Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
This is a follow up issue to #3255749: Composer v2.2 prompts to authorize plugins.
When installing Drupal with --stability=dev
Composer prompts to authorize the plugin dealerdirect/phpcodesniffer-composer-installer
(Thanks to @benjifisher for finding this)
Steps to reproduce
In console, run composer create-project drupal/recommended-project --stability=dev
Proposed resolution
Add dealerdirect/phpcodesniffer-composer-installer
to Drupal core's composer authorized plugins.
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Issue fork drupal-3294205
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #3
shaalReady for review
(As long as no additional tests will be required...)
Comment #4
SpokjeThere's currently no test at all for any
--stability=
parameter, only the default (which in our case seems to bestable
https://getcomposer.org/doc/articles/versions.md#stabilities) is tested.So that should be/is most probable the reason our tests didn't pick up on this one.
If we're wanting to test all stability options (5), it would IMHO require running the full test
\Drupal\BuildTests\Composer\Template\ComposerProjectTemplatesTest::testTemplateCreateProject()
four more times for both projectsdrupal/recommended-project
anddrupal/legacy-project
. So 8x more in total.Since a single run of
\Drupal\BuildTests\Composer\Template\ComposerProjectTemplatesTest::testTemplateCreateProject()
currently takes around 19 seconds, that would end up with an extra test time of 4 *19 sec = 76 seconds.Personally I think we can get away with only adding testing the
dev
stability, but I've been wrong before (many, many times actually...).Besides the above, could D10.0 be the time to drop support for
drupal/legacy-project
which seems to be D8 centred?Leaving all of the above ramblings for Bigger Brains to decide over.
Comment #5
SpokjeComment #6
longwaveI also think just testing
dev
is enough for now as it should cover this specific case and it doesn't seem worth the DrupalCI time to test the stabilities in between - we can always revisit later.Re dropping support for
drupal/legacy-project
it's always worth opening an issue if you think it is worth discussing.Comment #7
SpokjeThanks @longwave
Per usual, @alexpott is already on the case in the just linked related issue #3294241: Remove drupal/legacy-project as a starting point for Drupal 10
Comment #8
alexpottI created #3294241: Remove drupal/legacy-project as a starting point for Drupal 10
Comment #9
SpokjeLittle lost on how to test this.
The plugin-allow for
dealerdirect/phpcodesniffer-composer-installer
comes fromdrupal/coder
which is in the Metapackagedrupal/core-dev
.In a local attempt I swapped out the
require-dev
in the SUT'scomposer.json
with the actual dependencies indrupal/coder
'srequire
section.However this doesn't seem to actually install
drupal/coder
so the prompt to authorize the plugindealerdirect/phpcodesniffer-composer-installer
is never triggered.Time for Bigger Brains to step in to decide if a test is needed in the first place (probably yes?) and how to actually test this, and how to handle the possibility that a dependency of a dependency of a [snipped-for-sanity] needs to allow a plugin.
Maybe we should check if a sub-set of allowed plugins in the root
composer.json
is present in both templates?Comment #10
alexpottI think we can live without a test. I think there is a question about whether we need to fix this or let people answer the question that composer asks. That said I don't think there is any harm in trusting this plugin and doing this does reduce noise.
Comment #11
xjmThis change seems sensible. Looks like we need different versions for the 10.x branches, though.
Comment #14
NickDickinsonWildeD10.0.x patch created (should apply to 10.1.x)
Comment #15
larowlanThe changes look good to me, and should resolve issues I've seen locally when committing core patches (where I run composer install, and yarn install after applying a patch, before running the commit which executes phpstan and yarn spellcheck).
Comment #16
xjmManually tested with a test project and local path repo. Do we need to apply the same fixes to the dev dep metapackages as to the templates?
STR:
composer.json
like:composer.json
, with the following hack to make it work:In the test project, run
composer install
. Even with the patch applied, I still get the prompts:Since this appears to also apply to phpstan as well as the dealerdirect thingamajig, this is maybe an out-of-scope issue that needs a followup.
Comment #21
xjmI was unsuccessful in reproducing this locally for the templates, but going to go ahead and commit it based on the above feedback and see if it fixes packaging.
We can discuss the metapackages in a followup perhaps.
Comment #22
xjmHmmm except packaging still seems not fixed.
From @drumm, this was the output where packaging failed:
Comment #23
xjmI spoke too soon. #22 was before the commit. It just took like
520 min to queue the packaging and CI jobs for the commit across the four branches. We'll know in an hour or so whether tests are passing and whether I can tag a silly release. :) Thanks everyone for your help here. 🤞Comment #24
xjmLooks like #3255749: Composer v2.2 prompts to authorize plugins was committed to 9.3.x. Does this need a 9.3.x backport?
Comment #26
xjmCherry-picked the 9.4.x commit to 9.3.x as well.
Comment #27
xjmComment #28
xjm