Can we delete composer.lock files in Crayfish, Crayfish-Commons? #1908
Comments
https://getcomposer.org/doc/01-basic-usage.md#installing-from-composer-lock
... so it depends on how much we trust those repos at which we point to correctly follow semantic versioning? ... that said, including the composer.lock, we could probably make use of something like Dependabot to automatically create PRs when it detects that there are newer versions: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates
See discussion in notes: https://github.com/Islandora/documentation/wiki/October-6,-2021
There are some dependabot PRs on Crayfish that do what @adam-vessey says: https://github.com/Islandora/Crayfish/pulls The discussion @kstapelfeldt pointed to left me thinking:
In the interests of time, we focused on getting that semantic versioning PR in with minimal damage to the existing lock files, but the larger issue still stands - the lock files are getting stale and in some cases could be hazardous. That repo in general needs some love - moving to Symfony, and looking at Dependabot's PRs. Those should probably be addressed, then we can return to this discussion.
Just to put some notes here from mucking around. Depending on the system environment that is used when either creating the first lock file or updating it, the generated lock file's contents can change. So, for example, if the system has PHP 7.4 installed, composer will choose the package that supports PHP 7.4 when generating the lock file in the cases where a dependency supports multiple versions like That being said, lock files are great, I just think they should be used in the tools that have control over the system, so in our case Isle and the Ansible Playbook. That way those builds are reproducible, even if they both use a different version of PHP, etc.
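An added example, not part of the comment above or of the Islandora code base: a Python check of the point about PHP versions, listing the locked packages whose `php` requirement excludes a given runtime. The lock content and package names are constructed, and only a subset of Composer's constraint syntax is handled (an assumption of this sketch).

```python
import json
import re

# Constructed sample: a trimmed composer.lock (package names are made up).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/modern-lib", "version": "3.1.0", "require": {"php": ">=8.0"}},
    {"name": "example/wide-lib", "version": "2.4.1", "require": {"php": "^7.4 || ^8.0"}},
    {"name": "example/legacy-lib", "version": "1.9.0", "require": {"php": "~7.3.0"}},
    {"name": "example/no-php-req", "version": "0.5.0", "require": {}},
]})

def _ver(text):
    """'7.4' -> (7, 4, 0); missing parts are padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def _term_ok(term, php):
    """Evaluate one term; only >=, <=, >, <, =, ^ and ~ are handled (assumption)."""
    m = re.fullmatch(r"(>=|<=|>|<|\^|~|=)?v?(\d+(?:\.\d+){0,2})", term)
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    op, raw = m.group(1) or "=", m.group(2)
    v = _ver(raw)
    if op == "^":  # up to the next major (valid for major >= 1, as with PHP)
        return v <= php < (v[0] + 1, 0, 0)
    if op == "~":  # ~7.3 -> <8.0.0, ~7.3.0 -> <7.4.0
        upper = (v[0], v[1] + 1, 0) if raw.count(".") == 2 else (v[0] + 1, 0, 0)
        return v <= php < upper
    return {">=": php >= v, "<=": php <= v, ">": php > v, "<": php < v, "=": php == v}[op]

def php_ok(constraint, php_version):
    """True if php_version satisfies a Composer-style 'php' constraint."""
    php = _ver(php_version)
    for alt in re.split(r"\s*\|\|?\s*", constraint.strip()):      # '||' = OR
        alt = re.sub(r"(>=|<=|>|<|\^|~|=)\s+", r"\1", alt)        # '>= 7.4' -> '>=7.4'
        if all(_term_ok(t, php) for t in re.split(r"[,\s]+", alt) if t):  # AND
            return True
    return False

def lock_conflicts(lock_text, php_versions):
    """Map each PHP version to the locked packages whose 'php' requirement excludes it."""
    lock = json.loads(lock_text)
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    return {php: [(p["name"], p["version"], p["require"]["php"]) for p in pkgs
                  if "php" in p.get("require", {}) and not php_ok(p["require"]["php"], php)]
            for php in php_versions}

if __name__ == "__main__":
    for php, bad in lock_conflicts(SAMPLE_LOCK, ["7.4", "8.0", "8.1"]).items():
        print(php, "->", [f"{n} {v} (php {c})" for n, v, c in bad] or "ok")
```

Run against a real lock file by passing its text and the PHP versions in the test matrix; a non-empty list for a version means the lock was resolved on a runtime that version cannot install from.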
General consensus from the Tech Call today is that we can remove
- Removed lock file - Updated test matrix For reasons behind removing the lock file see: https://islandora.slack.com/archives/CM5PPAV28/p1659631615201049 Islandora/documentation#1908 (Removal approved) Instead we'll provide lock files in isle and ansible deployments.
- Removed lock file - Updated test matrix For reasons behind removing the lock file see: https://islandora.slack.com/archives/CM5PPAV28/p1659631615201049 Islandora/documentation#1908 (Removal approved) Instead we'll provide lock files in isle and ansible deployments. Additionally moving to drop tests for 7.3 as it is no longer supported by Drupal 9.4 and up.
- Removed lock file - Updated test matrix - Fixed tests to work on php 7.4, 8.0, 8.1 For reasons behind removing the lock file see: https://islandora.slack.com/archives/CM5PPAV28/p1659631615201049 Islandora/documentation#1908 (Removal approved) Instead we'll provide lock files in isle and ansible deployments. Additionally moving to drop tests for 7.3 as it is no longer supported by Drupal 9.4 and up.
* Attempt to get working under PHP 8.1 - Removed lock file - Updated test matrix - Fixed tests to work on php 7.4, 8.0, 8.1 For reasons behind removing the lock file see: https://islandora.slack.com/archives/CM5PPAV28/p1659631615201049 Islandora/documentation#1908 (Removal approved) Instead we'll provide lock files in isle and ansible deployments. Additionally moving to drop tests for 7.3 as it is no longer supported by Drupal 9.4 and up. * Removed debug code
In Crayfish and Crayfish Commons, we have composer.json and composer.lock files.
If we want to use these with Composer as per how Semantic Versioning should work, shouldn't we delete the .lock files?