webflo/drupal-core-require-dev

Make drupal/core dependency less restrictive?

hawkeyetwolf opened this issue · 10 comments

Because the dependency on drupal/core is pegged to an exact version (e.g., 8.5.2), it is not possible to upgrade to the next version of drupal core (e.g., for a security upgrade) until the next version of webflo/drupal-core-require-dev has also been released. This is okay as long as you, @webflo, or another delegated party is right on top of the drupal core release cycles (and I'm sure you will be—great job so far!), but I wonder if it would be wise to make the drupal/core requirement less restrictive (e.g., ^8.5.2)? That would allow upgrading even if this package gets delayed, for any reason.

dxii commented

@derekderaps workaround is either running this command, composer require --dev webflo/drupal-core-require-dev ~8.5.2 or composer update drupal/core webflo/drupal-core-require-dev --with-dependencies

@dxii, the 8.5.3 tag of this project was created about 15-30 minutes after the Drupal core release came out, so you should not be seeing this error anymore. However, on one of my sites, the standard update command wouldn't work until I had changed the dependency versions. This doesn't make sense, and wasn't necessary on other sites of mine, but here you go in case it's helpful:

composer require --no-update drupal/core:~8.5.3
composer require --dev --no-update webflo/drupal-core-require-dev:~8.5.3
composer update drupal/core webflo/drupal-core-require-dev --with-dependencies

This bug also causes a much more problematic issue on production sites built via composer install --no-dev

When you go to update core via composer update drupal/core --with-dependencies --no-dev core does not update.

If you check why-not composer why-not drupal/core:8.5.3 then it lies to you There is no installed package depending on "drupal/core" in versions not matching 8.5.3

If you check your composer.lock file there is an entry for webflo/drupal-core-require-dev which includes "require": { "drupal/core": "8.5.2" } even though you never installed anything from require-dev

The only way to update core at this point is to run composer update drupal/core webflo/drupal-core-require-dev --with-dependencies --no-dev which installs drupal/core but not webflo/drupal-core-require-dev

I have verified this on a fresh install using composer create-project drupal-composer/drupal-project:8.x-dev some-dir --stability dev --no-interaction --no-dev

Maybe not spot on for this issue, but how did we end up with

composer update drupal/core webflo/drupal-core-require-dev --with-dependencies

for updating Drupal core instead of just

composer update drupal/core --with-dependencies

This is not very user-friendly.

Today I'm trying to upgrade my Raspberry Pi Dramble codebase to Drupal 8.6.0, but when I run composer update or the full recommended command as in the comment above, it sticks to 8.5.7. Running composer prohibits:

$ composer prohibits drupal/core:8.6.0
drupal-composer/drupal-project  dev-master  requires  drupal/core (~8.5.3)  
webflo/drupal-core-require-dev  8.5.7       requires  drupal/core (8.5.7) 

Update the version of webflo/drupal-core-require-dev. The 8.6 tag is already out:

Update composer.json:
"require-dev": { "webflo/drupal-core-require-dev": "~8.6" },

After that execute
composer update drupal/core webflo/drupal-core-require-dev --with-dependencies --no-dev

@zuuperman - It looks like the defaults were to use ~8.5.3 for drupal core and something similarly restrictive for this dependency (the tilde plus the minor version inclusion means it won't ever allow updating beyond 8.5.x!). I changed those following the example of this recently merged PR (drupal-composer/drupal-project#424) and did another composer update and things started working.

composer update drupal/core webflo/drupal-core-require-dev --with-dependencies

I had to do the same thing today to go from 8.6.9 to 8.6.10. It's not very clear or easy to figure out why you cannot update a minor version without that command.

Just ran into the same thing with 8.6.15 to 8.6.16. Agree that it would be nice if this were less restrictive

I decided that it's easier to just remove the dependency from my project composer.json and then just add it in if I need to write and run tests.

Can not currently update to 8.7.12 security update.