Locked packages are basically like removable fixed packages, so we still
only load one version, but we do not require their installation unless
something the user needs requires their use. So they automatically get
removed if they are no longer needed on any update.
Instead of marking locked packages as fixed, we change the pool builder
to load only the locked version and treat it like a fixed package, but
removing the actual request fix, makes the solver treat it as a regular
optional dependency. As a consequence locked packages may be removed on
a partial update of another package, but they cannot be updated.
So far the ordering of alias packages with the same name was undefined
so the actual order was determined by implementation of the sorting
algorithm in PHP. As of PHP8 sort is stable by default which changes the
outcome in some of our test cases.
With the fully defined total order the order can longer change depending
on sorting algorithm used and remains the same across PHP versions.
* master:
Add tests for edge cases of packages providing names which exist as real packages
Add another test verifying that a package may provide an incompatible version of sth that actually exists
Fix provider coexistence test, needs another requirement to install both
Fix test filename to end with .test extension so it gets run
Update config section to note required scope for GitLab tokens
Fix pre/post-package-install/update/uninstall events receiving a partial list of operations, fixes#9079
Also remove credentials from cache dirs in git/svn drivers, fixes#7439, refs #9155
AuthHelper: Allow fall-through GitLab-specific HTTP headers for auth
Sanitize repo URLs to mask HTTP auth passwords from cache directory
Util/Zip: fix strpos args order
Previously, `AuthHelper` consumed the authentication credentials for GitLab domains and added access tokens as GitLab-specific headers.
[Composer repositories now supported in GitLab](https://php.watch/articles/composer-gitlab-repositories) require standard Authorization headers with a personal access to function, which failed to work due to out GitLab-specific headers.
With this commit, AuthHelper checks if the password is an access token, and falls through to HTTP basic authentication even if the domain name is a GitLab domain name.
* master: (59 commits)
Update deps
Reuse repository manager and others directly from the Composer instance, refs #9057
Fix usage of create-project with local filesystem repos
Fix return value
Add support for multiple --repository additions in create-project, and make --add-repository delete the lock file, fixes#8853
Remove cygwin php handling in UAC elevation
Clean up a little to make impl less invasive and to handle replacers/providers
Supply event dispatcher in Create Project Command
Avoid attempting to use /etc/xdg as base config home, fixes#9053, refs #9045
Create an issue @ Docker repository on tag
Mark transaction classes internal, refs #8827
Prepare 1.10.9 release
Remove highest/lowest builds for 1.10 maintenance branch
Fix bitbucket detection of redirects to login page, fixes#9041
Fix doc comment
Fixed spelling mistake
Add Windows UAC elevation to self-update command
GitLab: clarify interactive auth prompt
Improve support for XDG and default to XDG config dir if both that and ~/.composer are available, fixes#9045Fix#9033 - inconsistent behavior with minor-only flag
...
* RemoteFilesystemTest: simplifying some mock expectations calls
- will($this->returnValue()) to willReturn()
- will($this->returnCallBack()) to willReturnCallback()
* RemoteFilesystemTest: extracting identical mocks for IOInterface into a separate getIOInterfaceMock() method
* RemoteFilesystemTest: converting protected helper methods to private.
* RemoteFilesystemTest: moving getConfigMock() private method after the public methods (with other private methods)
* adding RemoteFileSystemTest::testCopyWithRetryAuthFailureFalse() unit test.
* Allow optional injecting of AuthHelper into RemoteFilesystem constructor.
* adding RemoteFileSystemTest::testCopyWithSuccessOnRetry() unit test.
* using backward compatible @expectedException in RemoteFilesystemTest.php
* RemoteFilesystemTest: extracting RemoteFilesystem with mocked method creation into a separate method.
* RemoteFilesystemTest: extracting AuthHelper with mocked method creation into a separate method.
* Add AuthHelper::addAuthenticationHeader() test on missing authentication credentials.
* Add AuthHelper::addAuthenticationHeader() test on bearer password.
* Add AuthHelper::addAuthenticationHeader() test on Github token.
* Add AuthHelper::addAuthenticationHeader() test on Gitlab Oauth token.
* Add $authenticationDisplayMessage write expectation to AuthHelper::addAuthenticationHeader() tests.
* Add AuthHelper::addAuthenticationHeader() test on Gitlab private token.
* Add AuthHelper::addAuthenticationHeader() test on Bitbucket Oauth token.
* Add AuthHelper::addAuthenticationHeader() test on Bitbucket public urls.
* Add AuthHelper::addAuthenticationHeader() test on Basic Http Authentication.
* Add AuthHelper::isPublicBitBucketDownload() tests.
* Rename AuthHelperTest $credentials variable to $auth.
* Add AuthHelper::storeAuth() test for auto-store option.
* Add AuthHelper::storeAuth() test for user prompt and y(es) answer.
* Add AuthHelper::storeAuth() test for user prompt and n(o) answer.
* Add AuthHelper::storeAuth() test for user prompt with invalid answer.
* Add AuthHelper::promptAuthIfNeeded() test for Github authentication failure.
- add GitHub hard dependency mock (new GitHub(...) mock)
* Run AuthHelper::promptAuthIfNeeded() tests only with PHP > 5.3
* Run AuthHelper::promptAuthIfNeeded() tests only with PHP >= 5.4
* Run AuthHelper::promptAuthIfNeeded() tests only with PHP 5.4
* Exclude PHPStan analyses of '../tests/Composer/Test/Util/Mocks/*'
* Exclude AuthHelper::promptAuthIfNeeded() tests from current pull request.
* Extract repetitive AuthHelperTest authentication expectation into a method.
PackageSorter weighs the importance of a package
by counting how many times it is required by other packages.
This works by calculating the weight for each package name.
However currently the package index of the package array
is currently passed the weigh function, which basically
disables package sorting.
The reason for that is, that a package repository previously
returned the package list as associative array with package name as keys,
but currently just as an array with integer keys.
Therefore we must extract the package name from the package
before passing it to the weigh function.
The only automatic conflict we have results from packages using the same name
either by literally having the same name and being different versions or they
replace the same name, so
- removed all types of obsolete rules
- simplified rule generation significantly
- got rid of provide filtering in the pool
- fixed some language in error handling
Prevent aliases to be duplicated: no need to apply root aliases from
composer.json on packages currently locked, they should have their
aliases in the lock file, otherwise request an update.
This is necessary to allow the requiring of new packages which replace
packages currently locked without requiring explicitly listing them as
an argument, so simplifies the composer require command
This reduces code complexity while making partial updates more
predictable. This also allows composer require to successfully run a
partial update for a new package with transitive dependency updates.
You can specify a list of funding options each with a type and URL. The
type is used to specify the kind of funding or the platform through
which funding is possible.
The "composer install" can create the vendor/dir folders and be used as a script item on composer.json. Having another script running after it that relies on vendor/bir binaries (such as phpunit) will cause it to not find the binary. This fix addresses the issue by trying to append the path on each script iteration.
The only type of request job remaining was "install" which is really a
root requirement. The only other kind of input for the solver is now a
set of fixed packages.
Rules have been updated to account for only two kinds of former job
reason: FIXED or ROOT_REQUIRE. The job property has always been
redundant and has been removed, since reasonData suffices.
Problem reasons are always rules, so the unnecessary wrapping in an
array has been removed.
We now only ever generate a single rule per root require or fixed
package, so there is no need for the solver to special handle disabling
"jobs" anymore, the rule can just be disabled as usual.
For consistency special handling of rules for jobs in problems has been
integrated into the rule class like all other rule reasons. As part of
this change the error message for root requirements has been improved a
bit to make it clearer where the package installation request came from.
The word job has also been removed from operations, which are called
operations, not jobs.
Currently, preferred-install accepts the hash of patterns as the value in the composer.json. I've followed the same approach as used in extra and platform for letting the user define install preferences through CLI in the format: `composer config preferred-install my-organization/stable-package.dist`.
This includes two breaking changes:
- the hostname is not resolved in the case of an IP address.
- a hostname with a trailing period (FQDN) is not matched.
This brings the basic implementation in line with curl behaviour, with
the addition of full IP address and range matching (curl does not
differentiate between IP addresses host names).
The NO_PROXY environment variable can be set to either a comma-separated
list of host names that should not use a proxy, or single asterisk `*`
to match all hosts.
- Port numbers can be included by prefixing the port with a colon `:`.
- IP addresses can be used, but must be enclosed in square brackets
`[...]` if they include a port number.
- IP address ranges can specified in CIDR notation, separating the IP
address and prefix-length with a forward slash `/`.
We now output an update when only a source or dist ref changes even if
it's a stable version so in these cases the output needs to contain the
ref to make it clear to users what changed
This also changes the PRE/POST_PACKAGE_INSTALL/UPDATE/UNINSTALL events to have less information available on them, repositorySet, request and policy are gone
* github-composer/2.0: (63 commits)
Fix PSR warnings for optimized autoloader, refs #8397, refs #8403
Prepare 1.9.1 changelog
Output a hint that maybe you are not in the right directory, fixes#8404
Fix PSR warnings for optimized autoloader, refs #8397, refs #8403
Fix tests for PSR-fix in optimized autoloader, refs #8397
Fix tests for PSR-fix in optimized autoloader, refs #8397
Change PSR-fix for optimized autoloader to only warn for now, refs #8397
Fix output of dump-autoload command to avoid interfering with warnings, refs #8397
Remove credentials from git remotes in cache and vendor dirs
Avoid overwriting credentials with existing ones from git repos, refs #8293
Fix github auth to try https with pwd also, fixes#8356
Fix gitlab support for basic-auth fallback from ssh URLs
Avoid clearing the error output during removeDirectory execution, losing git error output, fixes#8351
Move test file parsing into try/catch block to avoid phpunit swallowing errors
make optimized autoloader respect PSR standards
Validate composer show with --tree and --path options set (#8390)
Don't show root warning for docker containers
Added phpdoc for ComposerAutoloaderInit$SHA1::getLoader() (#8393)
Validate schema name, type and version
Fix require command to allow working on network mounts, fixes#8231
...
The solver now only calculates a lock file transaction which does not
need to be sorted in order of dependencies. This is only necessary for
the local repo transaction generated without the solver during install
The pool builder tries to be minimal so it's fine for present/locked
packages not be assigned a solver/pool id. Adding a test to verify
correct creation of uninstall jobs
These special commands no longer (ab)use the partial update mechanism
but rather create a special install request for all current lock file
contents and later override any modified code references to the
originals. This leads to up to date remote metadata but no other
changes.
Commit: 149250ab92
ProcessExecutor::escape handled a false value inconsistently across
platforms, returning an emtpy string on Windows, otherwise `''`. This
is fixed to return `""` on Windows.
The GitDownloaderTest code has been appropriately updated.
This only removes the credentials if they are managed by composer auth.json or equivalent, if the credentials were present in the package URL to begin with they might remain
Refs #8293Fixes#3644Closes#3608
Particularly the test
tests/Composer/Test/Fixtures/installer/partial-update-downgrades-non-whitelisted-unstable.test
is interesting because it verifies that an older version will be
installed on update if the new one is only present in the installed repo
or vendor dir. This was the cause of a lot of weird edge cases and
unreliable update behavior in Composer v1
As a result some lock file packages are no longer in the pool, so the
former installed map, now present map cannot use package ids anymore
Need to revisit some more code later to simplify this, todo notes left
Nils Adermann