mediact / dependency-guard

Static production dependency analysis.
MIT License

Circular composer dependents cause timeout #33

Closed janmartenjongerius closed 5 years ago

janmartenjongerius commented 6 years ago

Description

When a project gets analyzed and its dependencies have circular dependents, the DependencyFilter will cause a timeout, because it asks Composer to resolve the list of dependents recursively.

Steps to Reproduce

For now it seems to happen for this combination of requirements:

{
    "require": {
        "php": "^7.1",
        "jyxon/gdpr-cookie-compliance": "^1.1",
        "magento/framework": "^100.0|^101.0",
        "magento/module-backend": "^100.2",
        "magento/module-cms": "^102.0",
        "magento/module-config": "^101.0",
        "magento/module-store": "^100.2",
        "magento/module-theme": "^100.2",
        "magento/module-ui": "^101.0",
        "magento/module-widget": "^101.0",
        "symfony/console": "^2.8"
    }
}

  1. Install DependencyGuard in a project that has circular package links
  2. Execute DependencyGuard

Expected behavior:

DependencyGuard finishes analysis as normal.

Actual behavior:

DependencyGuard reaches a process timeout or creates a segmentation fault.

Reproduces how often:

100% of the time, for affected packages.

Versions

1.0.6 | dev-master

janmartenjongerius commented 6 years ago

A regression test has been added in branch issue/33, which can be invoked by running:

php7.1 vendor/bin/phpunit tests/Regression/Issue33/Issue33Test.php

This will show that a timeout set to 5 seconds is exceeded. When diving into the issue, the problem comes from invoking:

$this->repository->getDependents(
    $violation->getPackage()->getName()
)

Inside \Mediact\DependencyGuard\Violation\Filter\DependencyFilter::__invoke

It is important that PHP 7.1 is used, because of the lower limit to DependencyGuard and the upper limit of Magento compatibility.
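As an added illustration, not code from this issue or from dependency-guard, the snippet below walks a constructed reverse-dependency map in PHP 7.1 with a visited set, which is what a recursive dependents lookup needs in order to terminate when two packages depend on each other. Package names are reused from the composer.json above purely as placeholders; the edges, the helper names and the map layout are assumptions, not Composer's real data or API.

```php
<?php
// Constructed reverse-dependency map (package => packages requiring it), with
// module-store <-> module-backend forming a cycle. Edges are assumptions.
$dependents = [
    'magento/framework'      => ['magento/module-store', 'magento/module-backend'],
    'magento/module-store'   => ['magento/module-backend', 'magento/module-theme'],
    'magento/module-backend' => ['magento/module-store', 'magento/module-theme'],
    'magento/module-theme'   => ['magento/module-ui'],
    'magento/module-ui'      => [],
];

// Every transitive dependent of $package; the $seen set is what cuts cycles,
// so the walk terminates where a naive recursive lookup would not.
function transitiveDependents(array $dependents, string $package): array
{
    $seen  = [];
    $stack = [$package];
    while ($stack !== []) {
        $current = array_pop($stack);
        foreach ($dependents[$current] ?? [] as $dependent) {
            if (isset($seen[$dependent])) {
                continue; // already visited: do not descend again
            }
            $seen[$dependent] = true;
            $stack[] = $dependent;
        }
    }
    $result = array_keys($seen);
    sort($result);
    return $result;
}

// One dependents cycle reachable from $package as a path, or null if none;
// useful for a regression test that wants to name the offending packages.
function findDependentsCycle(array $dependents, string $package, array $path = []): ?array
{
    $path[] = $package;
    foreach ($dependents[$package] ?? [] as $dependent) {
        $at = array_search($dependent, $path, true);
        if ($at !== false) {
            return array_merge(array_slice($path, $at), [$dependent]);
        }
        $cycle = findDependentsCycle($dependents, $dependent, $path);
        if ($cycle !== null) {
            return $cycle;
        }
    }
    return null;
}
print_r(transitiveDependents($dependents, 'magento/framework'));
print_r(findDependentsCycle($dependents, 'magento/framework'));
```

A regression test can assert that the cycle finder returns the module-store/module-backend loop and that the visited-set walk finishes well inside the 5 second timeout mentioned above.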