hiqdev / asset-packagist

Asset Packagist
https://asset-packagist.org
BSD 3-Clause "New" or "Revised" License

Composer installs outdated version of NPM package #137

Closed dmitry-kulikov closed 1 year ago

dmitry-kulikov commented 3 years ago

Composer installs an outdated version of the NPM package jsoneditor. This issue may not be easy to reproduce; I guess you will need a backup of Asset Packagist's database from before 2021-05-02 13:00 UTC, see below why.

composer.json:

{
    "name": "test/asset-packagist",
    "description": "Test asset-packagist.org",
    "require": {
        "npm-asset/jsoneditor": ">=5.0 <10.0"
    },
    "minimum-stability": "dev",
    "prefer-stable": true,
    "repositories": [
        {
            "type": "composer",
            "url": "https://asset-packagist.org"
        }
    ],
    "config": {
        "fxp-asset": {
            "enabled": false
        },
        "process-timeout": 1800
    }
}

Expected version of jsoneditor is 9.4.1 (https://www.npmjs.com/package/jsoneditor). Installed version of jsoneditor is 9.1.1.

Resulting composer.lock:

{
    "_readme": [
        "This file locks the dependencies of your project to a known state",
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
    "content-hash": "0ca1ed1b1c3e5b0a328134cebb67f65b",
    "packages": [
        {
            "name": "npm-asset/ace-builds",
            "version": "1.4.12",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/ace-builds/-/ace-builds-1.4.12.tgz"
            },
            "type": "npm-asset",
            "license": [
                "BSD-3-Clause"
            ]
        },
        {
            "name": "npm-asset/ajv",
            "version": "6.12.5",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/ajv/-/ajv-6.12.5.tgz"
            },
            "require": {
                "npm-asset/fast-deep-equal": ">=3.1.1,<4.0.0",
                "npm-asset/fast-json-stable-stringify": ">=2.0.0,<3.0.0",
                "npm-asset/json-schema-traverse": ">=0.4.1,<0.5.0",
                "npm-asset/uri-js": ">=4.2.2,<5.0.0"
            },
            "type": "npm-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "npm-asset/fast-deep-equal",
            "version": "3.1.3",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz"
            },
            "type": "npm-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "npm-asset/fast-json-stable-stringify",
            "version": "2.1.0",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz"
            },
            "type": "npm-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "npm-asset/javascript-natural-sort",
            "version": "0.7.1",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/javascript-natural-sort/-/javascript-natural-sort-0.7.1.tgz"
            },
            "type": "npm-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "npm-asset/jmespath",
            "version": "0.15.0",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/jmespath/-/jmespath-0.15.0.tgz"
            },
            "type": "npm-asset"
        },
        {
            "name": "npm-asset/json-schema-traverse",
            "version": "0.4.1",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz"
            },
            "type": "npm-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "npm-asset/json-source-map",
            "version": "0.6.1",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/json-source-map/-/json-source-map-0.6.1.tgz"
            },
            "type": "npm-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "npm-asset/jsoneditor",
            "version": "9.1.1",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/jsoneditor/-/jsoneditor-9.1.1.tgz"
            },
            "require": {
                "npm-asset/ace-builds": ">=1.4.12,<2.0.0",
                "npm-asset/ajv": ">=6.12.5,<7.0.0",
                "npm-asset/javascript-natural-sort": ">=0.7.1,<0.8.0",
                "npm-asset/jmespath": ">=0.15.0,<0.16.0",
                "npm-asset/json-source-map": ">=0.6.1,<0.7.0",
                "npm-asset/mobius1-selectr": ">=2.4.13,<3.0.0",
                "npm-asset/picomodal": ">=3.0.0,<4.0.0",
                "npm-asset/vanilla-picker": ">=2.10.1,<3.0.0"
            },
            "type": "npm-asset",
            "license": [
                "Apache-2.0"
            ]
        },
        {
            "name": "npm-asset/mobius1-selectr",
            "version": "2.4.13",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/mobius1-selectr/-/mobius1-selectr-2.4.13.tgz"
            },
            "type": "npm-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "npm-asset/picomodal",
            "version": "3.0.0",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/picomodal/-/picomodal-3.0.0.tgz"
            },
            "type": "npm-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "npm-asset/punycode",
            "version": "2.1.1",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/punycode/-/punycode-2.1.1.tgz"
            },
            "type": "npm-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "npm-asset/sphinxxxx--color-conversion",
            "version": "2.2.2",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/@sphinxxxx/color-conversion/-/color-conversion-2.2.2.tgz"
            },
            "type": "npm-asset",
            "license": [
                "ISC"
            ]
        },
        {
            "name": "npm-asset/uri-js",
            "version": "4.4.1",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz"
            },
            "require": {
                "npm-asset/punycode": ">=2.1.0,<3.0.0"
            },
            "type": "npm-asset",
            "license": [
                "BSD-2-Clause"
            ]
        },
        {
            "name": "npm-asset/vanilla-picker",
            "version": "2.10.1",
            "dist": {
                "type": "tar",
                "url": "https://registry.npmjs.org/vanilla-picker/-/vanilla-picker-2.10.1.tgz"
            },
            "require": {
                "npm-asset/sphinxxxx--color-conversion": ">=2.2.2,<3.0.0"
            },
            "type": "npm-asset",
            "license": [
                "ISC"
            ]
        }
    ],
    "packages-dev": [],
    "aliases": [],
    "minimum-stability": "dev",
    "stability-flags": [],
    "prefer-stable": true,
    "prefer-lowest": false,
    "platform": [],
    "platform-dev": [],
    "plugin-api-version": "1.1.0"
}

I checked whether Asset Packagist knows about version 9.4.1:

[screenshot: asset-packagist org-jsoneditor]

and then executed composer update but still 9.1.1 was installed.

I thought that probably something happened since version 9.1.2 of jsoneditor: https://github.com/josdejong/jsoneditor/blob/develop/HISTORY.md#2020-11-07-version-912

I checked status of these packages in Asset Packagist:

and then executed composer update:

$ composer update
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 2 updates, 0 removals
  - Installing npm-asset/simple-json-repair (1.1.1): Downloading (100%)         
  - Updating npm-asset/ajv (6.12.5 => 6.12.6): Loading from cache
  - Updating npm-asset/jsoneditor (9.1.1 => 9.1.2): Downloading (100%)         
Writing lock file
Generating autoload files

It seems that Asset Packagist was missing one of these packages, simple-json-repair 1.1.1 or ajv 6.12.6, and Composer was unable to resolve dependencies. Still, we need jsoneditor 9.4.1, not 9.1.2.

Let's check changelog for jsoneditor 9.1.3: https://github.com/josdejong/jsoneditor/blob/develop/HISTORY.md#2020-11-19-version-913

As before I visited

and then executed composer update:

$ composer update
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 2 updates, 1 removal
  - Removing npm-asset/simple-json-repair (1.1.1)
  - Updating npm-asset/vanilla-picker (2.10.1 => 2.11.2): Loading from cache
  - Installing npm-asset/jsonrepair (2.2.0): Downloading (100%)         
  - Updating npm-asset/jsoneditor (9.1.2 => 9.4.1): Downloading (100%)         
Writing lock file
Generating autoload files

Apparently Asset Packagist was missing vanilla-picker 2.11.*. Although installation of jsoneditor now works well, I believe this situation is wrong because it may lead to installation of outdated versions, and a manual check may be complicated. Actually, jsoneditor is a dependency in a PHP package, which is then included in a project.

You may notice "Loading from cache" above, e.g.:

  - Updating npm-asset/vanilla-picker (2.10.1 => 2.11.2): Loading from cache

it is because I used fxpio/composer-asset-plugin before and now I'm trying to migrate to Asset Packagist. Please note that composer.json contains

"fxp-asset": {
    "enabled": false
},

so I don't think it interferes. No other Composer plugins installed. Composer version 1.10.22 2021-04-27 13:10:45. PHP 7.2.33.
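
A check for the situation described in this issue, where `composer update` succeeds but locks an older version than the constraints allow: compare each locked version with the newest upstream version that satisfies its constraints. This is an added example, not code from the issue or from Asset Packagist; the function names are hypothetical, and the inline lock excerpt and upstream version lists are constructed from versions named in the issue.

```python
import re

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def vtuple(version):
    """'9.4.1' -> (9, 4, 1). Assumes plain numeric versions (no pre-release tags)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, constraint):
    """AND-only ranges in the two spellings seen in the issue: '>=5.0 <10.0', '>=6.12.5,<7.0.0'."""
    terms = re.findall(r"(>=|<=|>|<|=)\s*([\d.]+)", constraint)
    return all(OPS[op](vtuple(version), vtuple(bound)) for op, bound in terms)

def stale_packages(root_require, lock, upstream):
    """Map name -> (locked, newest allowed upstream) for every locked package that lags."""
    # Constraints come from composer.json plus the "require" blocks inside the lock.
    constraints = {name: [c] for name, c in root_require.items()}
    for pkg in lock["packages"]:
        for dep, c in pkg.get("require", {}).items():
            constraints.setdefault(dep, []).append(c)
    report = {}
    for pkg in lock["packages"]:
        name, locked = pkg["name"], pkg["version"]
        allowed = [v for v in upstream.get(name, [])
                   if all(satisfies(v, c) for c in constraints.get(name, []))]
        if allowed and vtuple(max(allowed, key=vtuple)) > vtuple(locked):
            report[name] = (locked, max(allowed, key=vtuple))
    return report

# Constructed excerpt of the composer.json / composer.lock shown in the issue.
ROOT_REQUIRE = {"npm-asset/jsoneditor": ">=5.0 <10.0"}
LOCK = {"packages": [
    {"name": "npm-asset/jsoneditor", "version": "9.1.1", "require": {
        "npm-asset/ajv": ">=6.12.5,<7.0.0",
        "npm-asset/vanilla-picker": ">=2.10.1,<3.0.0"}},
    {"name": "npm-asset/ajv", "version": "6.12.5"},
    {"name": "npm-asset/picomodal", "version": "3.0.0"},
    {"name": "npm-asset/vanilla-picker", "version": "2.10.1"},
]}
# Constructed upstream lists (versions named in the issue); really from the npm registry.
UPSTREAM = {"npm-asset/jsoneditor": ["9.1.1", "9.1.2", "9.4.1"],
            "npm-asset/ajv": ["6.12.5", "6.12.6"], "npm-asset/picomodal": ["3.0.0"],
            "npm-asset/vanilla-picker": ["2.10.1", "2.11.2"]}

if __name__ == "__main__":
    for name, (locked, newest) in stale_packages(ROOT_REQUIRE, LOCK, UPSTREAM).items():
        print(f"{name}: locked {locked}, upstream allows {newest}")
```

Constraints for transitive packages are taken from the locked parents, so a newer parent may allow a different range; treat the report as a prompt to re-check the repository metadata, not as a resolver.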