composer: Declare previous version conflict with dep
Hi,
This seems to me like a problem that should come up a lot, but I’ve not managed to find documentation for it. I have identified that a previous version of my package conflicts with another dependency at a specific version. In my specific case, a previous release doesn’t work with PHP 5.4.0 due to a bug in PHP related to trait composition and abstract methods. How can I now declare that not my current version (upcoming release), but my 0.1-alpha2 conflicts with PHP 5.4.0?
I understand that this may be difficult to do via Composer config. But maybe this could be done on Packagist?
Note
According to SemVer 2.0 point 3,
Once a versioned package has been released, the contents of that version MUST NOT be modified. Any modifications MUST be released as a new version.
This means that re-tagging, i.e. making a modification and moving the tag to that commit, is a breach of SemVer.
About this issue
- State: closed
- Created 6 years ago
- Reactions: 3
- Comments: 34 (21 by maintainers)
If you published a bad version, just publish a fix version (n+1, avoid reusing the same tag) and move on. In the example above of the LiipFunctionalTestBundle it’s a bit problematic because the old version might get picked if you use Symfony 4 at least until you release a version supporting Symfony 4. In that case maybe deleting the tag from the git repo and deleting the tag on packagist is the best course of action. People that have it in their composer.lock will still be able to install as the commit is still there and the lock file has the commit reference, but you stop the bad version from spreading further at least.
I don’t really see what we can do on our end to mitigate this in a meaningful way that wouldn’t take more effort than it’s worth. Such mistakes don’t happen all that often.
Retagging is not ideal. But probably the recommended approach. You might have to manually trigger an update in Packagist though, I think. Not sure, I can’t recall the last time I re-tagged something.
Yes, re-tag. No, your package behavior does not change. Only its metadata (composer.json) do. And only for a very specific release. I don’t see it as a problem.