`composer update` pulls in packages ignoring `require.php` constraints #11164

herndlm · 2022-10-31T09:56:01Z

herndlm
Oct 31, 2022

I have ^7.4 || ^8.0 as php constraint and would expect that this leads to packages being installed that are compatible with PHP 7.4, right? Or am I misunderstanding something? I don't have much experience with supporting multiple PHP versions yet tbh :)

Concrete problem case
E.g. the composer.json

{
    "name": "herndlm/composer-update-constraints",
    "type": "library",
    "require": {
        "php": "^7.4 || ^8.0",
        "league/commonmark": "^2.3"
    },
    "autoload": {
        "psr-4": {
            "Herndlm\\ComposerUpdateConstraints\\": "src/"
        }
    }
}

installs the indirect dependency symfony/deprecation-contracts in version 2.* with PHP 7.4, but when I switch to PHP 8.1, it starts installing symfony/deprecation-contracts in version 3.* which is incompatible with 7.4.

I created a reproducer at https://github.com/herndlm/composer-update-constraints and let Renovate update the lockfile in https://github.com/herndlm/composer-update-constraints/ 8000 pull/3/files#r1009228391. It does that using the latest composer (2.4.4) and latest PHP (8.1.12) that are in reach for me using the following command: composer update --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins

Answered by mad-briller

Nov 1, 2022

from my experience composer always installs the highest version of packages that are compatible with the system's version of php and the ^7.4 || ^8.0 in the root package is used to print warnings if trying to run composer update on a machine without a satisfactory version:

the docs allude to this behaviour, implying that the php constraint is for the user:

php represents the PHP version of the user

i currently have to support packages for 7.4 and 8.1, and to work with this i install both versions of php locally and use the following commands:

php7.4 $(which composer) update
php8.1 $(which composer) update

it's worth noting that the php constraint is considered when requiring packages in…

View full answer

mad-briller · 2022-11-01T09:03:42Z

mad-briller
Nov 1, 2022

from my experience composer always installs the highest version of packages that are compatible with the system's version of php and the ^7.4 || ^8.0 in the root package is used to print warnings if trying to run composer update on a machine without a satisfactory version:

the docs allude to this behaviour, implying that the php constraint is for the user:

php represents the PHP version of the user

i currently have to support packages for 7.4 and 8.1, and to work with this i install both versions of php locally and use the following commands:

php7.4 $(which composer) update
php8.1 $(which composer) update

it's worth noting that the php constraint is considered when requiring packages into the root package, so for example if you run with php7.4, composer wont install packages versions with php: ^8.0 in their composer.json

8000

2 replies

herndlm Nov 1, 2022
Author

I was really not expecting it to work like that, but https://getcomposer.org/doc/articles/composer-platform-dependencies.md#what-are-platform-dependencies also has an example that shows how it works internally and I can see now how this happens. That means 8.1 will break the lockfile basically and I have to run it with the lowest supported php version or define a platform constraint :/

Seldaek Nov 3, 2022
Maintainer

Yup, best is to define config.platform.php IMO. Or do not ship a lock file if it's a library that can be used with several PHP versions..

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

`composer update` pulls in packages ignoring `require.php` constraints #11164

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

composer update pulls in packages ignoring require.php constraints #11164

Uh oh!

Uh oh!

herndlm Oct 31, 2022

Replies: 1 comment · 2 replies

Uh oh!

Uh oh!

mad-briller Nov 1, 2022

Uh oh!

herndlm Nov 1, 2022 Author

Uh oh!

Seldaek Nov 3, 2022 Maintainer

`composer update` pulls in packages ignoring `require.php` constraints #11164

herndlm
Oct 31, 2022

Replies: 1 comment 2 replies

mad-briller
Nov 1, 2022

herndlm Nov 1, 2022
Author

Seldaek Nov 3, 2022
Maintainer