Easily identify direct composer dependencies

[peterjaap]

This could be done by making them bold, or by sorting the list on direct & indirect.

For example, here's how Private Packagist updates our issues with a changelog;

[davidrjonas]

Thanks! I like this idea very much. I’m not sure when I’ll have time to implement, however. PR welcome!

I hadn’t seen that feature of private packagist. That is very nice.

On Sep 6, 2022, at 3:12 PM, Peter Jaap Blaakmeer @.***> wrote:

 This could be done by making them bold, or by sorting the list on direct & indirect.

For example, here's how Private Packagist updates our issues with a changelog;

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.

[gisostallenberg]

I also really like the column Operation, by which you could easily identify downgrades. @peterjaap are you going to give a PR a try?

[peterjaap]

Hmm I did a little bit of investigating and the code looks in the composer.lock file and uses that to compare. However, the composer.lock file does not hold any information on whether the package mentioned is a direct or indirect dependency.

A way to extract that information is to run composer show --direct but we obviously can't run this command on the previous composer.lock state since that is retrieved from the Git repostiroy.

The way how composer does this internally is by fetching the require list from the composer.json; https://github.com/composer/composer/blob/a63ce7cf96441a32ba70ef63b924c84422e91a98/src/Composer/Command/ShowCommand.php#L682

So the approach here would be to also load the composer.json contents, get the require list from that file, match the packages in composer.lock against those and that way define which are direct and which are indirect.

[peterjaap]

Quick & dirty small diff that adds an asterix to direct dependencies;

diff --git a/composer-lock-diff b/composer-lock-diff
index b665439..1ad1e4d 100755
--- a/composer-lock-diff
+++ b/composer-lock-diff
@@ -6,13 +6,15 @@ $opts = parseOpts();
 $changes = array();
 $data_from = load($opts['from'], $opts['path'], $opts['vcs'], '');
 $data_to   = load($opts['to'],   $opts['path'], $opts['vcs'], 'composer.lock');
+$composerJson = json_decode(file_get_contents('composer.json'), true);
+$directComposerPackages = array_keys($composerJson['require']);

 if (! $opts['only-dev']) {
-    $changes['changes'] = diff('packages', $data_from, $data_to);
+    $changes['changes'] = diff('packages', $data_from, $data_to, $directComposerPackages);
 }

 if (! $opts['only-prod']) {
-    $changes['changes-dev'] = diff('packages-dev', $data_from, $data_to);
+    $changes['changes-dev'] = diff('packages-dev', $data_from, $data_to, $directComposerPackages);
 }

 if ($opts['json']) {
@@ -42,7 +44,7 @@ foreach($changes as $k => $diff) {
     print tableize($table_titles[$k], $diff, $table_opts);
 }

-function diff($key, $data_from, $data_to) {
+function diff($key, $data_from, $data_to, $directComposerPackages) {

     $pkgs = array();

@@ -62,9 +64,19 @@ function diff($key, $data_from, $data_to) {
             $pkgs[$pkg->name][1] = version($pkg);
             $pkgs[$pkg->name][2] = makeCompareUrl($pkg, $pkgs);
         }
+
     }

-    return $pkgs;
+    foreach ($pkgs as $name => $data) {
+        if (in_array($name, $directComposerPackages)) {
+            $result[$name . '*'] = $data;
+        } else {
+            $result[$name] = $data;
+        }
+    }
+
+
+    return $result;
 }

 function version($pkg)
@@ -487,4 +499,3 @@ EOF;
     exit(0);
 }

[davidrjonas]

Thanks for the diff! I'd like to implement this a little differently though. The information is read from exactly the same file path, vcs or not, with the extension changed from .lock to .json. For the output, I tried the asterisk but I didn't really like it. It was okay, but I thought displaying them separately would be better. What do you think of this markdown output? (The parens were used because HTML was breaking the line into two when there were spaces around Direct)

Production Changes	From	To	Compare
~(Direct)~~~~~	~~	~~~	~~~~~~~~~~~~~~~~~~~~~~
caseysoftware/marvel-helper	1.1.2	2.0.0	...
doctrine/dbal	2.2.0	v2.9.2	...
ircmaxell/random-lib	v1.1.0	v1.2.0	...
ircmaxell/security-lib	1.0.0	v1.1.0	...
monolog/monolog	1.10.0	895066e	...
payintegrator/afterpay	1.5.0	2.0.0	...
pmjones/fake	0.0.1	0.2.0	...
~(Indirect)~~~~~~~	~~	~~~	~~~~~~~~~~~~~~~~~~~~~~
doctrine/common	2.2.3	REMOVED
guzzle/guzzle	v3.7.4	REMOVED
guzzlehttp/guzzle	6.2.3	6.5.5	...
guzzlehttp/promises	v1.3.1	1.5.1	...
guzzlehttp/psr7	1.6.1	1.8.3	...
psr/log	1.1.0	1.1.4	...
symfony/event-dispatcher	v4.3.3	REMOVED
symfony/event-dispatcher-contracts	v1.1.5	REMOVED
doctrine/cache	NEW	1.12.1
doctrine/event-manager	NEW	1.1.1
symfony/polyfill-intl-idn	NEW	v1.25.0
symfony/polyfill-intl-normalizer	NEW	v1.25.0
symfony/polyfill-php72	NEW	v1.25.0

And this table output,

+------------------------------------+--------+---------+-------------------------------------------------------------------------------------------------+
| Production Changes                 | From   | To      | Compare                                                                                         |
+------------------------------------+--------+---------+-------------------------------------------------------------------------------------------------+
| ~(Direct)~~~~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~ | ~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| caseysoftware/marvel-helper        | 1.1.2  | 2.0.0   | https://gitlab.com/CaseySoftware/marvel-php/compare/1.1.2...2.0.0                               |
| doctrine/dbal                      | 2.2.0  | v2.9.2  | https://github.com/doctrine/dbal/compare/2.2.0...v2.9.2                                         |
| ircmaxell/random-lib               | v1.1.0 | v1.2.0  | https://github.com/ircmaxell/RandomLib/compare/v1.1.0...v1.2.0                                  |
| ircmaxell/security-lib             | 1.0.0  | v1.1.0  | https://github.com/ircmaxell/SecurityLib/compare/1.0.0...v1.1.0                                 |
| monolog/monolog                    | 1.10.0 | 895066e | https://github.com/Seldaek/monolog/compare/1.10.0...895066e                                     |
| payintegrator/afterpay             | 1.5.0  | 2.0.0   | https://bitbucket.org/afterpay-plugins/afterpay-composer-package/branches/compare/2.0.0%0D1.5.0 |
| pmjones/fake                       | 0.0.1  | 0.2.0   | https://gitlab.com/pmjones/fake/compare/0.0.1...0.2.0                                           |
| ~(Indirect)~~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~ | ~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| doctrine/common                    | 2.2.3  | REMOVED |                                                                                                 |
| guzzle/guzzle                      | v3.7.4 | REMOVED |                                                                                                 |
| guzzlehttp/guzzle                  | 6.2.3  | 6.5.5   | https://github.com/guzzle/guzzle/compare/6.2.3...6.5.5                                          |
| guzzlehttp/promises                | v1.3.1 | 1.5.1   | https://github.com/guzzle/promises/compare/v1.3.1...1.5.1                                       |
| guzzlehttp/psr7                    | 1.6.1  | 1.8.3   | https://github.com/guzzle/psr7/compare/1.6.1...1.8.3                                            |
| psr/log                            | 1.1.0  | 1.1.4   | https://github.com/php-fig/log/compare/1.1.0...1.1.4                                            |
| symfony/event-dispatcher           | v4.3.3 | REMOVED |                                                                                                 |
| symfony/event-dispatcher-contracts | v1.1.5 | REMOVED |                                                                                                 |
| doctrine/cache                     | NEW    | 1.12.1  |                                                                                                 |
| doctrine/event-manager             | NEW    | 1.1.1   |                                                                                                 |
| symfony/polyfill-intl-idn          | NEW    | v1.25.0 |                                                                                                 |
| symfony/polyfill-intl-normalizer   | NEW    | v1.25.0 |                                                                                                 |
| symfony/polyfill-php72             | NEW    | v1.25.0 |                                                                                                 |
+------------------------------------+--------+---------+-------------------------------------------------------------------------------------------------+

I'm not sure I like it, but I'm not coming up with any other good ideas for display right now.

[peterjaap]

@davidrjonas I like it! Maybe hide the direct/indirect header when there are none?

+----------------------------------+---------+-----------+----------------------------------------------------------------------+
| Production Changes               | From    | To        | Compare                                                              |
+----------------------------------+---------+-----------+----------------------------------------------------------------------+
| ~ Direct ~~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~~ | ~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| ~ Indirect ~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~~ | ~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| box/spout                        | v3.3.0  | v2.7.3    | https://github.com/box/spout/compare/v3.3.0...v2.7.3                 |
| magento/module-csp               | 100.4.4 | REMOVED   |                                                                      |
| smile/elasticsuite               | 2.10.11 | 2.10.12.1 | https://github.com/Smile-SA/elasticsuite/compare/2.10.11...2.10.12.1 |
| magento/module-inventory         | NEW     | 1.2.3     |                                                                      |
| magento/module-inventory-api     | NEW     | 1.2.3     |                                                                      |
| sivaschenko/magento2-clean-media | NEW     | 1.1.1     |                                                                      |
+----------------------------------+---------+-----------+----------------------------------------------------------------------+

[peterjaap]

@davidrjonas hmm I now noticed that table is incorrect, the smile/elasticsuite and sivaschenko/magento2-clean-media packages are actually direct dependencies.