Composer merge plugin dependencies are not correctly updated

[paul121]

Describe the bug

Following the Updating dependencies with composer documentation produces the following bug where the composer.project.json dependencies included by the composer merge plugin are not correctly updated.

This is not currently a large issue because there are only two non-dev dependencies in composer.project.json.

farmOS/composer.project.json

Lines 1 to 5 in 93e13d6

	{
	"require": {
	"cweagans/composer-patches": "^1.7",
	"drupal/core-composer-scaffold": "9.5.3"
	},

This only becomes an issue when a new release of farmOS comes with changes to either of these additional project dependencies. Unfortunately because we pin drupal/core-composer-scaffold we typically change this dependency with each release of farmOS, so in practice this is an issue with every release of farmOS.

To Reproduce
Steps to reproduce the behavior:

1. Pin farmOS dependency to 2.0.0-rc1 in composer.json.
2. Install project for the first time: composer install --no-dev. Observe that drupal/core and drupal/core-composer-scaffold are both installed and locked to 9.4.9
3. Pin farmOS dependency to 2.0.0 in composer.json.
4. Update dependencies: composer update --no-dev. Observe that drupal/core is updated to 9.5.0 but drupal/core-composer-scaffold is not updated.

$ ddev composer update --no-dev
Xdebug: [Step Debug] Could not connect to debugging client. Tried: host.docker.internal:9003 (through xdebug.client_host/xdebug.client_port) :-(
Loading composer repositories with package information                                                                                                                                                                                                             Updating dependencies                                 
Lock file operations: 0 installs, 2 updates, 0 removals
  - Upgrading drupal/core (9.4.9 => 9.5.0)
  - Upgrading farmos/farmos (2.0.0-rc1 => 2.0.0)
Writing lock file

5. Pin farmOS dependency to 2.0.1 in composer.json.
6. Update dependencies: composer update --no-dev. Observe that drupal/core is updated to 9.5.3 but drupal/core-composer-scaffold is only updated to 9.5.0.

$ ddev composer update --no-dev
Xdebug: [Step Debug] Could not connect to debugging client. Tried: host.docker.internal:9003 (through xdebug.client_host/xdebug.client_port) :-(
Loading composer repositories with package information                                                                                                                                                                                                             Updating dependencies                                 
Lock file operations: 0 installs, 3 updates, 0 removals
  - Upgrading drupal/core (9.5.0 => 9.5.3)
  - Upgrading drupal/core-composer-scaffold (9.4.9 => 9.5.0)
  - Upgrading farmos/farmos (2.0.0 => 2.0.1)
Writing lock file

Expected behavior
Composer update instructions updates all dependencies.

I believe the fix is to actually run composer update --no-dev twice to include updates from sub-level composer.json files. As documented in composer merge plugin: https://github.com/wikimedia/composer-merge-plugin#updating-sub-levels-composerjson-files

For example, after step 4 above, running composer update --no-dev again correctly updates drupal/core-composer-scaffold:

$ ddev composer update --no-dev
Xdebug: [Step Debug] Could not connect to debugging client. Tried: host.docker.internal:9003 (through xdebug.client_host/xdebug.client_port) :-(
Loading composer repositories with package information                                                                                                                                                                                                             Updating dependencies                                 
Lock file operations: 0 installs, 1 update, 0 removals
  - Upgrading drupal/core-composer-scaffold (9.4.9 => 9.5.0)
Writing lock file

[paul121]

We also have duplicate and mismatching cwegans/composer-patches dependencies. Could we remove this from composer.project.json? If it really is needed as a root dependency, would this make sense to include in farmOS/composer-project ?

composer.json:

farmOS/composer.json

Line 19 in 93e13d6

"cweagans/composer-patches": "^1.6",

composer.project.json:

farmOS/composer.project.json

Line 3 in 93e13d6

"cweagans/composer-patches": "^1.7",

[mstenta]

Wow that's annoying. Oh well, I guess we just need to add that to the documentation at https://farmos.org/hosting/composer/#updating-dependencies?

We also have duplicate and mismatching cwegans/composer-patches dependencies. Could we remove this from composer.project.json? If it really is needed as a root dependency, would this make sense to include in farmOS/composer-project ?

This is sort of complicated... maybe just from a conceptual standpoint, if not from an actual code standpoint.

Yes, we could move it to https://github.com/farmOS/composer-project/blob/2.x/composer.json, and it would work. Ultimately the dependency needs to be in the root project composer.json in order for the plugin to run and for patches to be applied, as I understand it.

The reason I put it in composer.project.json largely comes down to the purpose of composer.project.json in the first place: to be able to manage dependencies that are needed in the project composer.json from within the farmOS repository. This allows us to change things in composer.project.json without requiring downstream projects to update their composer.json.

Right now, the project composer.json (https://github.com/farmOS/composer-project/blob/2.x/composer.json) does not apply any patches, so technically it doesn't need cweagans/composer-patches. farmOS needs to apply patches, though, so it uses composer.project.json to merge those requirements into the project composer.json. Hypothetically, if in the future farmOS no longer needs to patch anything, it could remove cweagans/composer-patches from composer.project.json, and all downstream projects would drop it as well. This is probably not going to happen anytime soon, but that's the idea from a "purist" perspective: keep the composer-project's composer.json as simple as possible, because we don't have control over that once it is instantiated by downstream projects.

Perhaps we could remove it from the farmOS composer.json. If I remember correctly, the only reason I put it in there was because that's where the patches are actually defined, so it seemed like it would be best-practice to reference the package that is responsible for that configuration in the same composer.json, even if it wasn't used, and even if it meant duplicating it in both files. The idea being: if you took composer.project.json and farmOS/composer-project out of the picture, and looked at farmOS's composer.json in isolation, if you had patches but no cweagans/composer-patches it wouldn't make sense. But maybe trying to think about it in isolation is meaningless. Any project that included farmos/farmos as a dependency would need to apply the patches it needs using cweagans/composer-patches...

[mstenta]

This just reminded me of an open issue I discovered a little while back: wikimedia/composer-merge-plugin#252

That issue is specifically about composer-merge-plugin running composer update automatically after composer install. Maybe they do that to get around this same issue. It's during install in that case... but in our case it sounds like we essentially need to do the same thing after composer update to work around the way that composer-merge-plugin works.

[mstenta]

Hmm I just tested this myself and didn't notice the issue. Here is what I did:

1. Updated farmos/farmos dependency in composer.json from 2.0.1 to 2.0.3.
2. Ran composer update --no-dev
3. Ran git add . to stage the changes to composer.json and composer.lock.
4. Ran composer update --no-dev again.
5. Ran git status but it doesn't show any additional changes to
6. Inspecting the staged changes, I can see that both drupal/core and drupal/core-composer-scaffold were updated to 9.5.5.

@paul121 did I do something different? Or am I misunderstanding the context when the issue occurs?

[paul121]

That issue is specifically about composer-merge-plugin running composer update automatically after composer install.

Yes! If you inspect the composer output after running composer install you can see this happen. I believe there is a composer core limitation that prevents them from doing this with composer update. Worst case it could turn into an infinite loop as well.

@paul121 did I do something different? Or am I misunderstanding the context when the issue occurs?

That seems like correct steps. Although did you try this from a truly fresh install? In my testing I started by rm -r vendor and composer install --no-dev. I think this could be important. For example, if you started with 2.0.3 installed, then changed to 2.0.1, and then update to 2.0.3, with what I described above drupal/core-composer-scaffold would have started and ended at 9.5.5 and no resulting change. Although you did commit into git in the intermediary... hmm.

What was your composer output?

[mstenta]

Hmm, no I did not start from a fresh install. I had an existing composer.json and composer.lock. I manually updated farmos/farmos in composer.json and then ran composer update --no-dev.

I need to wrap my head around the "fresh install" scenario you're describing... but if this is not an issue with normal updates (running composer update --no-dev on an existing install) then maybe we don't need to update our docs? 🤔

[paul121]

but if this is not an issue with normal updates (running composer update --no-dev on an existing install) then maybe we don't need to update our docs? thinking

I think the issue is just that your test case didn't change the drupal core version enough times. It stared and ended with the same 9.5.5 which may be hard to notice. I would be curious if you did this 2.0.1 to 2.0.2 to 2.0.3 and see what happens, since the drupal core version changed with each release.

[mstenta]

No it started with drupal/core 9.5.3 and changed to 9.5.5. Sorry if I didn't make that clear. Here is the diff after updating from 2.0.1 to 2.0.3 and running composer update --dev once.:

diff --git a/services/farmos/composer.json b/services/farmos/composer.json
index 5fc4e3f21..b46ce2783 100644
--- a/services/farmos/composer.json
+++ b/services/farmos/composer.json
@@ -20,7 +20,7 @@
         }
     ],
     "require": {
-        "farmos/farmos": "2.0.1",
+        "farmos/farmos": "2.0.3",
         "farmier/farmier": "*",
         "oomphinc/composer-installers-extender": "^2",
         "wikimedia/composer-merge-plugin": "^2.0"
diff --git a/services/farmos/composer.lock b/services/farmos/composer.lock
index 0b07a9b46..8c1bd05dd 100644
--- a/services/farmos/composer.lock
+++ b/services/farmos/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "7b66e58aa380444d74c69bac480b99a2",
+    "content-hash": "df8c3e6d84bd4c579cb2426c3e550de0",
     "packages": [
         {
             "name": "agralogics/farm_agralogics",
@@ -1634,16 +1634,16 @@
         },
         {
             "name": "drupal/core",
-            "version": "9.5.3",
+            "version": "9.5.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/drupal/core.git",
-                "reference": "67e34a5e8f48cafdd5c26e778a9570860e2d44a5"
+                "reference": "eae5e76a8b403cbd42b3465f567313b52d78b0dc"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/drupal/core/zipball/67e34a5e8f48cafdd5c26e778a9570860e2d44a5",
-                "reference": "67e34a5e8f48cafdd5c26e778a9570860e2d44a5",
+                "url": "https://api.github.com/repos/drupal/core/zipball/eae5e76a8b403cbd42b3465f567313b52d78b0dc",
+                "reference": "eae5e76a8b403cbd42b3465f567313b52d78b0dc",
                 "shasum": ""
             },
             "require": {
@@ -1795,22 +1795,22 @@
             ],
             "description": "Drupal is an open source content management platform powering millions of websites and applications.",
             "support": {
-                "source": "https://github.com/drupal/core/tree/9.5.3"
+                "source": "https://github.com/drupal/core/tree/9.5.5"
             },
-            "time": "2023-02-01T19:47:31+00:00"
+            "time": "2023-03-15T14:30:25+00:00"
         },
         {
             "name": "drupal/core-composer-scaffold",
-            "version": "9.5.3",
+            "version": "9.5.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/drupal/core-composer-scaffold.git",
-                "reference": "df1f779d3f94500f6cc791427aa729e0ba4b2464"
+                "reference": "c78779acff7b39fc0f29ff1edd710361c15ed87b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/drupal/core-composer-scaffold/zipball/df1f779d3f94500f6cc791427aa729e0ba4b2464",
-                "reference": "df1f779d3f94500f6cc791427aa729e0ba4b2464",
+                "url": "https://api.github.com/repos/drupal/core-composer-scaffold/zipball/c78779acff7b39fc0f29ff1edd710361c15ed87b",
+                "reference": "c78779acff7b39fc0f29ff1edd710361c15ed87b",
                 "shasum": ""
             },
             "require": {
@@ -1845,9 +1845,9 @@
                 "drupal"
             ],
             "support": {
-                "source": "https://github.com/drupal/core-composer-scaffold/tree/9.5.3"
+                "source": "https://github.com/drupal/core-composer-scaffold/tree/9.5.5"
             },
-            "time": "2022-06-19T16:14:18+00:00"
+            "time": "2023-03-09T21:29:23+00:00"
         },
         {
             "name": "drupal/csv_serialization",
@@ -4722,16 +4722,16 @@
         },
         {
             "name": "farmos/farmos",
-            "version": "2.0.1",
+            "version": "2.0.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/farmOS/farmOS.git",
-                "reference": "93e13d6f8384b6026110754dc2fc7a403f82847e"
+                "reference": "c981875d65a1c74ea50ecdd8e92b855ff69760bf"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/farmOS/farmOS/zipball/93e13d6f8384b6026110754dc2fc7a403f82847e",
-                "reference": "93e13d6f8384b6026110754dc2fc7a403f82847e",
+                "url": "https://api.github.com/repos/farmOS/farmOS/zipball/c981875d65a1c74ea50ecdd8e92b855ff69760bf",
+                "reference": "c981875d65a1c74ea50ecdd8e92b855ff69760bf",
                 "shasum": ""
             },
             "require": {
@@ -4739,7 +4739,7 @@
                 "drupal/admin_toolbar": "^3.2",
                 "drupal/config_update": "^1.7",
                 "drupal/consumers": "^1.15",
-                "drupal/core": "9.5.3",
+                "drupal/core": "9.5.5",
                 "drupal/csv_serialization": "^2.0",
                 "drupal/date_popup": "^1.1",
                 "drupal/entity": "1.4",
@@ -4777,7 +4777,8 @@
                         "Issue #2429699: Add Views EntityReference filter to be available for all entity reference fields.": "https://www.drupal.org/files/issues/2021-12-02/2429699-453-9.3.x.patch",
                         "Issue #2339235: Remove taxonomy hard dependency on node module": "https://www.drupal.org/files/issues/2021-12-09/2339235-9.3.x-76.patch",
                         "Issue #1874838: Allow exposed blocks to use 'Link display' settings": "https://www.drupal.org/files/issues/2021-11-11/1874838-26.patch",
-                        "Issue #2909128: Autocomplete not working on Chrome Android": "https://www.drupal.org/files/issues/2022-12-16/drupal-2909128-9.5.x-74.patch"
+                        "Issue #2909128: Autocomplete not working on Chrome Android": "https://www.drupal.org/files/issues/2022-12-16/drupal-2909128-9.5.x-74.patch",
+                        "Issue #3266341: Views pagers do math on disparate data types, resulting in type errors in PHP 8": "https://www.drupal.org/files/issues/2022-09-23/3266341-26.patch"
                     },
                     "drupal/entity": {
                         "Issue #3206703: Provide reverse relationships for bundle plugin entity_reference fields.": "https://www.drupal.org/files/issues/2022-05-11/3206703-10.patch"
@@ -4816,7 +4817,7 @@
                 "docs": "https://farmOS.org/guide",
                 "forum": "https://farmOS.discourse.group",
                 "issues": "https://github.com/farmOS/farmOS/issues",
-                "source": "https://github.com/farmOS/farmOS/tree/2.0.1"
+                "source": "https://github.com/farmOS/farmOS/tree/2.0.3"
             },
             "funding": [
                 {
@@ -4828,7 +4829,7 @@
                     "type": "open_collective"
                 }
             ],
-            "time": "2023-02-08T22:54:06+00:00"
+            "time": "2023-03-15T18:35:20+00:00"
         },
         {
             "name": "farmos/farmos-map",

[paul121]

Weird. I did the same, 2.0.1 -> 2.0.3 and drupal/core-composer-scaffold is not updated.

Can you share the console output of composer update --no-dev like I did above? I'm really curious to see if logs that it is updating this package. Maybe your composer update does get run twice for some reason. Also my composer version is 2.4.4

My composer.lock:

diff --git a/composer.lock b/composer.lock
index 5ea4cf7..adc3225 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "44d28c6209c182cdf9c5c1be31eae902",
+    "content-hash": "7b42fdb373399f9a190cccd0b183a97a",
     "packages": [
         {
             "name": "asm89/stack-cors",
@@ -1535,16 +1535,16 @@
         },
         {
             "name": "drupal/core",
-            "version": "9.5.3",
+            "version": "9.5.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/drupal/core.git",
-                "reference": "67e34a5e8f48cafdd5c26e778a9570860e2d44a5"
+                "reference": "eae5e76a8b403cbd42b3465f567313b52d78b0dc"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/drupal/core/zipball/67e34a5e8f48cafdd5c26e778a9570860e2d44a5",
-                "reference": "67e34a5e8f48cafdd5c26e778a9570860e2d44a5",
+                "url": "https://api.github.com/repos/drupal/core/zipball/eae5e76a8b403cbd42b3465f567313b52d78b0dc",
+                "reference": "eae5e76a8b403cbd42b3465f567313b52d78b0dc",
                 "shasum": ""
             },
             "require": {
@@ -1696,9 +1696,9 @@
             ],
             "description": "Drupal is an open source content management platform powering millions of websites and applications.",
             "support": {
-                "source": "https://github.com/drupal/core/tree/9.5.3"
+                "source": "https://github.com/drupal/core/tree/9.5.5"
             },
-            "time": "2023-02-01T19:47:31+00:00"
+            "time": "2023-03-15T14:30:25+00:00"
         },
         {
             "name": "drupal/core-composer-scaffold",
@@ -3842,16 +3842,16 @@
         },
         {
             "name": "farmos/farmos",
-            "version": "2.0.1",
+            "version": "2.0.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/farmOS/farmOS.git",
-                "reference": "93e13d6f8384b6026110754dc2fc7a403f82847e"
+                "reference": "c981875d65a1c74ea50ecdd8e92b855ff69760bf"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/farmOS/farmOS/zipball/93e13d6f8384b6026110754dc2fc7a403f82847e",
-                "reference": "93e13d6f8384b6026110754dc2fc7a403f82847e",
+                "url": "https://api.github.com/repos/farmOS/farmOS/zipball/c981875d65a1c74ea50ecdd8e92b855ff69760bf",
+                "reference": "c981875d65a1c74ea50ecdd8e92b855ff69760bf",
                 "shasum": ""
             },
             "require": {
@@ -3859,7 +3859,7 @@
                 "drupal/admin_toolbar": "^3.2",
                 "drupal/config_update": "^1.7",
                 "drupal/consumers": "^1.15",
-                "drupal/core": "9.5.3",
+                "drupal/core": "9.5.5",
                 "drupal/csv_serialization": "^2.0",
                 "drupal/date_popup": "^1.1",
                 "drupal/entity": "1.4",
@@ -3897,7 +3897,8 @@
                         "Issue #2429699: Add Views EntityReference filter to be available for all entity reference fields.": "https://www.drupal.org/files/issues/2021-12-02/2429699-453-9.3.x.patch",
                         "Issue #2339235: Remove taxonomy hard dependency on node module": "https://www.drupal.org/files/issues/2021-12-09/2339235-9.3.x-76.patch",
                         "Issue #1874838: Allow exposed blocks to use 'Link display' settings": "https://www.drupal.org/files/issues/2021-11-11/1874838-26.patch",
-                        "Issue #2909128: Autocomplete not working on Chrome Android": "https://www.drupal.org/files/issues/2022-12-16/drupal-2909128-9.5.x-74.patch"
+                        "Issue #2909128: Autocomplete not working on Chrome Android": "https://www.drupal.org/files/issues/2022-12-16/drupal-2909128-9.5.x-74.patch",
+                        "Issue #3266341: Views pagers do math on disparate data types, resulting in type errors in PHP 8": "https://www.drupal.org/files/issues/2022-09-23/3266341-26.patch"
                     },
                     "drupal/entity": {
                         "Issue #3206703: Provide reverse relationships for bundle plugin entity_reference fields.": "https://www.drupal.org/files/issues/2022-05-11/3206703-10.patch"
@@ -3936,7 +3937,7 @@
                 "docs": "https://farmOS.org/guide",
                 "forum": "https://farmOS.discourse.group",
                 "issues": "https://github.com/farmOS/farmOS/issues",
-                "source": "https://github.com/farmOS/farmOS/tree/2.0.1"
+                "source": "https://github.com/farmOS/farmOS/tree/2.0.3"
             },
             "funding": [
                 {
@@ -3948,7 +3949,7 @@
                     "type": "open_collective"
                 }
             ],
-            "time": "2023-02-08T22:54:06+00:00"
+            "time": "2023-03-15T18:35:20+00:00"
         },
         {
             "name": "farmos/farmos-map",

[mstenta]

I just rolled back to my previous commit, manually changed 2.0.1 to 2.0.3 in my composer.json and ran composer update --dev and this is what I see:

Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Lock file operations: 0 installs, 3 updates, 0 removals
  - Upgrading drupal/core (9.5.3 => 9.5.5)
  - Upgrading drupal/core-composer-scaffold (9.5.3 => 9.5.5)
  - Upgrading farmos/farmos (2.0.1 => 2.0.3)
Writing lock file
...

[mstenta]

Oh and my composer version:

Composer version 2.5.4 2023-02-15 13:10:06

I'm running this inside the farmOS Docker image, for what it's worth. So that's the version in the image.

[paul121]

I just rolled back to my previous commit, manually changed 2.0.1 to 2.0.3 in my composer.json and ran composer update --dev and this is what I see:

I just did the same rollback and got the same message, all updated to 9.5.5. But... call me crazy... I still don't trust this as a test though... I believe some sort of state is being maintained outside of composer.lock. Perhaps composer has cached the dependencies from 2.0.3 when previously installed, so when rolling back and doing the install again, this isn't too accurate.

I would be curious if you did this 2.0.1 to 2.0.2 to 2.0.3 and see what happens, since the drupal core version changed with each release.

I just tested this with our docker image in a fresh install, going from 2.0.1 to 2.0.2 and finally 2.0.3. I get the same behavior as I originally reported. It is important to start by removing vendor and composer.lock for an initial install with composer install --no-dev. Updating sequentially with each of these versions from a fresh install should simulate the issue.

[mstenta]

Interesting! Seems like we're getting closer to the root circumstance...

It is important to start by removing vendor and composer.lock for an initial install with composer install --no-dev. Updating sequentially with each of these versions from a fresh install should simulate the issue.

I'll have to try this myself next...

Well, maybe if we figure out exactly what leads to it we can find a targeted fix that doesn't require running composer update twice... or maybe that will be unavoidable... 🤷

[paul121]

I experienced this again with the latest 2.2 release. I needed to run composer update twice before I got the new v2.2.2 dependency of farmOS-map.

[mstenta]

I experienced this with 3.0.0 (Drupal 10.2.1). It required composer update twice to get the correct version of drupal/core-composer-scaffold, as you described in the original issue description @paul121...

Attempting: composer update --no-dev
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 1 update, 0 removals
  - Upgrading drupal/core-composer-scaffold (10.1.6 => 10.2.1)
Writing lock file
Installing dependencies from lock file
Package operations: 0 installs, 1 update, 0 removals
  - Downloading drupal/core-composer-scaffold (10.2.1)
No patches supplied.
Gathering patches for dependencies. This might take a minute.
  - Upgrading drupal/core-composer-scaffold (10.1.6 => 10.2.1): Extracting archive
Generating autoload files
55 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found.

[mstenta]

Note that this also affects patches. I had to run composer update twice in order to get a new patch applied locally.

[mstenta]

I wonder if we could fix this with a Composer script in this repository that is triggered by the post-update-cmd event, to automatically run update again. Feels like a bad idea... but if this is going to be a persistent problem for people who are managing farmOS via Composer maybe we should consider it. I wonder if we could add a message that explains the situation like: "farmOS includes a Composer script that runs composer update twice to ensure all composer-merge-plugin dependencies are updated. To turn this off, ..."

[mstenta]

I opened a PR to add a quick documentation fix as a temporary measure while we figure this out... #786