Closed naderman closed 4 months ago
We can't really do this as we do not store the repositories
key from composer.json into packagist.org as this is useless metadata when a composer.json is not the root package..
Plus this seems like very very odd rare case anyway, and require-dev isn't the most useful data to begin with.
The origin for this issue is the confusion here: https://phpc.social/@ramsey/112425184457397309 cc @ramsey
The scssphp/scssphp package defines 3 packages custom in its composer.json with repositories that are then listed in require-dev. These are essentially test utilities that are not PHP packages but maintained in other ways/ecosystems. However someone registered packages by those names on packagist.org. Composer ignores those as it always loads the repository definition when loading require-dev definitions from the root composer.json, but the dependencies get linked on packagist.org. So when looking at the scssphp/scssphp package it appears as if there were dev requirements to these packagist.org packages by a random third party.
I suggest we don't link require-dev packages when specific inline package definitions overwrite the names. I wouldn't do this for any other types of repositories as the data behind those including package names, e.g. a vcs/git repo is dynamic, so you can't be sure they will always resolve this way.