php-tuf / composer-integration

PHP-TUF Composer Plugin.

Only audit packages we actually provide #92

Closed phenaproxima closed 3 months ago

phenaproxima commented 11 months ago

I discovered why Composer makes so many extra requests for packages that are not part of a particular repository (as surfaced in https://github.com/composer/composer/issues/11704 and https://github.com/php-tuf/drupal-project/pull/1) -- composer require and composer update will do a security audit by default, unless you pass the --no-audit option. While auditing, repositories that support it are queried for all packages, even ones they don't provide.

To be clear, this is an upstream bug in Composer and still needs to be fixed; I will update and repurpose https://github.com/composer/composer/issues/11704. But we can work around it by overriding ComposerRepository::getSecurityAdvisories() so that, if we are using an available-package-patterns filter, we don't try to get security advisories for packages we don't provide.

phenaproxima commented 3 months ago

Looks like the upstream bug was fixed in Composer: https://github.com/composer/composer/issues/11704.

Do we want to just close this out?

phenaproxima commented 3 months ago

Here's how we could test this out manually. In a Drupal project (just a regular recommended-project will do), running composer update -vvv should NOT have requests like this in it:

Downloading https://packages.drupal.org/files/packages/8/p2/consolidation/annotated-command.json

That's an example of Composer asking a repository for info on a package it does not have, and never has.
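The manual check above can be scripted. This is an added example, not code from the issue or the php-tuf project: it scans saved `composer update -vvv` output for metadata requests sent to a repository for packages outside that repository's `available-package-patterns`. The repository URL prefix, the glob patterns and the sample log lines are constructed here; the Drupal repository is assumed to provide only `drupal/*`.

```sh
#!/bin/sh
# flag_foreign_requests LOGFILE REPO_URL PATTERN...
# Prints every vendor/name that Composer requested from REPO_URL and that
# matches none of the PATTERNs (shell globs such as 'drupal/*').
# Returns 1 if any such request was found, 0 if the log is clean.
flag_foreign_requests() {
    log=$1; repo=$2; shift 2
    # -vvv output logs "Downloading <repo>/.../p2/<vendor>/<name>.json";
    # dev metadata is fetched as "<name>~dev.json", so strip that suffix too.
    out=$(
        grep -o "Downloading ${repo}[^ ]*/p2/[^/ ]*/[^/ ]*\.json" "$log" |
            sed -e 's#.*/p2/##' -e 's#~dev\.json$##' -e 's#\.json$##' |
            sort -u |
            while IFS= read -r pkg; do
                ok=0
                for pat in "$@"; do
                    # Unquoted $pat is used as a glob pattern by case.
                    case $pkg in $pat) ok=1; break ;; esac
                done
                [ "$ok" -eq 1 ] || echo "foreign request: $pkg"
            done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample of -vvv output (not a real capture). The
# consolidation/* line is the kind of request the issue describes.
write_sample_log() {
    cat > "$1" <<'EOF'
Downloading https://packages.drupal.org/files/packages/8/p2/drupal/core.json
Downloading https://packages.drupal.org/files/packages/8/p2/drupal/core~dev.json
Downloading https://packages.drupal.org/files/packages/8/p2/consolidation/annotated-command.json
Downloading https://repo.packagist.org/p2/consolidation/annotated-command.json
EOF
}

# Demo: with a real run, replace the sample file with the saved -vvv output.
sample=$(mktemp)
write_sample_log "$sample"
flag_foreign_requests "$sample" https://packages.drupal.org/files/packages/8 'drupal/*'
rm -f "$sample"
```

A clean run (Composer 2.7.7 or later, per the comments below) prints nothing and exits 0.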

phenaproxima commented 3 months ago

Can confirm that, testing manually with Composer 2.7.7, I didn't see any of those bad requests.