Skip to content

"extra.symfony.require" not enforced anymore #65

New issue
New issue
Open
Open
"extra.symfony.require" not enforced anymore#65
@darthf1

Description

@darthf1
darthf1
opened on Dec 15, 2023

Hi!

I'm currently on SF 6.4.*, but noticed a lot of indirect SF 7 dependencies were installed. I have the following in my composer.json:

    "extra": {
        "symfony": {
            "allow-contrib": true,
            "require": "6.4.*",
            "endpoint": [
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php/flex/main/index.json",
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php-contrib/flex/main/index.json",
                "flex://defaults"
            ]
        }
    },

When I go back to the default settings, without custom endpoints:

    "extra": {
        "symfony": {
            "allow-contrib": true,
            "require": "6.4.*"
        }
    },

And I run php composer update "symfony/*", I get:

Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "6.4.*"
Updating dependencies
Lock file operations: 0 installs, 20 updates, 0 removals
  - Downgrading symfony/cache (v7.0.0 => v6.4.0)
  - Downgrading symfony/clock (v7.0.0 => v6.4.0)
  - Downgrading symfony/doctrine-bridge (v7.0.0 => v6.4.0)
  - Downgrading symfony/error-handler (v7.0.0 => v6.4.0)
  - Downgrading symfony/filesystem (v7.0.0 => v6.4.0)
  - Downgrading symfony/finder (v7.0.0 => v6.4.0)
  - Downgrading symfony/intl (v7.0.0 => v6.4.0)
  - Downgrading symfony/messenger (v7.0.1 => v6.4.0)
  - Downgrading symfony/mime (v7.0.0 => v6.4.0)
  - Downgrading symfony/monolog-bridge (v7.0.0 => v6.4.0)
  - Downgrading symfony/options-resolver (v7.0.0 => v6.4.0)
  - Downgrading symfony/password-hasher (v7.0.0 => v6.4.0)
  - Downgrading symfony/psr-http-message-bridge (v7.0.0 => v6.4.0)
  - Downgrading symfony/security-core (v7.0.1 => v6.4.0)
  - Downgrading symfony/security-csrf (v7.0.1 => v6.4.0)
  - Downgrading symfony/security-http (v7.0.1 => v6.4.0)
  - Downgrading symfony/stopwatch (v7.0.0 => v6.4.0)
  - Downgrading symfony/string (v7.0.0 => v6.4.0)
  - Downgrading symfony/var-dumper (v7.0.0 => v6.4.0)
  - Downgrading symfony/var-exporter (v7.0.1 => v6.4.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 20 updates, 0 removals
  - Downgrading symfony/string (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/var-dumper (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/error-handler (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/doctrine-bridge (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/var-exporter (v7.0.1 => v6.4.1): Extracting archive
  - Downgrading symfony/filesystem (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/finder (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/cache (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/stopwatch (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/password-hasher (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/security-core (v7.0.1 => v6.4.0): Extracting archive
  - Downgrading symfony/security-http (v7.0.1 => v6.4.0): Extracting archive
  - Downgrading symfony/security-csrf (v7.0.1 => v6.4.0): Extracting archive
  - Downgrading symfony/clock (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/options-resolver (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/psr-http-message-bridge (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/messenger (v7.0.1 => v6.4.0): Extracting archive
  - Downgrading symfony/mime (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/monolog-bridge (v7.0.0 => v6.4.0): Extracting archive
  - Downgrading symfony/intl (v7.0.0 => v6.4.0): Extracting archive
Package php-http/message-factory is abandoned, you should avoid using it. Use psr/http-factory instead.
Generating autoload files
168 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
infection/extension-installer: No extensions found
phpstan/extension-installer: Extensions installed

What about running composer global require symfony/thanks && composer thanks now?
This will spread some 💖  by sending a ★  to the GitHub repositories of your fellow package maintainers.

Run composer recipes at any time to see the status of your Symfony recipes.

Executing script cache:clear [OK]
Executing script assets:install public [OK]

No security vulnerability advisories found.

When I add back the custom endspoints as stated in this repositories readme:

    "extra": {
        "symfony": {
            "allow-contrib": true,
            "require": "6.4.*",
            "endpoint": [
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php/flex/main/index.json",
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php-contrib/flex/main/index.json",
                "flex://defaults"
            ]
        }
    },

And I run php composer update "symfony/*", indirect dependencies are again updated to SF7:

Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 20 updates, 0 removals
  - Upgrading symfony/cache (v6.4.0 => v7.0.0)
  - Upgrading symfony/clock (v6.4.0 => v7.0.0)
  - Upgrading symfony/doctrine-bridge (v6.4.0 => v7.0.0)
  - Upgrading symfony/error-handler (v6.4.0 => v7.0.0)
  - Upgrading symfony/filesystem (v6.4.0 => v7.0.0)
  - Upgrading symfony/finder (v6.4.0 => v7.0.0)
  - Upgrading symfony/intl (v6.4.0 => v7.0.0)
  - Upgrading symfony/messenger (v6.4.0 => v7.0.1)
  - Upgrading symfony/mime (v6.4.0 => v7.0.0)
  - Upgrading symfony/monolog-bridge (v6.4.0 => v7.0.0)
  - Upgrading symfony/options-resolver (v6.4.0 => v7.0.0)
  - Upgrading symfony/password-hasher (v6.4.0 => v7.0.0)
  - Upgrading symfony/psr-http-message-bridge (v6.4.0 => v7.0.0)
  - Upgrading symfony/security-core (v6.4.0 => v7.0.1)
  - Upgrading symfony/security-csrf (v6.4.0 => v7.0.1)
  - Upgrading symfony/security-http (v6.4.0 => v7.0.1)
  - Upgrading symfony/stopwatch (v6.4.0 => v7.0.0)
  - Upgrading symfony/string (v6.4.0 => v7.0.0)
  - Upgrading symfony/var-dumper (v6.4.0 => v7.0.0)
  - Upgrading symfony/var-exporter (v6.4.1 => v7.0.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 20 updates, 0 removals
  - Upgrading symfony/string (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/var-dumper (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/error-handler (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/doctrine-bridge (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/var-exporter (v6.4.1 => v7.0.1): Extracting archive
  - Upgrading symfony/filesystem (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/finder (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/cache (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/stopwatch (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/password-hasher (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/security-core (v6.4.0 => v7.0.1): Extracting archive
  - Upgrading symfony/security-http (v6.4.0 => v7.0.1): Extracting archive
  - Upgrading symfony/security-csrf (v6.4.0 => v7.0.1): Extracting archive
  - Upgrading symfony/clock (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/options-resolver (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/psr-http-message-bridge (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/messenger (v6.4.0 => v7.0.1): Extracting archive
  - Upgrading symfony/mime (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/monolog-bridge (v6.4.0 => v7.0.0): Extracting archive
  - Upgrading symfony/intl (v6.4.0 => v7.0.0): Extracting archive
Package php-http/message-factory is abandoned, you should avoid using it. Use psr/http-factory instead.
Generating autoload files
168 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
infection/extension-installer: No extensions found
phpstan/extension-installer: Extensions installed

What about running composer global require symfony/thanks && composer thanks now?
This will spread some 💖  by sending a ★  to the GitHub repositories of your fellow package maintainers.

Run composer recipes at any time to see the status of your Symfony recipes.

Executing script cache:clear [OK]
Executing script assets:install public [OK]

No security vulnerability advisories found.

When default and/or the contrib endpoints are specified, the dependencies are also downgraded to 6.4.*.

    "extra": {
        "symfony": {
            "allow-contrib": true,
            "require": "6.4.*",
            "endpoint": [
                "https://raw.githubusercontent.com/schranz-php-recipes/symfony-recipes-php-contrib/flex/main/index.json",
                "flex://defaults"
            ]
        }
    },

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions