Warn when SYMFONY_REQUIRE is set to an exact version constraint #1093
GromNaN wants to merge 2 commits into
Problem

Setting `SYMFONY_REQUIRE=7.4` (or any exact version like `7`, `7.4.1`) is treated by Composer as the constraint `== 7.4.0.0` — it will only match that single specific version. This causes two classes of silent failures:

1. Security advisories block exact versions. When a package version is flagged by a security advisory, Composer refuses to install it. With an exact constraint, there is no fallback version, so the installation fails with no clear explanation. See "`policy.advisories.block` blocks non-affected versions when symfony/flex truncates the pool (SYMFONY_REQUIRE)" composer/composer#12936.
2. Not all packages exist at every bugfix version. Symfony skips publishing packages that have no changes in a given bugfix release. For example, `symfony/console 7.4.3` may not exist if there were no changes to that component in that release. An exact constraint would then fail to resolve.

The intended constraints are `7.4.*` (allows any `7.4.x`) or `^7.4` (allows `>=7.4.0 <8.0.0`).

Solution

Use `Composer\Semver\VersionParser` to parse the constraint and detect when it resolves to a single `==` constraint (i.e. an exact version). A warning is then emitted suggesting the correct form:

This applies whether the value comes from the `SYMFONY_REQUIRE` environment variable or from `extra.symfony.require` in `composer.json`.
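As an added illustration (not the code of this PR nor of symfony/flex), the following script performs the detection described above with `composer/semver`; it assumes `composer/semver` is installed and autoloadable from `vendor/autoload.php`, and the function names and the sample `composer.json` array are constructed for the example:

```php
<?php
// Added example, not symfony/flex code. Assumes composer/semver is installed
// (composer require composer/semver) so that vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

use Composer\Semver\Constraint\Constraint;
use Composer\Semver\VersionParser;

// True when the requirement resolves to a single "==" constraint on a numeric
// version, i.e. it can only ever match one release (7, 7.4, 7.4.1).
// Wildcards and caret ranges (7.4.*, ^7.4) parse to a MultiConstraint of
// ">=" / "<" bounds and are therefore not flagged. Branch names such as
// dev-main are also "==" constraints but are deliberately ignored here.
function isExactVersionConstraint(string $requirement): bool
{
    $parsed = (new VersionParser())->parseConstraints($requirement);
    if (!$parsed instanceof Constraint || '==' !== $parsed->getOperator()) {
        return false;
    }
    $version = $parsed->getVersion(); // normalized, e.g. "7.4.0.0"

    return !str_starts_with($version, 'dev-') && !str_ends_with($version, '-dev');
}

// Warning text suggesting the two forms named in the PR (7.4.* and ^7.4),
// derived from the major.minor part of the normalized version.
function exactConstraintWarning(string $requirement): ?string
{
    if (!isExactVersionConstraint($requirement)) {
        return null;
    }
    $version = (new VersionParser())->parseConstraints($requirement)->getVersion();
    [$major, $minor] = explode('.', $version);
    $branch = $major . '.' . $minor;

    return sprintf('The constraint "%s" only matches the exact version %s; use "%s.*" or "^%s" instead.',
        $requirement, $version, $branch, $branch);
}

// The value may come from the environment variable or from composer.json.
function symfonyRequireFrom(array $composerJson): ?string
{
    $env = getenv('SYMFONY_REQUIRE');
    return (false !== $env && '' !== $env) ? $env : ($composerJson['extra']['symfony']['require'] ?? null);
}

$sampleComposerJson = ['extra' => ['symfony' => ['require' => '7.4']]]; // constructed sample
foreach ([symfonyRequireFrom($sampleComposerJson), '7', '7.4.1', '7.4.*', '^7.4'] as $value) {
    printf("%-6s => %s\n", $value, exactConstraintWarning($value) ?? 'ok');
}
```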