Open driskell opened 2 years ago
Related: dependabot/dependabot-core#4030
For my repositories, I've created a GitHub Actions workflow that fixes up Dependabot PRs with the correct lock file changes: https://github.com/gapple/dpbot-merge/blob/main/.github/workflows/dependabot-composer.yml
Hello
We've discovered that dependabot is not aware of the merged requirements or repositories added by composer-merge-plugin. This is intentional as dependabot does not run plugin scripts and likely never will. So in a way the two are not compatible.
Worse still, however, is that Dependabot's composer update will then not know about the requirements and strip them from the resulting lock file. This is intentional. As far as composer is concerned, the newly updated package meant these packages were no longer needed, and so they are removed since there is no longer a requirement for them anywhere (scripts didn't run).
I think the way to resolve this potentially is for merge plugin to actually write the merged repository and requirements to the composer JSON file. Could this be a valid feature request?
It has two advantages:
For now we're doing the merge manually into composer JSON as it gives both benefits.
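The flattening the post proposes (and currently does by hand) can be scripted: read the `extra.merge-plugin` include globs, fold the included files' `require`, `require-dev` and `repositories` into the root composer.json, and then check a Dependabot-produced composer.lock for packages that were silently dropped. The following is an added example, not code from composer-merge-plugin, Dependabot or the poster. It assumes the plugin's config lives under `extra.merge-plugin` with `include`/`require` lists, that a constraint already in the root wins over an included one unless `replace` is set, and that `require-dev` is merged (the plugin's `merge-dev` default); the sample manifests and lock file are constructed.

```python
"""Flatten composer-merge-plugin includes into the root composer.json.

Added example (not composer-merge-plugin's, Dependabot's or the poster's code).
Assumptions: plugin config under extra.merge-plugin with 'include'/'require'
globs; root constraints win over included ones unless replace=True; require-dev
is merged. Verify these against the plugin version you run.
"""
import glob
import json
import os
from typing import Any, Dict, List

# Link sections folded into the root manifest.
LINK_KEYS = ("require", "require-dev")


def included_files(root: Dict[str, Any], base_dir: str) -> List[str]:
    """Expand the plugin's include/require globs relative to base_dir."""
    cfg = root.get("extra", {}).get("merge-plugin", {})
    patterns = list(cfg.get("include", [])) + list(cfg.get("require", []))
    paths: List[str] = []
    for pattern in patterns:
        paths.extend(sorted(glob.glob(os.path.join(base_dir, pattern))))
    return paths


def merge_composer(root: Dict[str, Any], fragments: List[Dict[str, Any]],
                   replace: bool = False) -> Dict[str, Any]:
    """Return a new manifest with the fragments' links and repositories merged in."""
    merged = json.loads(json.dumps(root))  # deep copy; leave the input alone
    for frag in fragments:
        for key in LINK_KEYS:
            links = frag.get(key, {})
            if not links:
                continue
            target = merged.setdefault(key, {})
            for pkg, constraint in links.items():
                # Root wins on duplicates unless replace is requested (assumption).
                if replace or pkg not in target:
                    target[pkg] = constraint
        for repo in frag.get("repositories", []):
            repos = merged.setdefault("repositories", [])
            if repo not in repos:
                repos.append(repo)
    return merged


def packages_missing_from_lock(composer: Dict[str, Any],
                               lock: Dict[str, Any]) -> List[str]:
    """Names required by composer.json that a composer.lock no longer contains.

    This is the check to run on a Dependabot PR: a non-empty result means the
    update stripped merged requirements from the lock file.
    """
    locked = {p["name"] for p in lock.get("packages", [])}
    locked |= {p["name"] for p in lock.get("packages-dev", [])}
    wanted = set(composer.get("require", {})) | set(composer.get("require-dev", {}))
    # Platform packages (php, ext-*, lib-*) never appear in the lock file.
    wanted = {name for name in wanted if "/" in name}
    return sorted(wanted - locked)


def flatten(root_path: str, replace: bool = False) -> Dict[str, Any]:
    """Rewrite composer.json at root_path with its includes merged in."""
    base = os.path.dirname(os.path.abspath(root_path))
    with open(root_path) as fh:
        root = json.load(fh)
    fragments = []
    for path in included_files(root, base):
        with open(path) as fh:
            fragments.append(json.load(fh))
    merged = merge_composer(root, fragments, replace)
    with open(root_path, "w") as fh:
        json.dump(merged, fh, indent=4)
        fh.write("\n")
    return merged


# Constructed sample data (not from any real project).
ROOT_SAMPLE = {
    "name": "example/site",
    "require": {"php": ">=8.1", "vendor/core": "^2.0"},
    "extra": {"merge-plugin": {"include": ["composer.local.json", "modules/*/composer.json"]}},
}
FRAGMENT_SAMPLE = {
    "require": {"vendor/core": "^1.0", "vendor/extra": "^3.1"},
    "require-dev": {"vendor/tools": "^1.4"},
    "repositories": [{"type": "vcs", "url": "https://example.com/vendor/extra.git"}],
}
# A lock file as Dependabot would leave it: only the root's own package survived.
LOCK_SAMPLE = {"packages": [{"name": "vendor/core"}], "packages-dev": []}

if __name__ == "__main__":
    merged = merge_composer(ROOT_SAMPLE, [FRAGMENT_SAMPLE])
    print(json.dumps(merged, indent=2))
    print("dropped from lock:", packages_missing_from_lock(merged, LOCK_SAMPLE))
```

Running `flatten("composer.json")` in CI before `composer update` makes the root manifest authoritative for Dependabot; `packages_missing_from_lock` on the PR's composer.lock is the guard that fails the build when merged requirements have been stripped.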