This only removes the credentials if they are managed by composer auth.json or equivalent, if the credentials were present in the package URL to begin with they might remain
Refs #8293Fixes#3644Closes#3608
Particularly the test
tests/Composer/Test/Fixtures/installer/partial-update-downgrades-non-whitelisted-unstable.test
is interesting because it verifies that an older version will be
installed on update if the new one is only present in the installed repo
or vendor dir. This was the cause of a lot of weird edge cases and
unreliable update behavior in Composer v1
As a result some lock file packages are no longer in the pool, so the
former installed map, now present map cannot use package ids anymore
Need to revisit some more code later to simplify this, todo notes left
Ensures packages get loaded from locked repo correctly. We may not want
to support this particular use-case at all, but for now it fixes the
existing test, so we may want to revisit this later.
New approach is to use only the solved set of packages as input and then
to resolve with only the non-dev requirements and to mark everything as
dev that is not part of the result set, rather than transitioning a
temporary local repo state by uninstalling dev packages.
* github-composer/2.0: (48 commits)
Fix missing use/undefined var
Split up steps on VCS downloaders to allow doing network operations before touching the filesystem on GitDownloader, fixes#7903
Fix use statement
Deduplicate findHeaderValue code
Add install-path to the installed.json for every package, fixes#2174, closes#2424
Remove unnecessary config from phpstan
Make sure the directory exists and will not block installation later when downloading
Avoid wiping the whole target package if download of the new one fails, refs #7929
Only empty dir before actually installing packages, fixes#7929
Improve output when installing packages
Show best possible version in diagnose command
Remove extra arg
Allow path repos to point to their own source dir as install target, resulting in noop, fixes#8254
Fix use of decodeJson
Fix update mirrors to also update transport-options, fixes#7672
Fix updating or URLs to include dist type and shasum, fixes#8216
Fix origin computation
Improve handling of non-standard ports for GitLab and GitHub installs, fixes#8173
Load packages from the lock file for check-platform-reqs if no dependencies have been installed yet, fixes#8058
Fix error_handler return type declaration
...
* 2.0: (101 commits)
SVN: hide passwords for debug output
Free $solver asap
fixes#8179
[minor] Fixed a typo in the CHANGELOG.md.
Update deps
Update changelog
Revert "Allow overriding self-update target file with envvar COMPOSER_SELF_UPDATE_TARGET" Revert "Add docs for COMPOSER_SELF_UPDATE_TARGET, refs #8151"
Add docs for COMPOSER_SELF_UPDATE_TARGET, refs #8151
Fix display of HHVM warning appearing when HHVM is not in use, fixes#8138
Read classmap-authoritative and apcu-autoloader from project config when installing via create-project, fixes#8155
Use possessive quantifiers
Update xdebug-handler to 1.3.3
fixes#8159
Allow overriding self-update target file with envvar COMPOSER_SELF_UPDATE_TARGET
flag should come before script name
use full command name, not abbreviated/alias
modify text
Document the alternatives to disable the default script timeout
Anchor pattern
Fix URL resolution for Composer repositories
...
* master: (48 commits)
SVN: hide passwords for debug output
Free $solver asap
fixes#8179
[minor] Fixed a typo in the CHANGELOG.md.
Update deps
Update changelog
Revert "Allow overriding self-update target file with envvar COMPOSER_SELF_UPDATE_TARGET" Revert "Add docs for COMPOSER_SELF_UPDATE_TARGET, refs #8151"
Add docs for COMPOSER_SELF_UPDATE_TARGET, refs #8151
Fix display of HHVM warning appearing when HHVM is not in use, fixes#8138
Read classmap-authoritative and apcu-autoloader from project config when installing via create-project, fixes#8155
Use possessive quantifiers
Update xdebug-handler to 1.3.3
fixes#8159
Allow overriding self-update target file with envvar COMPOSER_SELF_UPDATE_TARGET
flag should come before script name
use full command name, not abbreviated/alias
modify text
Document the alternatives to disable the default script timeout
Anchor pattern
Fix URL resolution for Composer repositories
...
Composer was unable canonicalize URLs in non-HTTP(S) Composer
repositories. For example it was not possible to use a `providers-url`
in a repository loaded via the `file://` scheme.
See also: #8115
- Introduce separate Lock and LocalRepo transactions, one for changes
to the lock file, one for changes to locally installed packages based
on lock file
- Remove various hacks to keep dev dependencies updated and
incorporated the functionality into the transaction classes
- Remove installed repo, there are now local repo, locked repo and
platform repo
- Remove access to local repo from solver, only supply locked packages
- Update can now be run to modify the lock file but not install packages
to local repo
* master:
Follow up to #7946 test: add solver flag to assert path execution
Fix tests
Make sure config command output is also output on --quiet so that warnings can be hidden, fixes#7963
Recognize composer-plugin-api as a platform package, fixes#7951
Quote wildcards to avoid issues in some shells, fixes#7960
Avoid dumping null values for dist reference/shasum and source reference, fixes#7955
Soften hard exit after revert of composer file
Make unixy proxy code POSIX compatible
Update aliases.md
Same but for Problem.php
Better error message for present but incompatible versions
Fix inconsistent casing
Don't do (new Foo())->bar() - not 5.3-compatible
Support identifying the HHVM version when not running with HHVM
* master:
Fix solver problem exceptions with unexpected contradictory "Conclusions"
Also load config into IO if not freshly created
Only load configuration into IO if IO is available
Fix defaultRepos fallback does not use auth config
Add warning/info msg when tweaking disable-tls setting to avoid confusion, fixes#7935
* 1.8:
Fix solver problem exceptions with unexpected contradictory "Conclusions"
Also load config into IO if not freshly created
Only load configuration into IO if IO is available
Fix defaultRepos fallback does not use auth config
This 5 character fix comes with a solver test as well as a functional
installer test essentially verifying the same thing. The solver test is
more useful when working on the solver. But the functional test is less
likely to be accidentally modified incorrectly during refactoring, as
every single package, version and link in the rather complex test
scenario is essential, and a modified version of the test may very well
still result in a successful installation but no longer verify the bug
described below.
Background:
In commit 451bab1c2c from May 19, 2012 I
refactored literals from complex objects into pure integers to reduce
memory consumption. The absolute value of an integer literal is the id
of the package it refers to in the package pool. The sign indicates
whether the package should be installed (positive) or removed (negative),
So a major part of the refactoring was swapping this call:
$literal->getPackageId()
For this:
abs($literal)
Unintentionally in line 554/523 I incorrectly applied this change to the
line:
$this->literalFromId(-$literal->getPackageId());
It was converted to:
-abs($literal);
The function literalFromId used to create a new literal object. By using
the abs() function this change essentially forces the resulting literal
to be negative, while the minus sign previously inverted the literal, so
positive into negative and vice versa.
This particular line is in a function meant to analyze a conflicting
decision during dependency resolution and to draw a conclusion from it,
then revert the state of the solver to an earlier position, and attempt
to solve the rest of the rules again with this new "learned" conclusion.
Because of this bug these conclusions could only ever occur in the
negative, e.g. "don't install package X". This is by far the most likely
scenario when the solver reaches this particular line, but there are
exceptions.
If you experienced a solver problem description that contained a
statement like "Conclusion: don't install vendor/package 1.2.3" which
directly contradicted other statements listed as part of the problem,
this could likely have been the cause.
hhvm-nightly (and the next release) are no longer able to execute
Composer. Support executing Composer with PHP to install dependencies
for hack projects.
The goal is for this to be temporary, until Hack identifies a new
package manager, given that Composer does not aim to be a multi-language
package manager.
fixes#7734
The update command can receive a pattern like `vendor/prefix-*`
to update all matching packages.
This has not worked if multiple packages, depending on each other,
where matched to the given pattern. No package has been updated
in this case as only the first package matching the pattern was
added to the whitelist.