running "composer require" from composer-script mangles the ^ version constraint

[staabm]

My composer.json:

{
	"scripts": {
		"bug": [
			"@composer require doctrine/dbal:^3 --ignore-platform-req=php+"
		]
	}
}

Output of composer diagnose:

$ composer diagnose
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
require.doctrine/dbal : exact version constraints (3) should be avoided if the package follows semantic versioning
Checking platform settings: OK
Checking git settings: OK git version 2.45.0
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK does not expire
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking Composer version: OK
Checking Composer and its dependencies for vulnerabilities: OK
Composer version: 2.7.6
PHP version: 8.2.12
PHP binary path: C:\tools\php82\php.exe
OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
curl version: 8.4.0 libz 1.2.12 ssl OpenSSL/3.0.11
zip: extension present, unzip present, 7-Zip present (7z)

When I run this command:

composer bug

I get the following output:

composer.json changes to

{
	"scripts": {
		"bug": [
			"@composer require doctrine/dbal:^3 --ignore-platform-req=php+"
		]
	},
	"require": {
		"doctrine/dbal": "3"
	}
}

And I expected this to happen:

composer.json changes to

{
	"scripts": {
		"bug": [
			"@composer require doctrine/dbal:^3 --ignore-platform-req=php+"
		]
	},
	"require": {
		"doctrine/dbal": "^3"
	}
}

see the missing ^ in the require constraint

---

when running

composer require doctrine/dbal:^3 --ignore-platform-req=php+

strait from the commandline everything works as expected

[fredden]

For me (on Debian Linux with zsh as my shell, Composer v2.7.6), this works as expected. It looks like you're on Windows (confirmed by the path to PHP in the composer diagnose output), so this is most probably an escaping issue. I wonder if Composer should escape all shell-special characters before invoking a command. I don't know off the top of my head if there are different escaping requirements between PowerShell and cmd.exe.
What shell are you using?

[staabm]

I was running this command in git bash for windows.

I will try cmd and powershell when back at the PC

[Seldaek]

Yeah in some windows contexts/shells ^ must be escaped as ^^. I am not sure if we really can fix this without causing more problems..

Probably rather use doctrine/dbal:3.* or some alternative way to write this constraint.. I know it's not a great answer but I don't see a better way without parsing commands fully etc, which is a pandora's box I would rather not open.

[staabm]

Maybe DX wise we could do it the other way arround: emit a warning when platform specific or known problematic characters are contained in a command line?