Jean85/pretty-package-versions

Retrieve root package information using native APIs

Closed this issue · 4 comments

Currently getRootPackageVersion does this:

```php
// Current implementation: resolves the root package by name, then looks that name up again.
public static function getRootPackageVersion(): Version
{
    return self::getVersion(self::getRootPackageName());
}
```

This seems dangerous if the user hasn't given a proper name to his project, or if he's using a name that is somehow provided or replaced by one of the installed dependencies. Since the root project name has no effect if the project itself is not a redistributed library, we could leverage the InstalledVersions::getRootPackage() API directly to avoid this kind of issue.

This has been originally discovered in getsentry/sentry-symfony#435

Also, PrettyVersions::getVersion() calls InstalledVersions::getReference($packageName) which can return null: https://github.com/composer/composer/blob/master/src/Composer/InstalledVersions.php#L170, while a string is required.

This is the actual code path that produces the fatal error, as I'm sure you're already aware of. But maybe the getVersion method should guard against that?
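As an added illustration (not the library's code, and not something posted in this thread), the following resolves the root package through Composer's InstalledVersions::getRootPackage() instead of a name lookup, and treats the reference as nullable rather than assuming a string. It assumes Composer 2 (so Composer\InstalledVersions exists) and PHP 8.0+; the RootVersion class is a hypothetical stand-in for the library's Version class.

```php
<?php
// Added example, not the library's own code. Assumes Composer 2 runtime API
// (Composer\InstalledVersions) and PHP 8.0+ for constructor promotion.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed project layout

use Composer\InstalledVersions;

// Hypothetical value object standing in for the library's Version class.
final class RootVersion
{
    public function __construct(
        private string $packageName,
        private string $prettyVersion,
        private ?string $reference, // nullable: Composer has no reference for replaced/provided packages
    ) {
    }

    public function getPackageName(): string
    {
        return $this->packageName;
    }

    // Short reference when available, otherwise an explicit placeholder instead of a fatal error.
    public function getShortVersion(): string
    {
        $ref = $this->reference !== null ? substr($this->reference, 0, 7) : 'no reference';

        return sprintf('%s@%s', $this->prettyVersion, $ref);
    }
}

function getRootPackageVersion(): RootVersion
{
    // getRootPackage() returns the root entry of installed.php directly, so an
    // unnamed root project or a root whose name collides with a replaced or
    // provided dependency is never re-resolved by name.
    $root = InstalledVersions::getRootPackage();

    return new RootVersion(
        $root['name'],
        $root['pretty_version'],
        $root['reference'] ?? null, // guard: do not pass a possibly-null value where a string is required
    );
}

echo getRootPackageVersion()->getShortVersion(), PHP_EOL;
```

Run from a project that has been installed with Composer 2; the output is the root package's pretty version followed by its short commit reference, or "no reference" when Composer recorded none.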

Reference is missing for replaced and provided packages, which 2.0.1 already guards against. I don't know if there are any other situations where that value would still be missing, but I don't think so.

...aaaaand we got the repro case in record time: getsentry/sentry-symfony#435 (comment)

[EDIT] FTR, opened #34 to track that.

Fixed in a1cfeec.