vtsykun / packeton

:package: Private, self-hosted Packagist/Composer/Satis repository with unlimited private repos.
https://demo.packeton.org
MIT License

Locking package to specific hash does not work #266

Closed mikk150 closed 1 month ago

mikk150 commented 2 months ago

Description

If I want to lock a package that is hosted in Packeton to a specific commit, it states that the reference is the commit I locked it to, but the dist zip still references the newest zip that Packeton knows of.

To reproduce:

  1. Make composer.json file
    {
        "name": "mikk/packeton-bug",
        "type": "project",
        "minimum-stability": "dev",
        "require": {
            "phpstan/phpstan-src": "1.12.x-dev#285ca8b7117a46008039adea0c4806c7d52f21dc"
        },
        "repositories": [
            {
                "type": "composer",
                "url": "https://demo.packeton.org"
            }
        ]
    }
  2. Install this project
  3. Observe in composer.lock how the zipball references the wrong commit

Can you reproduce the bug on the Packeton demo site?

Yes

Database

MySQL

Screenshots

No response

How are you running Packeton?

Kubernetes cluster

f3l1x commented 2 months ago

Hi @mikk150, we are facing the same issue, but with branch-alias. We need to do composer update <package>. I think it's the same as you described.

vtsykun commented 1 month ago

Hi @mikk150

I investigated the issue, and this bug happens because Composer has hardcoded the regex that replaces the dist URL commit reference in its library.

Preg::isMatch('{^https?://(?:(?:www\.)?bitbucket\.org|(api\.)?github\.com|(?:www\.)?gitlab\.com)/}i', $this->getDistUrl())

....
$this->setDistUrl(Preg::replace('{(?<=/|sha=)[a-f0-9]{40}(?=/|$)}i', $reference, $this->getDistUrl()));

https://github.com/composer/composer/blob/6778f1f79a56926e4c6131f7c30358ff2c301669/src/Composer/Package/Package.php#L645-L660

But I found a workaround for this issue: I'll change the root Composer metadata format to support mirror URLs.

For example

// /packages.json


{
    "packages": [],
    "notify": "/downloads/%package%",
    "notify-batch": "/downloads/",
    "metadata-changes-url": "/metadata/changes.json",
    "mirrors": [
        {
            "dist-url": "https://pkg8.loc/zipball/%package%/%reference%.%type%",
            "preferred": true
        }
    ],
    "metadata-url": "/p2/%package%.json",
    "available-packages": [  ],
    "providers-lazy-url": "/p/%package%.json"
}

And composer.lock will look like this

        {
            "name": "phpstan/phpstan-src",
            "version": "1.12.x-dev",
            "source": {
                "type": "git",
                "url": "https://github.com/phpstan/phpstan-src.git",
                "reference": "285ca8b7117a46008039adea0c4806c7d52f21dc"
            },
            "dist": {
                "type": "zip",
                "url": "https://pkg8.loc/zipball/phpstan/phpstan-src/2507e387c57b5b9577ee8d02226650880b731697.zip",
                "reference": "285ca8b7117a46008039adea0c4806c7d52f21dc",
                "mirrors": [
                    {
                        "url": "https://pkg8.loc/zipball/%package%/%reference%.%type%",
                        "preferred": true
                    }
                ]
            },
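
A lock-file check for the mismatch reported in this issue, added here as an example; it is not code from the thread, from Packeton or from Composer. `composer_rewrite` mimics the two quoted Composer lines (with the lookbehind split for Python's `re`), and `mismatched_dists`, the sample lock fragment and the GitHub-style URL are constructed for illustration, assuming any standalone 40-hex run in a dist URL is a commit hash.

```python
import re

# Host allow-list and hash pattern from the Composer lines quoted in the thread.
# Python's re needs fixed-width lookbehinds, so (?<=/|sha=) is split in two.
KNOWN_HOSTS = re.compile(
    r"^https?://(?:(?:www\.)?bitbucket\.org|(api\.)?github\.com|(?:www\.)?gitlab\.com)/",
    re.I)
HASH_IN_URL = re.compile(r"(?:(?<=/)|(?<=sha=))[a-f0-9]{40}(?=/|$)", re.I)
# Assumption of this example: any standalone 40-hex run in a dist URL is a commit hash.
ANY_HASH = re.compile(r"(?<![a-f0-9])[a-f0-9]{40}(?![a-f0-9])", re.I)


def composer_rewrite(dist_url, reference):
    """Mimic the quoted rule: the hash is swapped only on the hard-coded hosts."""
    if KNOWN_HOSTS.search(dist_url):
        return HASH_IN_URL.sub(reference, dist_url)
    return dist_url


def mismatched_dists(lock):
    """List (name, pinned reference, hash in URL) where the dist URL names another commit."""
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        dist = pkg.get("dist") or {}
        ref, url = dist.get("reference") or "", dist.get("url") or ""
        for found in ANY_HASH.findall(url):
            if ref and found.lower() != ref.lower():
                findings.append((pkg["name"], ref, found))
    return findings


PINNED = "285ca8b7117a46008039adea0c4806c7d52f21dc"
STALE = "2507e387c57b5b9577ee8d02226650880b731697"
# Constructed lock fragment built from the values shown in the thread.
SAMPLE_LOCK = {"packages": [{
    "name": "phpstan/phpstan-src",
    "dist": {"type": "zip", "reference": PINNED,
             "url": "https://pkg8.loc/zipball/phpstan/phpstan-src/" + STALE + ".zip"},
}]}
# Constructed GitHub-style URL, to show the host the quoted rule does rewrite.
GITHUB_URL = "https://api.github.com/repos/phpstan/phpstan-src/zipball/" + STALE

if __name__ == "__main__":
    print(composer_rewrite(GITHUB_URL, PINNED))
    print(composer_rewrite(SAMPLE_LOCK["packages"][0]["dist"]["url"], PINNED))
    for name, ref, found in mismatched_dists(SAMPLE_LOCK):
        print(f"{name}: locked to {ref} but dist URL points at {found}")
```

Run against a real `composer.lock` by loading it with `json.load` and passing the result to `mismatched_dists`; a non-empty list means the archive that would be downloaded is not the commit the lock claims.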