composer / package-versions-deprecated

:package: Composer addon to efficiently get installed packages' version numbers
MIT License

deprecated PackageVersions\Versions class contains dev packages when using `composer install --no-dev` #17

Closed pilif closed 3 years ago

pilif commented 3 years ago

When running

`composer install --no-dev` (composer v2.0.4)

the generated PackageVersions\Versions class will still contain information about dev-dependencies.

In our case, this badly breaks sentry/sentry, which then proceeds to query for additional information for such packages and then ends up with an OutOfBounds exception being thrown by composer's own composer/InstalledVersions.php.

I'll do some investigations as to the cause.

Seldaek commented 3 years ago

Can you check if it works with the latest snapshot (composer self-update --snapshot)? I am wondering if perhaps this is the same issue as https://github.com/composer/composer/issues/9457 - at least I can't reproduce what you describe.

Seldaek commented 3 years ago

Ah sorry I misread here.. It does seem indeed to contain all packages including dev deps..

But it seems like this was always the case with ocramius/package-versions, i.e. https://github.com/Ocramius/PackageVersions/blob/1.11.x/src/PackageVersions/Installer.php#L217

I guess the issue is now it reads from the Composer's native implementation if it's available and that one correctly only has the installed stuff, so it should filter which versions are listed accordingly.

In any case.. people should really migrate to Composer\InstalledVersions. If you can communicate that to sentry/sentry that'd be good, if the API is available they should use that, if not they can use this plugin still for Composer 1 users.

Seldaek commented 3 years ago

OK you can try updating to https://github.com/composer/package-versions-deprecated/releases/tag/1.11.99.1

pilif commented 3 years ago

> In any case.. people should really migrate to Composer\InstalledVersions. If you can communicate that to sentry/sentry that'd be good, if the API is available they should use that, if not they can use this plugin still for Composer 1 users.

That's precisely what I've done. I've replaced the sentry ModuleIntegration with a better one that makes use of composer 2.

The sentry implementation is shitty anyways, because it relies on that VERSIONS static array that's got two warnings next to it to not make use of it (through it being marked @internal and through a comment saying so).

Seldaek commented 3 years ago

🤦‍♂️ OK, still curious if you can confirm the fix works for you though.
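
The migration recommended in this thread, as an added example (not code from the thread, from sentry/sentry or from this plugin): a version lookup that prefers `Composer\InstalledVersions`, falls back to the plugin's public `Versions::getVersion()` for Composer 1, and skips dev packages missing after `composer install --no-dev` instead of throwing. The helper name `collectPackageVersions` and the sample package list are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Added example: resolve versions for a list of package names.
 * collectPackageVersions() is a hypothetical helper name.
 *
 * @param string[] $names
 * @return array<string, string> package name => version string
 */
function collectPackageVersions(array $names): array
{
    $useComposer2 = class_exists(\Composer\InstalledVersions::class);
    $usePlugin = class_exists(\PackageVersions\Versions::class);
    if (!$useComposer2 && !$usePlugin) {
        return []; // no version source available (e.g. run outside a Composer project)
    }

    $versions = [];
    foreach ($names as $name) {
        try {
            if ($useComposer2) {
                // Dev packages are absent after `composer install --no-dev`;
                // check first so getPrettyVersion() is never asked about them.
                if (!\Composer\InstalledVersions::isInstalled($name)) {
                    continue;
                }
                // May be null for packages that are only replaced/provided.
                $version = \Composer\InstalledVersions::getPrettyVersion($name);
            } else {
                // Composer 1: use the public accessor, not the @internal
                // VERSIONS array. Returns "version@reference".
                $version = \PackageVersions\Versions::getVersion($name);
            }
        } catch (\OutOfBoundsException $e) {
            // Unknown to the source being queried: leave it out of the report.
            continue;
        }
        if ($version !== null) {
            $versions[$name] = $version;
        }
    }

    return $versions;
}

// Constructed sample input: one runtime dependency, one dev-only dependency.
print_r(collectPackageVersions(['sentry/sentry', 'phpunit/phpunit']));
```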