Open marceldekoning opened 2 years ago
Hi @marceldekoning. Thank you for your report. To help us process this issue please make sure that you provided the following information:
Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:
@magento give me 2.4-develop instance
- upcoming 2.4.x release
For more details, please, review the Magento Contributor Assistant documentation.
Please, add a comment to assign the issue: @magento I am working on this
Join Magento Community Engineering Slack and ask your questions in #github channel.
:warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
:clock10: You can find the schedule on the Magento Community Calendar page.
:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.
:movie_camera: You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel
:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel
I also had problem when upgrading from M2.4.3 to M2.4.3-p1 after composer require magento/product-community-edition=2.4.3-p1
My work around was to: (1) rm composer.lock (2) view/edit composer.json to be sure "version":"2.4.3-p1" (3) composer config -g repo.packagist composer https://packagist.org (4) composer update
I had this same weird problem after upgrading from 2.4.2 to 2.4.3. What I did to resolve this was: (1) Remove dependency "magento/composer-root-update-plugin": "^1.1" from composer.json (2) Remove composer.lock file (3) Remove vendor folder (4) Run composer install
Allright, thank you guys. Only removing "magento/composer-root-update-plugin" wasn't enough for me. I also had a package called: "magento/composer-dependency-version-audit-plugin".
After removing magento/composer-root-update-plugin, the 2tvenom/cborencode package was removed from my composer.lock but all the packages were mixed up. Didn't make any sense at all.
After removing the magento/composer-dependency-version-audit-plugin package, everything looked fine again.
I really don't know exactly what these modules suppose to do, but if they are included in the project, these weird behavior should be fixed.
@pdohogne-magento: any idea what could be going on here?
Thank you for your help!
It worked for me by removing magento/composer-dependency-version-audit-plugin
and running composer update
with composer 2 (I don't know why but with composer 1 I still had 3 packages that had the wrong URL, I could have fixed them manually but Composer 2 did it on it's own).
I've been struggling with that for a whole day until I found this post, thanks a lot!
I've observed this weird behaviour some time ago, and none of the above workarounds have worked back then, except for the following one (similar to @Axel29):
composer.lock
file or remove it completelyrm -rf vendor/*
rm -rf var/vendor/*
composer clear-cache
composer install
(composer.lock
should be OK afterwards)I've observed this weird behaviour some time ago, and none of the above workarounds have worked back then, except for the following one (similar to @Axel29):
- rollback
composer.lock
file or remove it completelyrm -rf vendor/*
rm -rf var/vendor/*
- switch to composer V2
composer clear-cache
composer install
(composer.lock
should be OK afterwards)- switch back to composer V1 - the issue should not be reproducible anymore
The problem with removing completely the composer.lock file would be that some packages could be upgraded due to version constraints in the composer.json file (example: vendor/module:^1.7
could get the v1.7.9 instead of previously locked 1.7.1).
The problem with removing completely the composer.lock file would be that some packages could be upgraded due to version constraints in the composer.json file (example:
vendor/module:^1.7
could get the v1.7.9 instead of previously locked 1.7.1).
You are absolutely correct, but that wasn't the issue for us as we struggled to get a correct version of composer.lock
file after upgrade in the first place, and we wanted other modules being upgraded anyway.
Moreover, you said you had run composer update
- which essentially updates packages listed in composer.json
to the latest versions, just like in your example ;)
I had this issue today where my Magento 2 Base was replaced by 2tvenom.
workaround: magento/composer-dependency-version-audit-plugin
composer clearcache
What a hassle.
Hi @engcom-Bravo. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:
[ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).Details
If the issue has a valid description, the label Issue: Format is valid
will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid
appears.
[ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description
label to the issue by yourself.
[ ] 3. Add Component: XXXXX
label(s) to the ticket, indicating the components it may be related to.
[ ] 4. Verify that the issue is reproducible on 2.4-develop
branchDetails
- Add the comment @magento give me 2.4-develop instance
to deploy test instance on Magento infrastructure.
- If the issue is reproducible on 2.4-develop
branch, please, add the label Reproduced on 2.4.x
.
- If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!
[ ] 5. Add label Issue: Confirmed
once verification is complete.
[ ] 6. Make sure that automatic system confirms that report has been added to the backlog.
Hi @marceldekoning
We have tried to reproduce this issue but for us, it is not reproducible.
Precondition: Php 7.4 Compose 2.1.6 Magento 2.4.3
We have followed below steps
1.Installed magento version 2.4.3
composer require shipperhq/module-shipper
Composer.lock file contains correct dist and source
Please let us know if we are missing any steps here.
This is still a problem.
Just reproduced during my own Magento upgrade from 2.3.7-p2 to 2.4.3-p1.
I followed these steps in https://devdocs.magento.com/guides/v2.4/comp-mgr/cli/cli-upgrade.html
(not within the steps, but since it's a composer issue, start with composer clear-cache
)
composer require magento/composer-root-update-plugin ~2.0 --no-update
composer update
composer remove magento/product-community-edition --no-update
composer require-commerce magento/product-community-edition 2.4.3-p1 --no-update
composer update
Now composer.lock
is now full saturated of 2tvenom/cborencode.
Thanks to @jankovandeventer I could fix the composer.lock file. You cannot skip any of his steps (I tried skipping the 'remove vendor' part but it fixed it when I removed the folder, clear my composer cache, deleted composer.lock and updated it)
@JonathanBBD One note about the steps you have listed:
composer remove magento/product-community-edition --no-update composer require-commerce magento/product-community-edition 2.4.3-p1 --no-update
If you are just moving between versions and not editions (e.g. from 2.3.7-p2 to 2.4.3-p1 and not from Magento Open Source to Adobe Commerce), you don't need the remove command. I don't think that's related to the issue here, but it's worth trying. I'll see if we can get that clarified in the docs.
Also, if you ever remove composer.lock it's a good idea to remove vendor as well; composer expects vendor to be empty if there's no lock file and thus doesn't clean it properly if it still exists (it tries to do the minimum necessary for the expected state for performance).
I have same problem, it happens every time I install a new extension by composer.
Is there any chance there's a malicious nature to this? Imagine there's a fair amount of data to be gained by proxying all composer installs through a single endpoint?
For what it is worth, I just reviewed a PR of a web agency's contribution to my company's project, and when reviewing the diff for the composer.lock
file I too discovered this exact same issue was present in the PR that had been submitted.
Some searching around led me to this GitHub issue, and it relieved me (a little, not much) that others have experienced this problem too. I highly suspected something malicious was going on (still not entirely convinced there isn't...).
Despite attempting to reproduce the issue on my end with both Composer v1 and v2 I had no luck. Localhost testing showed that performing a rm -rf vendor/ && git reset --hard HEAD && composer install
with the bad lock file in place did succeed in successfully installing packages, still, I will be rejecting the PR and asking the web agency what the heck happened for the file to get this way.
Just had this occur to us on EE version going from 2.4.2 to 2.4.3. Something weird is going on with composer proxying in my opinion.
I can reproduce if I use composer 1 (1.10.24) But: https://devdocs.magento.com/guides/v2.4/install-gde/system-requirements.html Magento 2.4.3 --> "required" composer 2 Composer 1 with 2.4.3 is not in matrix of "system requirement" Perhaps the fix could be use composer 2 Same problem if you use composer 2?
I had this same weird problem after upgrading from 2.4.2 to 2.4.3. What I did to resolve this was: (1) Remove dependency "magento/composer-root-update-plugin": "^1.1" from composer.json (2) Remove composer.lock file (3) Remove vendor folder (4) Run composer install
Reproduced with Composer 1.10.25 Mage 2.4.3-p1, upon new module install, and fixed by quoted above
As this issue bothered me again, I went and tried to find something more:
I can confirm this issue using the steps in the original issue, using 'composer require picqer/php-barcode-generator' on both OSX (PHP 7.4.21 / composer 1.10.25) and WSL Ubuntu (PHP 7.4.27 / composer 1.10.23) using a fresh Magento 2.4.3.
I can also confirm that you have to delete both 'composer.lock' and 'vendor/' dir to be able to fix the issue with 'composer install'.
Here is the (final) composer.json file:
{
"name": "magento/project-community-edition",
"description": "eCommerce Platform for Growth (Community Edition)",
"type": "project",
"license": [
"OSL-3.0",
"AFL-3.0"
],
"config": {
"preferred-install": "dist",
"sort-packages": true
},
"version": "2.4.3-p1",
"require": {
"magento/composer-dependency-version-audit-plugin": "~0.1",
"magento/composer-root-update-plugin": "~1.1",
"magento/product-community-edition": "2.4.3-p1",
"picqer/php-barcode-generator": "^2.2"
},
"autoload": {
"exclude-from-classmap": [
"**/dev/**",
"**/update/**",
"**/Test/**"
],
"files": [
"app/etc/NonComposerComponentRegistration.php"
],
"psr-0": {
"": [
"app/code/",
"generated/code/"
]
},
"psr-4": {
"Magento\\": "app/code/Magento/",
"Magento\\Framework\\": "lib/internal/Magento/Framework/",
"Magento\\Setup\\": "setup/src/Magento/Setup/"
}
},
"require-dev": {
"allure-framework/allure-phpunit": "~1.4",
"dealerdirect/phpcodesniffer-composer-installer": "^0.7.0",
"friendsofphp/php-cs-fixer": "~2.18.1",
"lusitanian/oauth": "~0.8.10",
"magento/magento-coding-standard": "*",
"magento/magento2-functional-testing-framework": "^3.0",
"pdepend/pdepend": "~2.7.1",
"phpcompatibility/php-compatibility": "^9.3",
"phpmd/phpmd": "^2.8.0",
"phpstan/phpstan": "^0.12.77",
"phpunit/phpunit": "^9",
"sebastian/phpcpd": "^6.0.3",
"squizlabs/php_codesniffer": "~3.5.4",
"symfony/finder": "^5.2"
},
"conflict": {
"gene/bluefoot": "*"
},
"autoload-dev": {
"psr-4": {
"Magento\\PhpStan\\": "dev/tests/static/framework/Magento/PhpStan/",
"Magento\\Sniffs\\": "dev/tests/static/framework/Magento/Sniffs/",
"Magento\\TestFramework\\Inspection\\": "dev/tests/static/framework/Magento/TestFramework/Inspection/",
"Magento\\TestFramework\\Utility\\": "dev/tests/static/framework/Magento/TestFramework/Utility/",
"Magento\\Tools\\": "dev/tools/Magento/Tools/",
"Magento\\Tools\\Sanity\\": "dev/build/publication/sanity/Magento/Tools/Sanity/"
}
},
"minimum-stability": "stable",
"prefer-stable": true,
"repositories": [
{
"type": "composer",
"url": "https://repo.magento.com/"
}
],
"extra": {
"magento-force": "override"
}
}
I can reproduce if I use composer 1 (1.10.24) But: https://devdocs.magento.com/guides/v2.4/install-gde/system-requirements.html Magento 2.4.3 --> "required" composer 2
I see composer 2 only required starting at Mage 2.4.4+, besides theres still packages not available in Composer 2 for me. Maybe it changed in the meantime.
May I stress that installing and/or updating a package takes A LOT more time with this issue around?
Please let us know if we are missing any steps here.
@engcom-Bravo You missed we're all doing this on Composer 1, which should be the version according to the documentation right now.
Furthermore I tried 'composer update' with composer-dependency-version-audit-plugin and composer-root-update-plugin REMOVED, but this didn't solve anything. I assume the others that have been lucky, accidently also deleted both the lock-file and the vendor dir
I confirm the problem on Magento Cloud 2.4.4 + composer 1.10.22 After switching to composer 2.3.2, problem solved. After switching back to composer 1.10.22, problem comes back.
Seems the issue appears only when you specify the exact version when requiring some module, for example - composer require amasty/meta:1.3.2
My STR:
And a workaround seems to be removing 'magento/composer-dependency-version-audit-plugin', as follows in the root composer.json:
"replace": {
"magento/composer-dependency-version-audit-plugin": "*"
}
composer update
for 2.4.4 version.Hi @engcom-Bravo Can you please try reproducing it again by the steps provided above?
Hi,
I got the same problem today when migrating from Community 2.3.3 to 2.4.4.
Deleting the composer.lock and vendor/* folder let the composer installation finishing.
Got the same problem. Mine's fixed by following @n2diving-dgx instructions.
Got the same issue here. The steps mentioned above didn't resolve it for me.
Magento 2.4.3-p2 - PHP 7.4.26 - composer 1.10.26
For me the fix was to replace magento/module-two-factor-auth
Hi @engcom-Dash. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:
Issue: Format is valid
will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid
appears.Issue: Clear Description
label to the issue by yourself.Component: XXXXX
label(s) to the ticket, indicating the components it may be related to.2.4-develop
branch@magento give me 2.4-develop instance
to deploy test instance on Magento infrastructure. 2.4-develop
branch, please, add the label Reproduced on 2.4.x
.Hi @engcom-Hotel. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:
[ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).Details
If the issue has a valid description, the label Issue: Format is valid
will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid
appears.
[ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description
label to the issue by yourself.
[ ] 3. Add Component: XXXXX
label(s) to the ticket, indicating the components it may be related to.
[ ] 4. Verify that the issue is reproducible on 2.4-develop
branchDetails
- Add the comment @magento give me 2.4-develop instance
to deploy test instance on Magento infrastructure.
- If the issue is reproducible on 2.4-develop
branch, please, add the label Reproduced on 2.4.x
.
- If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!
[ ] 5. Add label Issue: Confirmed
once verification is complete.
[ ] 6. Make sure that automatic system confirms that report has been added to the backlog.
:heavy_check_mark: Issue confirmed
Issue got reproduced in 2.4.4 && 2.4.5 branch.
Description:
While installing extension all the packages in the composer.lock
file ,source and dist url are replaced with references to the 2tvenom/cborencode
package.
Pre-requisite:
Steps to reproduce:
2.4.3
to magento 2.4.4
.composer require shipperhq/module-shipper
in terminal.composer.lock
file.Expected result:
Actual result:
Screenshots:
Other package source:
Note : Same issue observed while upgrading from 2.4.4
to 2.4.5
.
Hence,confirming the issue.
:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-6505 is successfully created for this GitHub issue.
:white_check_mark: Confirmed by @engcom-Lima. Thank you for verifying the issue.
Issue Available: @engcom-Lima, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.
:x: Cannot export the issue. This GitHub issue is already linked to Jira issue(s): https://jira.corp.adobe.com/browse/AC-6505
Using composer 2 seems to solve the issue.
Using composer 2 seems to solve the issue.
Yes. But 2.4.3-X and 2.4.4-X has a support for Composer 1 according to the documentation (https://experienceleague.adobe.com/docs/commerce-operations/installation-guide/system-requirements.html).
And half this thread has been about making aware that this is limited to Composer 1. If we wait till EOL of 2.4.3/2.4.4 we can close this issue indeed
If you are staying with Composer 1 the Solution for me was as follows:
./vendor
and composer.lock
composer.json
to match current versions (to stop unnecessary upgrades)composer install
Some development tools (require-dev) were upgraded but otherwise I got a clean composer.lock and a stable site.
Summary
When I execute the composer require command after a clean installation, all the packages in the composer.lock file are replaced with references to the 2tvenom/cborencode package which makes it impossible afterwards to execute the composer install command because all the packages are returned 404.
Preconditions (*)
Steps to reproduce (*)
composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition
composer require a/module-b
Expected result (*)
Actual result (*)