FEATURE: Detect indirect usage of direct requirements

[icanhazstring]

Originally posted by @MGatner in #234

This happens if the root package will require a package that is not directly used by the root, but by another direct dependency. Those packages will currently be marked as unused while they are technically in use in an indirect way.

We need to actually also scan second level usage to mark indirect dependencies used.
Currently we only scan for provided symbols from a dependency, but we need to also scan for used symbols (like in the root package)

[ComiR]

I would argue that even the current implementation is not what I'd expect. Packages that are only referenced (or required) in dependencies of mine should be marked as unused, since I don't actually use them.

I know there are different opinions on how to handle such indirect dependencies. Some would like to declare them, but I'd like to keep my declared dependencies to those I actually use (otherwise you could declare the whole dependency tree as a direct dependency). So I'd be in favour of making indirect dependency checking optional.

However, the problem with dependencies like monolog/monolog, which might only be needed to fulfil psr/log, would remain if you'd only configure it by declaring it as a Symfony service.

[icanhazstring]

Packages that are only referenced (or required) in dependencies of mine should be marked as unused, since I don't actually use them.

If no symbol of your required packages are used, they are marked as unused.

otherwise you could declare the whole dependency tree as a direct dependency

On the contrary: This only works for your required packages. If any symbol of that is directly used by another of your direct dependencies. Then both should be marked as used.

But I think yes, to have an option to skip indirect usage would be some option to provide.

[VincentLanglet]

We need to actually also scan second level usage to mark indirect dependencies used. Currently we only scan for provided symbols from a dependency, but we need to also scan for used symbols (like in the root package)

Hi @icanhazstring, I'm not sure will would be 100% benefit.

Let's I use a library A.
It provide a FooEvent and a FooEventListener (and many others things).

If I want to use the FooEvent/FooEventListener, I need to install the library B.
As an example this kind of sub-dependency is needed for https://symfony.com/doc/current/scheduler.html#cron-expression-triggers

I can be in the situation where:

• I only use FooEvent in my code
• The lib B is not "used" in my project
• The lib B is not "used" in the FooEvent class
• But the lib B is used by the FooEventListener, which is triggered by the FooEvent indirectly.

With this situation

• Scanning classed I used won't detect the lib B since I only use FooEvent which don't use lib B "directly".
• Scanning all the classes of all required libraries are not a good solution because if I don't use the FooEvent, I don't need to require the library B.

In the same way that I can do

$config
        ->setAdditionalFilesFor('weglot/core', [
            __FILE__,
            __DIR__.'/config/bundles.php',
        ]);

I would have expect a way to write something like

$config
        ->setConditionalDependencies(FooEvent::class, 'libraryB');

to tell composer-unused that

• If I use FooEvent::class, I need 'libraryB'
• As soon as I don't use FooEvent::class anymore, I can remove libraryB