composer operations fail due to lcobucci/jwt 4.1.* release

[fritzmg]

As mentioned in Slack, any composer update or Contao installation using the Cloud Resolver currently fails on environments where ext-sodium is not available. lcobucci/jwt (required by Contao in version ^3.0 || ^4.0; also required in the same way by scheb/2fa-trusted-device) in version 4.1.0, which was released a few days ago, now requires ext-sodium. The Cloud Resolver has this PHP extension available and thus the resolved set of dependencies includes lcobucci/jwt: 4.1.0. However, the subsequent composer install operation will then fail if that extension is missing:

…
[550.2MiB/102.47s] Finished Composer Cloud resolving.

# Job ID LuzTd3Bojd5QlqqLfn3MupMXPYUN3rGLZ5JttLkLG7cWMWVS3iEfuIkLlcOs7l5lbWMHEh6KjTreRDEZZsWMC completed in 103 seconds
# Memory usage: 550.22MB (peak: 2461.58MB), time: 102.48s.

$ /usr/bin/php7.4 -q -dmax_execution_time=0 -dmemory_limit=-1 -dallow_url_fopen=1 -ddisable_functions= -ddate.timezone=Europe/Berlin …/web/contao-manager.phar.php composer install --prefer-dist --no-dev --no-progress --no-suggest --no-ansi --no-interaction --optimize-autoloader

Loading composer repositories with package information
Installing dependencies from lock file
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for lcobucci/jwt 4.1.0 -> satisfiable by lcobucci/jwt[4.1.0].
    - lcobucci/jwt 4.1.0 requires ext-sodium * -> the requested PHP extension sodium is missing from your system.
  Problem 2
    - lcobucci/jwt 4.1.0 requires ext-sodium * -> the requested PHP extension sodium is missing from your system.
    - scheb/2fa-trusted-device v5.4.1 requires lcobucci/jwt ^3.4|^4.0 -> satisfiable by lcobucci/jwt[4.1.0].
    - Installation request for scheb/2fa-trusted-device v5.4.1 -> satisfiable by scheb/2fa-trusted-device[v5.4.1].

  To enable extensions, verify that they are enabled in your .ini files:

I suppose the Cloud Resolver should only enable the absolute minimum of PHP extensions, so that any additional PHP extension that is available on the client side can be defined via the platform configuration.

[Toflar]

Unfortunately, there's no way to fix this for me in the Composer Resolver Cloud for the moment. I need a way to be able to completely replace the PlatformRepository. See https://github.com/composer/composer/pull/9662.

[fritzmg]

As a quick fix, couldn't you just disable ext-sodium? Or is this PHP extension required to run the cloud?

[Toflar]

It's shipped with PHP. You would need to unbundle it which makes no sense whatsoever.

[fritzmg]

I see. Whether it's compiled with PHP or not is probably OS related then. In the affected installations PHP was probably compiled without --with-sodium.

[fritzmg]

This problem also affects regular deployments without the cloud. If your composer.lock was generated in an environment where ext-sodium was available, it will of course fail if that is deployed on a production environment, where ext-sodium happens to be not available.

[Toflar]

Of course. I will be able to fix it now that my PR has been merged into Composer. It will require the whole infrastructure to switch to Composer 2.0 and more work though. Might take another week or so to fix this issue.

[aschempp]

This will be fixed in the next version of Contao Manager and the pending update to Composer Resolver Cloud 3 (https://composer-resolver-cloud.statuspage.io/incidents/kn4y3slwtl63)