composer: composer update --lock also SEEMS to update dev packages, but doesn't really

My composer.json: full of secrets, sorry, but the important part:

{
    "require": {
        "php": ">=7.4",
        "cweagans/composer-patches": "^1.6",
        "kris/laravel-form-builder": "dev-master"
    },
    "extra": {
        "patches": {
            // nothing for kris/laravel-form-builder
        }
    }
}

I include cweagans/composer-patches because it might be relevant as a composer plugin, even though there are no patches for kris/laravel-form-builder.

Output of composer diagnose:

Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.0.12
PHP version: 7.4.15
PHP binary path: /usr/bin/php7.4
OpenSSL version: OpenSSL 1.1.1j  16 Feb 2021
cURL version: 7.58.0 libz 1.2.11 ssl OpenSSL/1.1.1j
zip: extension present, unzip present

Full output of update --lock:

rudie@homeblox:myproject(dev)$ composer -vvv update --lock
Reading ./composer.json (/var/www/myproject/composer.json)
Loading config file /home/rudie/.config/composer/auth.json
Loading config file ./composer.json (/var/www/myproject/composer.json)
Checked CA file /etc/ssl/certs/ca-certificates.crt: valid
Executing command (/var/www/myproject): git branch -a --no-color --no-abbrev -v
Reading /home/rudie/.config/composer/composer.json
Loading config file /home/rudie/.config/composer/auth.json
Loading config file /home/rudie/.config/composer/composer.json (/home/rudie/.config/composer/composer.json)
Loading config file /home/rudie/.config/composer/auth.json
Reading /home/rudie/.config/composer/auth.json
Reading /var/www/myproject/vendor/composer/installed.json
Reading /home/rudie/.config/composer/vendor/composer/installed.json
Loading plugin cweagans\Composer\Patches (from cweagans/composer-patches)
Running 2.0.12 (2021-04-01 10:14:59) with PHP 7.4.15 on Linux / 4.15.0-140-generic
> pre-update-cmd: cweagans\Composer\Patches->checkPatches
Gathering patches for root package.
Reading ./composer.lock (/var/www/myproject/composer.lock)
Loading composer repositories with package information
Downloading https://repo.packagist.org/packages.json
[200] https://repo.packagist.org/packages.json
Writing /home/rudie/.cache/composer/repo/https---repo.packagist.org/packages.json into cache
Reading /home/rudie/.cache/composer/repo/https---repo.packagist.org/provider-brick~math.json from cache
Downloading https://repo.packagist.org/p2/brick/math.json if modified
....
[304] https://repo.packagist.org/p2/brick/math.json
....
Downloading https://repo.packagist.org/p2/guzzlehttp/psr7.json if modified
....
Reading /home/rudie/.cache/composer/repo/https---repo.packagist.org/provider-illuminate~mail.json from cache
Downloading https://repo.packagist.org/p2/illuminate/mail.json if modified
....
[304] https://repo.packagist.org/p2/illuminate/bus.json
Updating dependencies
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.038 seconds
Analyzed 4689 packages to resolve dependencies
Analyzed 31374 rules to resolve dependencies
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.001 seconds
Lock file operations: 0 installs, 1 update, 0 removals
Updates: kris/laravel-form-builder:dev-master cd17545
  - Upgrading kris/laravel-form-builder (dev-master 538ed8d => dev-master cd17545)
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Package fzaninotto/faker is abandoned, you should avoid using it. No replacement was suggested.
Generating autoload files
> post-autoload-dump: Illuminate\Foundation\ComposerScripts::postAutoloadDump
54 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

The weird bit in there is:

Lock file operations: 0 installs, 1 update, 0 removals
Updates: kris/laravel-form-builder:dev-master cd17545
  - Upgrading kris/laravel-form-builder (dev-master 538ed8d => dev-master cd17545)
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove

So it pretends to upgrade kris/laravel-form-builder to the newest dev, even though --lock shouldn’t do that, but also it actually doesn’t. If I run the same command again, it pretends to upgrade again, and again, etc, and it never does upgrade. Very very confusing.

Happened in Composer 2.0.11, so I upgraded to 2.0.12, and it still happens.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 17 (9 by maintainers)

Most upvoted comments

@hostep that’s why I said which are safe to update. When using a github download URL, Composer is able to replace the reference in it to ensure the right commit is still downloaded, even when updating the URL to use the new repo name. But for generic packages, that’s indeed not safe to do when the reference is hardcoded in the URL in a way unknown to composer (which is what #9661 could solve in the future)

@hostep right, good point, I’ll look into restricting updates of further fields.

Why would it bump the date if it does not bump the reference?
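A way to check what an `update --lock` run actually changed, as an added example that is not from the issue thread or from Composer: it diffs two composer.lock snapshots and separates moved commit references from metadata-only changes such as the date. The sample lock files, URL and dates are constructed (the short hashes from the log stand in for the full hashes a real lock file holds), and the function names are hypothetical.

```python
import json


def tracked(pkg):
    """Fields of one lock entry that decide what code is fetched, and from where."""
    src, dist = pkg.get("source") or {}, pkg.get("dist") or {}
    return {"source.reference": src.get("reference"), "dist.reference": dist.get("reference"),
            "source.url": src.get("url"), "dist.url": dist.get("url"), "time": pkg.get("time")}


def lock_index(lock_text):
    """Map package name -> tracked fields, covering packages and packages-dev."""
    lock = json.loads(lock_text)
    return {p["name"]: tracked(p)
            for section in ("packages", "packages-dev") for p in lock.get(section) or []}


def diff_locks(before_text, after_text):
    """Return {package: sorted changed fields} for packages present in both locks."""
    before, after = lock_index(before_text), lock_index(after_text)
    changes = {}
    for name in sorted(before.keys() & after.keys()):
        changed = sorted(f for f in before[name] if before[name][f] != after[name][f])
        if changed:
            changes[name] = changed
    return changes


def classify(changed_fields):
    """'code' if a commit reference moved, otherwise 'metadata-only'."""
    return "code" if any(f.endswith(".reference") for f in changed_fields) else "metadata-only"


def _lock(ref, time):  # constructed sample, not the reporter's real lock file
    return json.dumps({"packages": [{
        "name": "kris/laravel-form-builder", "version": "dev-master",
        "source": {"type": "git", "url": "https://example.invalid/form-builder.git",
                   "reference": ref},
        "time": time}], "packages-dev": []})


BEFORE = _lock("538ed8d", "2021-01-01T00:00:00+00:00")
SAME_REF = _lock("538ed8d", "2021-04-01T00:00:00+00:00")  # only the date moved
NEW_REF = _lock("cd17545", "2021-04-01T00:00:00+00:00")   # the commit moved too

if __name__ == "__main__":
    for label, after in (("same ref", SAME_REF), ("new ref", NEW_REF)):
        for name, fields in diff_locks(BEFORE, after).items():
            print(label, name, fields, classify(fields))
```

Feeding it `git show HEAD:composer.lock` as the "before" text and the working-tree file as the "after" text shows whether a reported upgrade touched a reference at all.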