Symfony package versions not restricted by SYMFONY_REQUIRE environment variable

[ncoleshaw-oncorps]

The flex plugin reads the value of SYMFONY_REQUIRE from the environment and may use this value to report that packages in "symfony/symfony" have been restricted, but PackageResolver ignores this environment variable and instead attempts to obtain the symfony.require version directly from the root package's composer.json file.

Steps to reproduce:

• Set SYMFONY_REQUIRE environment variable
  • e.g. export SYMFONY_REQUIRE=5.4.*
• Verify that the variable is set
  • printenv | grep SYMFONY_REQUIRE
• Make sure extra.symfony.version is not set in the root composer.json
• Make sure symfony/framework is not in the requires list in the root composer.json
• Require a package in symfony/symfony
  • e.g. composer require symfony/serializer

Expected result: For the above example, symfony/serializer 5.4.* is added to the requires list, and the latest patch version corresponding to that version constraint is installed.

Actual result: For the above example, Flex reports Restricting packages listed in "symfony/symfony" to "5.4.*" but the most recent available version of symfony/serializer (^6.1 at the time of writing) is installed.

This issue appears to be referenced in https://github.com/symfony/flex/issues/933

[nicolas-grekas]

I'm sorry but I'm unable to reproduce using your instructions.

[dbu]

works fine for me. are you sure that you allow composer to execute the plugin? in a github action, i do this:

            - name: "Require flex"
              run: |
                composer require --no-update symfony/flex
                composer config --no-plugins allow-plugins.symfony/flex true

(and i think given the age of the issue, this could be closed)