fxpio / foxy

A fast, reliable, and secure NPM/Yarn/pnpm bridge for Composer
https://foxypkg.com
MIT License

Removing composer.lock #34

Closed rdss-sknott closed 4 years ago

rdss-sknott commented 4 years ago

The composer.lock is not up to date with what would be installed following the settings of composer.json.

As the composer.lock will be ignored when foxy is installed as a library, this does not affect the end user. Only the restrictions of the composer.json matter. But if you 'composer install' in a development context of foxy, the composer.lock forces installation of out-of-date libraries. This results in a development environment which does not reflect the end-user environment. In this case the diff is as follows:

| Dev Changes | From | To |
| --- | --- | --- |
| composer/composer | d173af2 | 9d5051f |
| composer/semver | 2.0.0 | 3.0.0 |
| composer/xdebug-handler | 1.4.1 | 1.4.2 |
| justinrainbow/json-schema | 5.2.9 | 5.2.10 |
| react/promise | v2.7.1 | v2.8.0 |
| seld/jsonlint | 1.7.2 | 1.8.0 |
| symfony/console | v5.0.7 | v5.1.1 |
| symfony/filesystem | v5.0.7 | v5.1.1 |
| symfony/finder | v5.0.7 | v5.1.1 |
| symfony/polyfill-ctype | v1.15.0 | v1.17.0 |
| symfony/polyfill-mbstring | v1.15.0 | v1.17.0 |
| symfony/polyfill-php73 | v1.15.0 | v1.17.0 |
| symfony/process | v5.0.7 | v5.1.1 |
| symfony/service-contracts | v2.0.1 | v2.1.2 |
| symfony/polyfill-intl-grapheme | NEW | v1.17.0 |
| symfony/polyfill-intl-normalizer | NEW | v1.17.0 |
| symfony/polyfill-php80 | NEW | v1.17.0 |
| symfony/string | NEW | v5.1.1 |

Therefore I hereby request to remove composer.lock.
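
Added example, not part of the original comment or of the foxy project: one way to produce a From/To table like the one above by comparing the pins in two composer.lock files, so lock drift can be reviewed before it is committed. The function names, the `dev-master` branch name, the padded commit references and the `example/unchanged` package are assumptions made for illustration.

```python
import json
import sys

def pinned(lock):
    """Map package name -> pinned version from a parsed composer.lock."""
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            version = pkg["version"]
            # Branch versions (dev-master, 2.x-dev) are pinned by commit, so
            # report the short source/dist reference instead of the branch name.
            if version.startswith("dev-") or version.endswith("-dev"):
                ref = (pkg.get("source") or pkg.get("dist") or {}).get("reference")
                version = ref[:7] if ref else version
            out[pkg["name"]] = version
    return out

def lock_diff(old, new):
    """Return sorted (name, from, to) rows for every pin that differs."""
    before, after = pinned(old), pinned(new)
    rows = []
    for name in sorted(set(before) | set(after)):
        frm, to = before.get(name, "NEW"), after.get(name, "REMOVED")
        if frm != to:
            rows.append((name, frm, to))
    return rows

# Constructed sample data: versions and 7-character commit prefixes come from
# the table above; dev-master, the zero padding and example/unchanged are assumed.
OLD = {"packages": [], "packages-dev": [
    {"name": "composer/composer", "version": "dev-master",
     "source": {"type": "git", "reference": "d173af2" + "0" * 33}},
    {"name": "composer/semver", "version": "2.0.0"},
    {"name": "example/unchanged", "version": "1.0.0"},
]}
NEW = {"packages": [], "packages-dev": [
    {"name": "composer/composer", "version": "dev-master",
     "source": {"type": "git", "reference": "9d5051f" + "0" * 33}},
    {"name": "composer/semver", "version": "3.0.0"},
    {"name": "example/unchanged", "version": "1.0.0"},
    {"name": "symfony/string", "version": "v5.1.1"},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py old/composer.lock new/composer.lock
        OLD, NEW = (json.load(open(p, encoding="utf-8")) for p in sys.argv[1:3])
    for row in lock_diff(OLD, NEW):
        print("{:<32} {:<10} {}".format(*row))
```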

coveralls commented 4 years ago

Coverage remained the same at 100.0% when pulling 087742585b3151cf391f8400c5c1a8e4db199489 on ZooRoyal:remove-composer-lock into 9810febad6e6a34d645e91d9720804e42c80ad35 on fxpio:master.

rdss-sknott commented 4 years ago

I'm kind of puzzled by the result of Scrutinizer. I am no expert for this system. It seems to me that Scrutinizer switched to a new build system in 2017 and did not update composer in its old system. This results in Scrutinizer not being able to install composer-plugin-api higher than 1.0.0.

@francoispluchino I'm kind of stuck here. Shall I update the .scrutinizer.yml to switch over to the new build system? Shall I deactivate the check connected with the old composer installation? Should I just let go of the composer.lock issue?

francoispluchino commented 4 years ago

The composer.lock file is precisely present to guarantee the reproducibility of the tests regardless of when they are run. This greatly facilitates debugging when you update dependencies.

In 2012, the Composer team made a modification of the documentation to indicate that the composer.lock file was not mandatory for libraries (see the issue composer/composer#504 and the commit composer/composer@d0cfe35265310c4013d15fe71c8fe8366e2b221a). However, the documentation continues to recommend its use to facilitate testing over time (see the documentation for the version 2.0 Alpha 1).

In addition, as you indicate, as well as the Composer documentation, this file is only used for the development of this project, so, it does not in any way affect its use in other projects. It is there by choice, so there is no need to delete it.

Thanking you for your contribution :-)