Closed
Description
Since Composer 2.0.0 (still present in 2.0.12), packages that are present in the `composer.json` but are not locked in the `composer.lock` or installed in the vendor folder are not correctly detected as an out-of-sync lock file, nor resolved when running `composer update nothing` or `composer update --lock`. In Composer 1.10.21 and before, this behaviour was correct.
Reproduction
- Create a new folder with this composer.json:

```json
{
    "name": "reproduction/reproduction",
    "description": "reproduction",
    "license": "MIT",
    "require": {
        "php": "^7.4"
    }
}
```

- Run `composer update` to generate an up-to-date lock file.
- Add an extra dependency manually in the composer.json file (for example a dependency on `"composer/semver": "^3.0"`).
  This is not the correct way to add a dependency, but the composer.json and composer.lock might get out of sync in invalid merges, or editors like PhpStorm suggest edits to the composer.json without updating the lock file, etc.
- Run `composer validate`. An error about an out-of-date lock file is displayed:

```
The lock file is not up to date with the latest changes in composer.json, it is recommended that you run `composer update` or `composer update <package name>`.
```

- Run `composer u nothing` or `composer u --lock`.
- Run `composer validate`. The warning is now gone, implying the lock file is up to date. The lock file is not up to date, however, as dependencies from the composer.json are not in the lock file or installed into the vendor folder.
Expected behaviour
- When a package is present in the `composer.json` file but not locked in the `composer.lock` file, a warning is displayed when running `composer validate`.
- When `composer update nothing` or `composer update --lock` is run, the package is installed and added to the lock file (how this previously worked in v1.*), or a warning is displayed not to manually add to the `composer.json` file, with a message to run `composer require vendor/package-name` to require the package correctly and fix the discrepancy between the two files.
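As an added example (not Composer's own code and not part of this report), the package-level consistency check that the reproduction steps and the expected behaviour describe, written in Python over constructed composer.json and composer.lock contents: it lists every `require`/`require-dev` entry that no entry in the lock's `packages` or `packages-dev` satisfies (by name or via a `replace` entry), and skips platform requirements such as `php` and `ext-*`, which the lock records under `platform` rather than as locked packages. It does not recompute Composer's `content-hash`; the hash values and the locked version string below are placeholders, and the check is meant as a CI or pre-commit guard that catches the drift described above independently of what `composer validate` reports.

```python
import json
import re

# Platform requirements (php, hhvm, ext-*, lib-*, composer-*-api) are recorded
# under the lock file's "platform"/"platform-dev" keys, never as locked packages,
# so they must not be reported as missing.
PLATFORM_RE = re.compile(
    r"^(php(-64bit|-ipv6|-zts|-debug)?|hhvm|ext-[^/]+|lib-[^/]+|composer-(plugin|runtime)-api)$"
)


def is_platform_package(name: str) -> bool:
    return bool(PLATFORM_RE.match(name.lower()))


def locked_package_names(lock: dict) -> set:
    """Every name a locked package satisfies: its own name plus anything it replaces."""
    names = set()
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            names.add(pkg["name"].lower())
            for replaced in pkg.get("replace", {}):
                names.add(replaced.lower())
    return names


def find_unlocked_requirements(composer_json: str, composer_lock: str) -> list:
    """Return (section, package) pairs required by composer.json but absent from composer.lock."""
    manifest = json.loads(composer_json)
    lock = json.loads(composer_lock)
    locked = locked_package_names(lock)
    missing = []
    for section in ("require", "require-dev"):
        for name in manifest.get(section, {}):
            if is_platform_package(name):
                continue
            if name.lower() not in locked:
                missing.append((section, name))
    return missing


# Constructed sample: the report's composer.json after "composer/semver" was added by hand.
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "reproduction/reproduction",
    "description": "reproduction",
    "license": "MIT",
    "require": {"php": "^7.4", "composer/semver": "^3.0"},
})

# Constructed stale lock: generated before the manual edit, so only the platform
# requirement is recorded and no package is locked. The hash is a placeholder.
SAMPLE_LOCK_STALE = json.dumps({
    "content-hash": "PLACEHOLDER-CONTENT-HASH",
    "packages": [],
    "packages-dev": [],
    "platform": {"php": "^7.4"},
    "platform-dev": [],
})

# Constructed fresh lock: the shape a correct "composer update" would produce.
# The version string is illustrative, not real release metadata.
SAMPLE_LOCK_FRESH = json.dumps({
    "content-hash": "PLACEHOLDER-CONTENT-HASH",
    "packages": [{"name": "composer/semver", "version": "3.x-example"}],
    "packages-dev": [],
    "platform": {"php": "^7.4"},
    "platform-dev": [],
})


if __name__ == "__main__":
    for label, lock in (("stale", SAMPLE_LOCK_STALE), ("fresh", SAMPLE_LOCK_FRESH)):
        missing = find_unlocked_requirements(SAMPLE_COMPOSER_JSON, lock)
        if not missing:
            print(f"{label}: composer.lock covers every requirement")
        for section, name in missing:
            print(f"{label}: {section} lists {name} but composer.lock does not lock it; "
                  f"run `composer require {name}` to fix the discrepancy")
```

Run against the real files with `find_unlocked_requirements(open("composer.json").read(), open("composer.lock").read())` and fail the build when the list is non-empty; that reproduces the warning the report expects from `composer validate`, and does so even after `composer update nothing` or `composer update --lock` has rewritten the lock's `content-hash`.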