So...my team has a need to collect data on installed packages as JSON. We do this, currently, with composer show --json, and it works well, but with one major gap: if we want to get the package types (and we do), there's no way to get that without calling composer show $PACKAGE_NAME --format=json individually. For performance reasons, that won't fly.

This PR, then, adds the type property to the output of composer show --json for all packages.

Yeah I think I'm gonna close this as per the above discussion

Yeah I'm guessing maybe this can be fixed by using an explicit null somewhere, but maybe that'll break things too, gotta try it and investigate a bit more.

Oh I think that's a bug because you use the readonly keyword which isn't supported yet by Composer when handling plugin classes.

Should be fixable, but in the meantime drop readonly and it should work.

What is https://github.com/ossobuffo/drupal-console-extend-plugin ? It seems to be 404. Probably you should remove this from your composer.json:

"github": {
"type": "vcs",
"url": "https://github.com/ossobuffo/drupal-console-extend-plugin.git"
},

Thanks for the PR but I think I'd rather not add confusion at this point in the docs, this works for most projects and those that really don't require anything can kinda skip it.

Bump actions/stale from 7 to 8 (#11402)

Bumps actions/stale from 7 to 8.

• Release notes
• Changelog
• Commits

updated-dependencies:

• dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ...

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps actions/stale from 7 to 8.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Yeah that seems reasonable to me

Update changelog

Release 2.5.5

Reverting release version changes

Fixed querying of default config values, and fix source display for them, and fix bools to show as bools, fixes #11302

Fixed display of empty objects showing [] instead of {} in config command, fixes #11302

Update changelog

Release 2.5.5

Reverting release version changes

Merge branch '2.5'

Add 2.5.5 build

That is not the full error, please show us everything if you want help.

Do you have anything in "composer.local.json"? Because that gets included, and so once vendor dir is present (warm cache) the plugin will include that file. On initial install it wouldn't include it yet until the plugin is installed so perhaps that accounts for the difference?

OK so I tried again with the plugin enabled and it fails for me with:

  merge-plugin: No files matched required './ACP3/Core/composer.json'

So my question would be what do you have in all these files:

  "require": [
    "./ACP3/Core/composer.json",
    "./ACP3/Modules/*/*/composer.json",
    "./designs/*/composer.json",
    "./installation/composer.json",
    "./tests/composer.json"
  ],


                            

Use trailing slash for directories as best practice (#11387)

Hiya! 👋

I'm one of the people working on https://www.drupal.org/project/automatic_updates — which is working to bring Automatic Updates powered by composer to Drupal core 😊

As I'm sure you can imagine, as part of that, we're doing lots of checks — often for security, but also often for UX. Plus, we cannot assume much about the codebase it's getting applied.

So let's create a new composer.json by following the official instructions:

$ cd /tmp
$ composer create-project drupal/recommended-project my_site_name_dir

/tmp/my_site_name_dir/composer.json is very long. For the sake of brevity, let's extract the essential pieces:

{
    "name": "drupal/recommended-project",
    "type": "project",
    "repositories": [
        {
            "type": "composer",
            "url": "https://packages.drupal.org/8"
        }
    ],
    "require": {
        "composer/installers": "^2.0",
        "drupal/core-composer-scaffold": "^10.0",
        "drupal/core-recommended": "^10.0"
    },
    "conflict": {
        "drupal/drupal": "*"
    },
    "prefer-stable": true,
    "config": {
        "allow-plugins": {
            "composer/installers": true,
            "drupal/core-composer-scaffold": true
        },
        "sort-packages": true
    },
    "extra": {
        "drupal-scaffold": {
            "locations": {
                "web-root": "web/"
            }
        },
        "installer-paths": {
            "web/core": [
                "type:drupal-core"
            ]
        }
    }
}

(Put that in composer.json and run composer install and it works fine.)

Output of composer diagnose:

$ composer diagnose
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking platform settings: OK
Checking git settings: OK git version 2.32.1
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.5.2
PHP version: 8.1.13
PHP binary path: /opt/homebrew/Cellar/php@8.1/8.1.13/bin/php
OpenSSL version: OpenSSL 1.1.1s  1 Nov 2022
cURL version: 7.87.0 libz 1.2.11 ssl (SecureTransport) OpenSSL/1.1.1s
zip: extension present, unzip present, 7-Zip not available

General problem

When I run this command:

$ composer config --list --source -vvv

I get the following output:

Running 2.5.2 (2023-02-04 14:33:22) with PHP 8.1.13 on Darwin / 21.6.0
Reading ./composer.json (/private/tmp/my_site_name_dir/composer.json)
Loading config file /Users/wim.leers/.composer/config.json
Loading config file /Users/wim.leers/.composer/auth.json
Loading config file ./composer.json (/private/tmp/my_site_name_dir/composer.json)
Checked CA file /opt/homebrew/etc/ca-certificates/cert.pem: valid
Executing command (/private/tmp/my_site_name_dir): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/private/tmp/my_site_name_dir): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (/private/tmp/my_site_name_dir): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (/private/tmp/my_site_name_dir): hg branch
Executing command (/private/tmp/my_site_name_dir): fossil branch list
Executing command (/private/tmp/my_site_name_dir): fossil tag list
Executing command (/private/tmp/my_site_name_dir): svn info --xml
Reading /Users/wim.leers/.composer/composer.json
Loading config file /Users/wim.leers/.composer/config.json
Loading config file /Users/wim.leers/.composer/auth.json
Loading config file /Users/wim.leers/.composer/composer.json (/Users/wim.leers/.composer/composer.json)
Loading config file /Users/wim.leers/.composer/auth.json
Reading /Users/wim.leers/.composer/auth.json
Reading /private/tmp/my_site_name_dir/vendor/composer/installed.json
Loading plugin Composer\Installers\Plugin (from composer/installers)
Loading plugin Drupal\Composer\Plugin\Scaffold\Plugin (from drupal/core-composer-scaffold)
Loading config file /Users/wim.leers/.composer/config.json
Loading config file /Users/wim.leers/.composer/auth.json
Reading ./composer.json (/private/tmp/my_site_name_dir/composer.json)
[repositories.0.type] composer (./composer.json)
[repositories.0.url] https://packages.drupal.org/8 (./composer.json)
[repositories.packagist.org.type] composer (default)
[repositories.packagist.org.url] https://repo.packagist.org (default)
[process-timeout] 300 (default)
[use-include-path] false (default)
[allow-plugins.composer/installers] true (./composer.json)
[allow-plugins.drupal/core-composer-scaffold] true (./composer.json)
[use-parent-dir] prompt (default)
[preferred-install] dist (default)
[notify-on-install] true (default)
[github-protocols] [https, ssh] (default)
[gitlab-protocol]  (default)
[vendor-dir] vendor (/private/tmp/my_site_name_dir/vendor) (default)
[bin-dir] {$vendor-dir}/bin (/private/tmp/my_site_name_dir/vendor/bin) (default)
[cache-dir] /Users/wim.leers/Library/Caches/composer (default)
[data-dir] /Users/wim.leers/.composer (default)
[cache-files-dir] {$cache-dir}/files (/Users/wim.leers/Library/Caches/composer/files) (default)
[cache-repo-dir] {$cache-dir}/repo (/Users/wim.leers/Library/Caches/composer/repo) (default)
[cache-vcs-dir] {$cache-dir}/vcs (/Users/wim.leers/Library/Caches/composer/vcs) (default)
[cache-ttl] 15552000 (default)
[cache-files-ttl] 15552000 (default)
[cache-files-maxsize] 300MiB (314572800) (default)
[cache-read-only] false (default)
[bin-compat] auto (default)
[discard-changes] false (default)
[autoloader-suffix]  (default)
[sort-packages] true (./composer.json)
[optimize-autoloader] false (default)
[classmap-authoritative] false (default)
[apcu-autoloader] false (default)
[prepend-autoloader] true (default)
[github-domains] [github.com] (default)
[bitbucket-expose-hostname] true (default)
[disable-tls] false (default)
[secure-http] true (default)
[cafile]  (default)
[capath]  (default)
[github-expose-hostname] true (default)
[gitlab-domains] [gitlab.com] (default)
[store-auths] prompt (default)
[archive-format] tar (default)
[archive-dir] . (default)
[htaccess-protect] true (default)
[use-github-api] true (default)
[lock] true (default)
[platform-check] php-only (default)
[home] /Users/wim.leers/.composer (default)

And I expected this to happen:

1. Note that many key-value pairs have default as the source.
2. Note that most of those keys are not present in my composer.json
3. … but minimum-stability is not one of them!

Even though for sure composer considers stable the default value for minimum-stability!

AFAICT that default is computed via \Composer\Package\RootPackage, which contains:

    /** @var string */
    protected $minimumStability = 'stable';

If Drupal would choose to depend on composer/composer, we'd be able to do (new PartialComposer(…))->getPackage()->getMinimumStability() to access that default. But that seems excessive.

AFAICT it's a small bug in composer config that has never bothered anybody (I thoroughly searched the issue history and could not find any match), probably because very few people are building a UX on top of composer.

For consistency, I would expect in the above output:

[minimum-stability] stable (default)

Related problem

And similarly I would expect not:

$ composer config minimum-stability

In ConfigCommand.php line 317:
                                    
  minimum-stability is not defined  
                                    

config [-g|--global] [-e|--editor] [-a|--auth] [--unset] [-l|--list] [-f|--file FILE] [--absolute] [-j|--json] [-m|--merge] [--append] [--source] [--] [<setting-key> [<setting-value>...]]

But:

$ composer config minimum-stability
stable

because just like minimum-stability is absent from my composer.json, so are many other keys, for example secure-http, and that does work just fine:

$ composer config secure-http
1

OK fixed defaults and objects showing up as [] see the two commits referenced above.

Fixed querying of default config values, and fix source display for them, and fix bools to show as bools, fixes #11302

Fixed display of empty objects showing [] instead of {} in config command, fixes #11302

I ran composer update a few times while working on a project. At some point I got this message:

GitHub API limit (0 calls/hr) is exhausted, could not fetch https://api.github.com/repos/avgeeklucky/grafika/contents/composer.json?ref=xxxx. Create a GitHub OAuth token to go over the API rate limit. You can also wait until ? for the rate limit to reset.

Note the "0 calls/hr" and the "?". The number of calls/hr shouldn't be zero, and the "?" should be replaced with a date and time.

I actually reported this to the github cli tool assuming the messge was coming from it, but they said it's composer.

Should be fixed by https://github.com/composer/composer/commit/d3adecf58370cd5961db968c2b49f5f102b0d8de

self::getInstalled() can return -empty array- array with empty array. We should validate key existence to prevent exception like:

Exception: Notice: Undefined index: versions in /.../vendor/composer/composer/src/Composer/InstalledVersions.php on line 54 in /.../vendor/magento/framework/App/ErrorHandler.php:61

Fix basic auth infinite loop (#11320)

Follow-up for #5205: fix high concurrency race condition

Composer would fail with an

PHP temp directory (/tmp) does not exist or is not writable to Composer. Set sys_temp_dir in your php.ini

error when used in parallel. Because it is checking if a file with md5(microtime()) can be created, which is not sufficiently unique when used in parallel.

Since each Composer instance runs in its own process, this can easily be mitigated by not just partitioning based on time of use, but also based on process ID.

Original investigation: https://www.drupal.org/project/automatic_updates/issues/3338789#comment-14961390

Composer support string (#11386)

• GitHubDriver: fix support is set to string

• GitLabDriver: fix support is set to string

• BitbucketDriver: fix support is set to string

• Fix PHPStan

Fix github header handling to be case insensitive, fixes rate limit extraction (#11366)

Fix return type of InstalledVersions::getInstalled, fixes #11304

Update deps, fix phpstan issues, update baseline (1711, 49)

Merge branch '2.5'

Fix svndriver type error

Fix github header handling to be case insensitive, fixes rate limit extraction (#11366)

Fix return type of InstalledVersions::getInstalled, fixes #11304

Update deps, fix phpstan issues, update baseline (1711, 49)

Oh ok ok now I see it thanks :D I'll fix this

I mean you could make sure that your code fails hard if the expected file structure isn't there, so if it were to change you at least catch it and fix it and avoid unexpected outcomes, but yes really I'd say it's fine to rely on them as if they were public API.

Yeah I would say realistically this is all extremely unlikely to change because:

• no reason to really, I have enough on my plate to avoid unnecessary shuffling of APIs
• I'm sure so many depend on them that I wouldn't dare touch anything there

I don't know if this is good enough for you :)

I'm not sure about adding this, because well right now it's serving basic info and that's it, and if we start adding one thing it's then the question why not more until we have everything in there.

My question is.. why are you not using \Composer\InstalledVersions::getAllRawData() (which includes type) or load directly from vendor/composer/installed.json (complete data) or vendor/composer/installed.php (less data but includes root package)?

If you need programmatic access to all installed data this is a better way than calling composer show IMO, and InstalledVersions is even made to run at runtime within the application.

Yeah I guess we could do that, sounds reasonable although a little work for not much value IMO as the lock file should not really be opened/edited.