jakzal / phpqa

Docker image that provides static analysis tools for PHP
https://hub.docker.com/r/jakzal/phpqa/
MIT License
1.23k stars 67 forks

Use latest versions of tools unless a version is specified (phpstan 2.x release) #433

Open jannes-io opened 3 weeks ago

jannes-io commented 3 weeks ago

First of all, thanks for creating this Docker image. I ran into an issue where locally running phpstan using phpqa was returning a different result from the GitHub workflow shivammathur/setup-php and adding phpstan.

Turns out this image still gives an old version of phpstan.

When running phpstan with a clean pull of this Docker image, I expect it to use the latest available version unless otherwise specified.

Steps to reproduce:

docker pull jakzal/phpqa:php8.3-alpine
docker run --rm jakzal/phpqa:php8.3-alpine phpstan --version

Current: it returns 1.12.7 (latest 1.x is 1.12.10)

Expected: it returns 2.0.1

jakzal commented 2 weeks ago

I think it's because it's installed with a number of phpstan plugins that are not 2.0 ready yet:

#124 209.5 Running composer update phpstan/phpstan phpstan/phpstan-deprecation-rules ergebnis/phpstan-rules phpstan/phpstan-strict-rules phpstan/phpstan-doctrine phpstan/phpstan-phpunit phpstan/phpstan-symfony phpstan/phpstan-beberlei-assert phpstan/phpstan-webmozart-assert pepakriz/phpstan-exception-rules phpat/phpat ekino/phpstan-banned-code
#124 209.5 [bamarni-bin] The setting "extra.bamarni-bin.bin-links" will be set to "false" from 2.x onwards. If you wish to keep it to "true", you need to set it explicitly.
#124 209.5 [bamarni-bin] The setting "extra.bamarni-bin.forward-command" will be set to "true" from 2.x onwards. If you wish to keep it to "false", you need to set it explicitly.
#124 209.5 Loading composer repositories with package information
#124 211.6 Updating dependencies
#124 211.6 Lock file operations: 13 installs, 0 updates, 0 removals
#124 211.6   - Locking ekino/phpstan-banned-code (v2.1.0)
#124 211.6   - Locking ergebnis/phpstan-rules (2.3.0)
#124 211.6   - Locking nikic/php-parser (v4.19.4)
#124 211.6   - Locking pepakriz/phpstan-exception-rules (v0.12.0)
#124 211.6   - Locking phpat/phpat (0.10.18)
#124 211.6   - Locking phpstan/phpstan (1.12.11)
#124 211.6   - Locking phpstan/phpstan-beberlei-assert (1.1.3)
#124 211.6   - Locking phpstan/phpstan-deprecation-rules (1.2.1)
#124 211.6   - Locking phpstan/phpstan-doctrine (1.5.6)
#124 211.6   - Locking phpstan/phpstan-phpunit (1.4.1)
#124 211.6   - Locking phpstan/phpstan-strict-rules (1.6.1)
#124 211.6   - Locking phpstan/phpstan-symfony (1.4.12)
#124 211.6   - Locking phpstan/phpstan-webmozart-assert (1.2.11)

As soon as they're all 2.0 compatible, phpstan will be automatically updated.

jannes-io commented 2 weeks ago

You have to define the plugins that you'd like to use in phpstan.neon:

includes:
    - vendor/phpstan/phpstan-symfony/extension.neon
    - vendor/phpstan/phpstan-symfony/rules.neon

So doesn't it make sense that it's up to the users themselves to bring in these dependencies through their own composer.json's require-dev?

I.e.:

    "require-dev": {
        "phpstan/phpstan-symfony": "^2.0"
    },

jakzal commented 2 weeks ago

@jannes-io yes, I think if your project requires phpstan and/or plugins, you should just install it in your own composer.json.
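
Added example, not part of the thread or of the phpqa project: a check for the mismatch reported in this issue, comparing the phpstan version a project's composer.lock pins with the version the image reports. The lock contents and the `--version` output string are constructed samples, and the function names are hypothetical.

```python
import json
import re

# Constructed samples (not from the page): a project's composer.lock fragment
# and the text a `phpstan --version` call inside the image might print.
SAMPLE_LOCK = json.dumps({
    "packages": [],
    "packages-dev": [
        {"name": "phpstan/phpstan", "version": "2.0.1"},
        {"name": "phpstan/phpstan-symfony", "version": "v2.0.0"},
    ],
})
SAMPLE_VERSION_OUTPUT = "PHPStan - PHP Static Analysis Tool 1.12.7"


def locked_version(lock_text, package):
    """Return the version composer.lock pins for `package`, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry["version"].lstrip("v")
    return None


def reported_version(version_output):
    """Extract the first x.y.z version number from `--version` output."""
    match = re.search(r"\d+\.\d+\.\d+", version_output)
    return match.group(0) if match else None


def check_drift(lock_text, version_output, package="phpstan/phpstan"):
    """Classify the gap between the locked version and the one the image runs."""
    locked = locked_version(lock_text, package)
    running = reported_version(version_output)
    if locked is None or running is None:
        status = "unknown"  # package not in the lock, or output not parseable
    elif locked == running:
        status = "match"
    elif locked.split(".")[0] != running.split(".")[0]:
        status = "major-drift"  # e.g. lock pins 2.x while the image runs 1.x
    else:
        status = "minor-drift"
    return status, locked, running


if __name__ == "__main__":
    print(check_drift(SAMPLE_LOCK, SAMPLE_VERSION_OUTPUT))
```

In a pipeline, the second argument would be the captured output of the `docker run --rm jakzal/phpqa:php8.3-alpine phpstan --version` command from the issue, with a non-`match` status failing the job.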