Make drupal/core dependency less restrictive?
hawkeyetwolf opened this issue · 10 comments
Because the dependency on drupal/core
is pegged to an exact version (e.g., 8.5.2
), it is not possible to upgrade to the next version of drupal core (e.g., for a security upgrade) until the next version of webflo/drupal-core-require-dev
has also been released. This is okay as long as you, @webflo, or another delegated party is right on top of the drupal core release cycles (and I'm sure you will be—great job so far!), but I wonder if it would be wise to make the drupal/core
requirement less restrictive (e.g., ^8.5.2
)? That would allow upgrading even if this package gets delayed, for any reason.
@derekderaps workaround is either running this command, composer require --dev webflo/drupal-core-require-dev ~8.5.2 or composer update drupal/core webflo/drupal-core-require-dev --with-dependencies
@dxii, the 8.5.3
tag of this project was created about 15-30 minutes after the Drupal core release came out, so you should not be seeing this error anymore. However, on one of my sites, the standard update command wouldn't work until I had changed the dependency versions. This doesn't make sense, and wasn't necessary on other sites of mine, but here you go in case it's helpful:
composer require --no-update drupal/core:~8.5.3
composer require --dev --no-update webflo/drupal-core-require-dev:~8.5.3
composer update drupal/core webflo/drupal-core-require-dev --with-dependencies
This bug also causes a much more problematic issue on production sites built via composer install --no-dev
When you go to update core via composer update drupal/core --with-dependencies --no-dev
core does not update.
If you check why-not composer why-not drupal/core:8.5.3
then it lies to you There is no installed package depending on "drupal/core" in versions not matching 8.5.3
If you check your composer.lock file there is an entry for webflo/drupal-core-require-dev which includes "require": { "drupal/core": "8.5.2" }
even though you never installed anything from require-dev
The only way to update core at this point is to run composer update drupal/core webflo/drupal-core-require-dev --with-dependencies --no-dev
which installs drupal/core but not webflo/drupal-core-require-dev
I have verified this on a fresh install using composer create-project drupal-composer/drupal-project:8.x-dev some-dir --stability dev --no-interaction --no-dev
Maybe not spot on for this issue, but how did we end up with
composer update drupal/core webflo/drupal-core-require-dev --with-dependencies
for updating Drupal core instead of just
composer update drupal/core --with-dependencies
This is not very user-friendly.
Today I'm trying to upgrade my Raspberry Pi Dramble codebase to Drupal 8.6.0, but when I run composer update
or the full recommended command as in the comment above, it sticks to 8.5.7. Running composer prohibits
:
$ composer prohibits drupal/core:8.6.0
drupal-composer/drupal-project dev-master requires drupal/core (~8.5.3)
webflo/drupal-core-require-dev 8.5.7 requires drupal/core (8.5.7)
Update the version of webflo/drupal-core-require-dev. The 8.6 tag is already out:
Update composer.json:
"require-dev": { "webflo/drupal-core-require-dev": "~8.6" },
After that execute
composer update drupal/core webflo/drupal-core-require-dev --with-dependencies --no-dev
@zuuperman - It looks like the defaults were to use ~8.5.3
for drupal core and something similarly restrictive for this dependency (the tilde plus the minor version inclusion means it won't ever allow updating beyond 8.5.x!). I changed those following the example of this recently merged PR (drupal-composer/drupal-project#424) and did another composer update
and things started working.
composer update drupal/core webflo/drupal-core-require-dev --with-dependencies
I had to do the same thing today to go from 8.6.9 to 8.6.10. It's not very clear or easy to figure out why you cannot update a minor version without that command.
Just ran into the same thing with 8.6.15 to 8.6.16. Agree that it would be nice if this were less restrictive
I decided that it's easier to just remove the dependency from my project composer.json and then just add it in if I need to write and run tests.
Can not currently update to 8.7.12 security update.