PHP lookup constraints #18715
Comments
rarkins
added
type:feature
|
Hi there, Get your issue fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible. Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this. To get started, please read our guide on creating a minimal reproduction. We may close the issue if you, or someone else, haven't created a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment. Good luck, The Renovate team |
This seems like a NodeJS ecosystem detail, but in general, SemVer allows changing dependency ranges as long as the exposed API (declared or inherited from dependencies) doesn't change in breaking ways. You could say that "the NodeJS ecosystem does it this way", but nothing prevents bumping the dependency to
We have 2 problems to solve:
The "would it work?" section above is overly simplistic, and seems to consider the The SAT mechanism inside I wouldn't recommend rewriting that outside
Perhaps we can come up with some upgrade scenarios with current |
Now although I see your opinion is firmly about using |
|
Sorry, I stashed the discussion on the side for a while :-) Answering questions from bullet points above
This makes sense inside @renovatebot: you build a product, and you support the current use-cases, and I absolutely understand that. As library maintainers, we try to pioneer the way things should be done: some approaches will stick, others won't. I have a good track record of both successes and failures there, but please imagine this discussion as an attempt to improve the situation (or failing at doing so), rather than following the herd :)
Disagree:
Understandable limitation, and using full SAT would probably make renovate way too expensive to run anyway.
To clarify the scope of the initial discussion, the problem was the opposite: libraries had stricter dependency ranges, and "bumping" to then caused incompatibilities.
This works for applications, which are leafs in a dependency graph, but for libraries, where downstream BC is important, incompatible upgrades become very noisy, compared to the healthy signal of "this is what you can upgrade to".
This is certainly an option: having such upgrades reported in the "dependency dashboard" would be super-neat, for example. I think lock file upgrades are still managed via SAT and ecosystem-specific dependency ranges though: won't that strain your infrastructure?
Un-doing diffs is complex: probably not a viable approach.
For the one day where we introduced A more practical example of the OP issueAs an example, take these 3 dependencies. {
"name": "my/project",
"require": {
"dependency/a": "^1",
"dependency/b": "^1"
}
}{
"name": "dependency/a"
"version": "1"
"require": {
"dependency/b": "^1"
}
}{
"name": "dependency/b"
"version": "1"
}With following change in the ecosystem: {
"name": "dependency/a"
- "version": "1"
- "version": "2"
- "require": {
- "dependency/b": "^1"
- }
+ "conflict": {
+ "dependency/b": "*"
+ }
}{
"name": "dependency/b"
- "version": "1"
+ "version": "1.1"
}The issue that we had with renovate so far (which sparked the entire discussion) is that renovate will propose this impossible upgrade with the {
"name": "my/project",
"require": {
- "dependency/a": "^1",
+ "dependency/a": "^2",
- "dependency/b": "^1"
+ "dependency/b": "^1.1"
}
}Doing this consciously with the {
"name": "my/project",
"require": {
"dependency/a": "^1",
- "dependency/b": "^1"
+ "dependency/b": "^1.1"
}
}With this approach, we could apply specific labels to |
|
Meanwhile, experienced the same problematic behavior in an old project (closed source) that is slowly being upgraded with a self-hosted renovatebot. Specifically, the project is stuck on What we'd really need is for it to attempt feasible upgrades only, so |
you can use separate multiple major config option as workaround, so you get a PR for each major version. use dashboard approval to update one by one. and don't overload your CI. |
|
@viceice as in create specialized configs for individual dependencies? There are hundreds :D |
|
no, for start i would set approval for all packages |
|
After official PHP 8.2 release we now get this for most of our PRs created by Renovate. We usually have the php constraint in our projects e.g. |
|
@back-2-95 that's a slightly different issue in that
|
|
@rarkins As promised on Twitter, here is a reproduce repository: https://github.com/WyriHaximus/renovate-ignore-php-version |
|
@WyriHaximus thanks! I would like to make sure I understand the reproduction. I see one PR, updating thecodingmachine/safe to v2. According to Packagist, v2 of this package requires Looking at the reproduction project itself, it requires Do I understand correctly? |
|
@rarkins I also had a quick thought about this yesterday. What do you think of "simply" filtering out packages with an incompatible php version on lookup? That would be #2355 I suppose. It's obviously not a generic fix for this issue here, but I think it might bring us one step forward and get rid of the most common annoyance? Especially since now platform upgrades are possible as well. |
|
Yes, that's what I'm working on right now. But I encountered a hitch. If you look at https://packagist.org/p2/thecodingmachine/safe.json for example, only the first (latest) version includes a |
|
Meanwhile the deprecated v1 API for Packagist does include |
|
So for now this issue is blocked until something like the following happens:
I see that there are 8 occurrences of the |
|
a php require is totally optional AFAIK, so in case it's not there you can assume the lib states that it works with any php version. also most likely we need something like the reverse logic if there is a php conflicts or so |
|
I have a working draft for this in #19851 First, I'd really like some more advanced reproductions. For the one by @WyriHaximus, it now suppresses the v2 upgrade, but it would be good if we also have an example where there are multiple possible upgrades, some of which have incompatible updates and some of which are compatible, and it picks the highest compatible. Second, I would like to put this behind a config option (i.e. opt in) so that we can push this to production faster without needing to think/test about all the possible ways this could go wrong. For example, what if the current version is already incompatible? |
|
@rarkins thanks, responding in line 👍
Yes, but widening to
Sweet, will have a look!
Sure, I can give you a repo for that situation as well.
Works for me. Currently looking at having to do several 100 PR's by hand because of (at least) two situations so if I can help test this and get it done sanely with Renovate I'm in! |
@rarkins Hope this is what you meant: Set up another repo where the required package jumps from v4.x to v6: https://github.com/WyriHaximus/renovate-php-multiple-updates-possible v4: Expectation |
|
Thanks. FYI rangeStrategy=replace is the default. You can switch it to rangeStrategy=widen for most managers (I think including composer). This is a separate/tangential topic to compatibility and it's better not to complicate this issue with it. |
Please ping me if you require more and/or more complicated situations. II'll try to set up a very wide-ranged complex one with multiple packages tonight and see how it responds to that.
Do you prefer that with the reproduction repositories as well? And yes that is a whole different feature request with the things I would like to do there. And yes composer supports widen but that might not always be the thing I'd prefer. But again different scope :). |
|
@rarkins Regarding the missing info in the v2 API (sorry I misunderstood that in your last comment about it initially): What's the best way forward then? It looks like the minification package hasn't been changed for almost 2 years and the v2 API response is referencing it with a version ( |
|
We can use v2 API and support de-minification |
|
(already done, actually) |
|
nice! :) |
I have a different expectation here, so we should clarify. If you update On the other hand, your So my expectation is: while your library needs to support v7, you cannot have a dependency which supports only v8, and such updates should be suppressed until you drop support for v7 too. On the other hand, if Renovate widens to support v5 and v6 as you suggest.. can't that be done today if you set rangeStrategy=widen? Is it your expectation to support newer versions as long as there's at least one php version overlapping? |
|
Using latest/production Renovate only, and the reproduction repo with adjusted config:
In other words, it appears like this desired use case is already satisfied through config only (mainly, rangeStrategy=widen). These PRs were generated using standard PR and not my WIP feature to support filtering out updates which are incompatible. |
|
@rarkins Thanks for the update, just finished writing down my thoughts on the
Correct, however when someone uses a package with that defined in there that value is ignored.
Yes. And I think I came up with a way to achieve that #19866 that doesn't require massive and complex changes. |
|
🎉 This issue has been resolved in version 35.7.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
Ooooh, thanks @Lctrs! I suppose this doesn't yet use SAT, but some sort of advanced guesswork, right? |
|
It's based on the language ranges of the direct dependencies. It doesn't identify/correct if dependencies wrongly declare their language support (e.g. they say they support v1 and v2 of a language, but they themselves use a dependency which supports only v2). Also note it's opt-in, and that this version is not yet live in the github app |
|
Good to know: doesn't match my needs exactly, but I fully understand all limitations previously discussed 👍 Thanks for working on this, it already helps tons! |
What would you like Renovate to be able to do?
Support php constraints in composer dependency lookups. i.e. do not propose an update if it is incompatible with the current
phpconstraint.For example, with these constraints: https://github.com/laminas/laminas-diagnostics/blob/df6b5e8d0874f7317b834901c1f6a137ce42ffee/composer.json#L20-L24
Do not propose this change: https://github.com/laminas/laminas-diagnostics/pull/54/files
Because (copy pasted from
composeroutput):Ref: https://packagist.org/packages/laminas/laminas-loader
Ref: https://github.com/laminas/laminas-loader/blob/51ed9c3fa42d1098a9997571730c0cbf42d078d3/composer.json#L24-L26
Note: this seems different to how libraries in Node.js do it, because in Node if you removed support for a major version of the language (e.g. PHP 7) then you should issue a breaking change of your library. The use of e.g.
7.4.99is also a bit of a composer quirk too.If you have any ideas on how this should be implemented, please tell us here.
Related discussion with @Ocramius and @internalsystemerror here: laminas/.github#41
So here we have the case where the downstream repo supports
7.4.99while the new version of the lib requires~8.0.0 || ~8.1.0 || ~8.2.0.Obviously to the human eye these are incompatible, but we need a foolproof way for the bot to determine it, because the "Venn diagrams" will not always be so clear. For example if the downstream repo supported
7.4.99 || 8.0.99then would this be OK or not OK? (in my opinion: not ok).Would this work?
["7.4.99", "8.0.99"]BTW this could unfortunately let us end up in "stalemates" quite easily where no dependency upgrades are proposed due to the downstream repo having too old or too narrow php requirements, something we should be aware of.
Ideally needs a simplified reproduction because the referenced repo seems quite complicated and therefore difficult to debug.
Is this a feature you are interested in implementing yourself?
Maybe
The text was updated successfully, but these errors were encountered: