8000 Transitive dependency forces dev dependency installation · Issue #12412 · composer/composer · GitHub
kevin-kortum-trustedshops opened this issue May 16, 2025 · 2 comments

@kevin-kortum-trustedshops

My composer.json:

{
    "name": "acme/my-shopware-plugin",
    "type": "shopware-plugin",
    "license": "proprietary",
    "require": {
        "ramsey/uuid": "^4.2"
    },
    "require-dev": {
        "shopware/shopware": "5.7.18"
    }
}

Output of composer diagnose:

composer diagnose
Checking composer.json: OK
Checking composer.lock: OK
Checking platform settings: OK
Checking git settings: OK git version 2.39.5
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK expires on 2025-08-22 22:00:00 UTC
Checking disk free space: OK
Checking pubkeys: FAIL
Missing pubkey for tags verification
Missing pubkey for dev verification
Run composer self-update --update-keys to set them up
Checking Composer version: OK
Checking Composer and its dependencies for vulnerabilities: OK
Composer version: 2.8.9
PHP version: 8.2.28
PHP binary path: /usr/local/bin/php
OpenSSL version: OpenSSL 3.0.15 3 Sep 2024
curl version: 7.88.1 libz 1.2.13 brotli 1.0.9 zstd supported ssl OpenSSL/3.0.15
zip: extension present, unzip present, 7-Zip not available

When I run this command:

composer install --no-dev -vvv

I get the following output:

Running 2.8.9 (2025-05-13 14:01:37) with PHP 8.2.28 on Linux / 6.10.14-linuxkit
Reading ./composer.json (/srv/app/composer.json)
Loading config file /root/.composer/config.json
Loading config file /root/.composer/auth.json
Loading config file ./composer.json (/srv/app/composer.json)
Checked CA file /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/certs/ca-certificates.crt: valid
Executing command (/srv/app): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing async command (/srv/app): 'git' 'rev-list' 'main..feat/updated-and-dry-the-pipeline'
Executing async command (/srv/app): 'git' 'rev-list' 'develop..feat/updated-and-dry-the-pipeline'
Executing async command (/srv/app): 'git' 'rev-list' 'remotes/origin/main..feat/updated-and-dry-the-pipeline'
Executing async command (/srv/app): 'git' 'rev-list' 'remotes/origin/develop..feat/updated-and-dry-the-pipeline'
Failed to initialize global composer: Composer could not find the config file: /root/.composer/composer.json

Reading ./composer.lock (/srv/app/composer.lock)
Reading /srv/app/vendor/composer/installed.json
Installing dependencies from lock file
Verifying lock file contents can be installed on current platform.
Reading ./composer.lock (/srv/app/composer.lock)
Built pool.
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Nothing to install, update or remove
Package google/crc32 is abandoned, you should avoid using it. No replacement was suggested.
Package symfony/debug is abandoned, you should avoid using it. Use symfony/error-handler instead.
Generating autoload files
66 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

And I expected this to happen:
Removal of all dependencies that are installed through the sole dev dependency.

The shopware dependency also depends on the ramsey/uuid package. As soon as I add it to the requirements, whenever I run composer install --no-dev the shopware package is installed along with all of its dependencies. My expectation would be that only the uuid package is provided. The composer.lock file reflects this change, as the packages-dev array is empty.

I don't know if this is expected behavior, but from my user perspective I am quite surprised.

@GrzegorzDrozd

I see the same issue.

When I fetch this repo: https://github.com/opentelemetry-php/contrib-auto-pdo/blob/main/composer.json and run:

php -f ../../composer.phar install --no-dev --no-suggest

I still see in the output:

- Locking open-telemetry/sdk (1.5.0)

When I run:

php -f ../../composer.phar depends --locked open-telemetry/sdk
open-telemetry/opentelemetry-auto-pdo dev-main requires (for development) open-telemetry/sdk (^1.0)    
open-telemetry/api                    1.3.0    conflicts                  open-telemetry/sdk (<=1.0.8) 

Diagnose:

php -f ../../composer.phar diagnose
Checking composer.json: OK
Checking composer.lock: OK
Checking platform settings: OK
Checking git settings: OK git version 2.43.0
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK does not expire
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking Composer version: OK
Checking Composer and its dependencies for vulnerabilities: OK
Composer version: 2.8.9
PHP version: 8.2.28
PHP binary path: /usr/bin/php8.2
OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
curl version: 8.5.0 libz 1.3 brotli 1.1.0 zstd supported ssl OpenSSL/3.0.13
zip: extension present, unzip present, 7-Zip present (7z)

@Seldaek
Member
Seldaek commented May 26, 2025

Ok this took me a while to realize what was going on 🙈 but the good news (for me..) is there is no bug.

The root cause is this:

$ c why symfony/polyfill-ctype
ramsey/uuid         4.2.3   requires symfony/polyfill-ctype (^1.8)
shopware/shopware   v5.7.18 replaces symfony/polyfill-ctype (*)

Shopware decides to replace the symfony polyfills that it doesn't need, but ramsey/uuid actually needs those. This means that within the installed dependencies ramsey/uuid actually ends up depending on shopware, which is why it pulls it up into the non-dev requirements.

If you pin the ramsey/uuid to 4.2.3 (to keep things simpler) and then remove the shopware requirement and run an update you will see this:

Lock file operations: 1 install, 0 updates, 96 removals
  - Removing aws/aws-crt-php (v1.2.7)
  - Removing aws/aws-sdk-php (3.337.3)
  - Removing bcremer/line-reader (1.3.0)
  - [...]
  - Removing voku/portable-utf8 (6.0.13)
  - Removing wikimedia/less.php (v4.1.0)
  - Locking symfony/polyfill-ctype (v1.32.0)

So you see in that case it ends up adding the missing polyfill. But when trying to figure out which packages are dev requirements and which are not, it doesn't have access to symfony/polyfill-ctype because that would create a corrupt lock file as installing it without shopware but without the polyfill would not fulfill ramsey/uuid's requirements. So we compute things without considering other packages than those we currently have selected when resolving all dependencies together, and then it fails to remove shopware as it is needed.

I hope this explanation is understandable to everyone here. Anyway, the only solution would be for shopware to drop these replaces. If we resolve #7557 it would be much easier to sell them, as the replaces would become entirely useless. But right now it's up to them whether they think this issue is more important than wasting a few bytes with polyfills installed.

@Seldaek Seldaek closed this as completed May 26, 2025
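To make the resolution Seldaek describes concrete, the following is an added Python model, not Composer's own code, of how the non-dev set is computed over the locked packages only, with `replace` entries counting as providers. The two lock sets are a constructed, heavily trimmed subset of this issue's graph, and `pulled_in_by_replace` is an assumed audit helper that flags packages (here the whole shopware tree) that reach production only through a `replace`.

```python
# Added example, not Composer's own code: a model of how Composer splits locked
# packages into non-dev/dev sets and why `replace` drags a dev package along.
# Constructed, trimmed subset of the issue's graph (real packages need more).
LOCKED_WITH_SHOPWARE = {
    "ramsey/uuid":       {"require": ["symfony/polyfill-ctype"], "replace": []},
    "shopware/shopware": {"require": ["ramsey/uuid", "aws/aws-sdk-php"],
                          "replace": ["symfony/polyfill-ctype"]},
    "aws/aws-sdk-php":   {"require": [], "replace": []},
}
# After dropping the shopware dev requirement and updating, the solver locks
# the real polyfill instead (the "Locking symfony/polyfill-ctype" line above).
LOCKED_WITHOUT_SHOPWARE = {
    "ramsey/uuid":            {"require": ["symfony/polyfill-ctype"], "replace": []},
    "symfony/polyfill-ctype": {"require": [], "replace": []},
}

def providers(packages, honour_replace=True):
    """Map each name to the locked packages that satisfy it: a package
    satisfies its own name and, if honour_replace, every name it replaces."""
    prov = {}
    for name, meta in packages.items():
        prov.setdefault(name, set()).add(name)
        if honour_replace:
            for replaced in meta["replace"]:
                prov.setdefault(replaced, set()).add(name)
    return prov

def non_dev_closure(root_require, packages, honour_replace=True):
    """Transitive closure of the root's `require` over the locked set only,
    so a polyfill absent from the lock can only be supplied by a replacer."""
    prov = providers(packages, honour_replace)
    selected, todo = set(), list(root_require)
    while todo:
        req = todo.pop()
        for pkg in prov.get(req, ()):  # names nobody provides are skipped
            if pkg not in selected:
                selected.add(pkg)
                todo.extend(packages[pkg]["require"])
    return selected

def pulled_in_by_replace(root_require, packages):
    """Audit: packages that enter the non-dev set only through a `replace`."""
    return non_dev_closure(root_require, packages) - non_dev_closure(
        root_require, packages, honour_replace=False)

if __name__ == "__main__":
    for lock in (LOCKED_WITH_SHOPWARE, LOCKED_WITHOUT_SHOPWARE):
        print("non-dev:", sorted(non_dev_closure(["ramsey/uuid"], lock)))
        print("via replace:", sorted(pulled_in_by_replace(["ramsey/uuid"], lock)))
```

Running the audit on a real lock before a production build is the cheap way to notice that a `--no-dev` install will still ship a dev-only tree, which is the same fact `composer why symfony/polyfill-ctype` exposes above.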