it generally is a good idea to only use tagged software in production.
2. Include ALL your own packages that are needed in the main package, even if they are not directly used. This will add exceptions from the general stability for them, and allow Composer to resolve any sub dependencies.
3. You can add "minimum-stability":"dev" to the main composer.json, but this will also allow all other packages to be installed from a branch. Using branches however is a very bad thing, because you cannot easily go back to the version that was working before you did the update - the branch pointer moves only forward. Only tags will point to the same software forever.
4. Adding "prefer-stable":true is some sort of workaround for the problem that 3 introduces for packages that are already available in a stable release version. However you still have the problem of not being able to go back to your own packages' earlier versions, because you are using a branch.
If you are still developing these packages, depending on branches may seem necessary. However, a good package will be able to be developed and tested standalone, with barely any foreign code present apart from interface definitions (which will be used to mock everything), so putting all code together into a mixture of repos with branches checked out usually is an invitation for writing code that isn't cleanly separated.
If any of these packages is already done (I'd say "good enough"), tag it and depend on that version instead of a branch. You can always release new versions if you find bugs or want to add new features.
I have an extremely simple question - When installing a program via composer (when not part of an existing framework like Laravel), how do I know what to put in the autoload section?
Here's what I've got...
{
"name": "Search",
"description": "Get search results from Solr",
"keywords": [
"search",
"solr"
],
"require": {
"ext-curl": "*",
"solarium/solarium": "3.2.*",
"twig/twig" : "~1.0"
},
"autoload": {}
}
When you use composer you get a PSR-4 autoloader. So when you install your packages you can include the autoloader.
https://getcomposer.org/doc/01-basic-usage.md
Here is the introduction. There is an autoload section and some good examples.
I've been trying to address this issue for a long time now but still can't figure out what my mistake is.
I've got two repositories I want to combine. The Application and the Framework Core.
// Application
- composer.json
- public/
- CCF/
- core/ <- here the core package should go
- vendor/ <- here it goes instead
Now basically I want to create a composer package that installs into CCF/core/ instead of CCF/vendor/clancats/core/etc..
So I created a custom installer at:
vendor/composer/installers/src/Composer/Installers/ClanCatsFrameworkInstaller.php
class ClanCatsFrameworkInstaller extends BaseInstaller
{
protected $locations = array(
'core' => 'CCF/core/',
'orbit' => 'CCF/orbit/{$name}/',
);
}
The composer.json of the core
{
"name": "clancats/core",
"description": "The ClanCatsFramework Core repository",
"type": "clancatsframework-core",
"license": "MIT",
"require": {
"php": ">=5.3",
"composer/installers": "~1.0"
}
}
composer.json of the application that should implement the core at CCF/core
{
"type": "project",
"require": {
"php": ">=5.3",
"clancats/core": "dev-master"
},
"config": {
"vendor-dir": "CCF/vendor"
}
}
But after all that composer still installs the core package at /vendor/clancats/etc..
So my question is what is my mistake that composer won't install the core package to CCF/core/?
Added composer/installers to the requires.
I created a custom installer which defines the path to the core
Set the type of the core package to my custom one.
Another question that is spinning around my head: is my pattern wrong? I mean, did I misunderstand how to use composer?
Github:
framework install repo: https://github.com/ClanCats/Framework
core repo: https://github.com/ClanCats/Core
Thanks for your help guys :)
So for everyone who runs into the same problem:
My mistake was that I didn't require the composer/installers in the main repository.
The composer installers have to be required in both repositories.
So in this case:
{
"type": "project",
"require": {
"php": ">=5.3",
"clancats/core": "dev-master",
"composer/installers": "~1.0"
},
"config": {
"vendor-dir": "CCF/vendor"
}
}
solves the problem.