flex: Composer update doesn't limit version to expected one

See https://github.com/symfony/symfony/issues/29581

Symfony version(s) affected: 4.0, 4.1 and 4.2

Description

I want to create a project with the 4.1.* Symfony version, and not use any 4.2 package. Same bug when I want to create a project with the 4.0.* Symfony version. This problem will be the same for 4.2 when 4.3 is released.

How to reproduce

composer create-project symfony/skeleton sf-4-1-9 4.1.9.1

(I have removed some dependencies to make output more readable)

Installing symfony/skeleton (v4.1.9.1)
  - Installing symfony/skeleton (v4.1.9.1): Downloading (100%)         
Created project in sf-4-1-9
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Package operations: 20 installs, 0 updates, 0 removals
  - Installing symfony/flex (v1.1.8): Loading from cache

Prefetching 11 packages 🎶 💨
  - Downloading (100%)

  - Installing symfony/console (v4.1.9): Loading from cache
  - Installing symfony/dotenv (v4.1.9): Loading from cache
  - Installing symfony/routing (v4.1.9): Loading from cache
  - Installing symfony/http-foundation (v4.1.9): Loading from cache
  - Installing symfony/event-dispatcher (v4.1.9): Loading from cache
  - Installing symfony/debug (v4.1.9): Loading from cache
  - Installing symfony/http-kernel (v4.1.9): Loading from cache
  - Installing symfony/finder (v4.1.9): Loading from cache
  - Installing symfony/filesystem (v4.1.9): Loading from cache
  - Installing symfony/dependency-injection (v4.1.9): Loading from cache
  - Installing symfony/config (v4.1.9): Loading from cache
  - Installing symfony/cache (v4.1.9): Loading from cache
  - Installing symfony/framework-bundle (v4.1.9): Loading from cache
  - Installing symfony/yaml (v4.1.9): Loading from cache

4.1.9 is installed, with its dependencies as 4.1.9 too. But if I do this:

rm -rf vendor && composer up

Dependencies I don’t have in my composer.json will be installed as the latest version (4.2.1 today):

Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 22 installs, 0 updates, 0 removals
  - Installing symfony/flex (v1.1.8): Loading from cache
  - Installing symfony/polyfill-mbstring (v1.10.0): Loading from cache
  - Installing symfony/console (v4.1.9): Loading from cache
  - Installing symfony/dotenv (v4.1.9): Loading from cache
  - Installing symfony/routing (v4.2.1): Loading from cache
  - Installing symfony/http-foundation (v4.2.1): Loading from cache
  - Installing symfony/contracts (v1.0.2): Loading from cache
  - Installing symfony/event-dispatcher (v4.2.1): Loading from cache
  - Installing symfony/debug (v4.2.1): Loading from cache
  - Installing symfony/http-kernel (v4.2.1): Loading from cache
  - Installing symfony/finder (v4.2.1): Loading from cache
  - Installing symfony/filesystem (v4.2.1): Loading from cache
  - Installing symfony/dependency-injection (v4.2.1): Loading from cache
  - Installing symfony/config (v4.2.1): Loading from cache
  - Installing symfony/var-exporter (v4.2.1): Loading from cache
  - Installing symfony/cache (v4.2.1): Loading from cache
  - Installing symfony/framework-bundle (v4.1.9): Loading from cache
  - Installing symfony/yaml (v4.1.9): Loading from cache

I’ve tried to use extra.symfony.require, but it didn’t change anything.

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 16 (9 by maintainers)

Most upvoted comments

After installing Flex as a global Composer plugin, I’ve found this problem:

Without extra.symfony.require config:

composer up
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 2 installs, 16 updates, 0 removals
  - Installing symfony/contracts (v1.0.2): Loading from cache
  - Updating symfony/dependency-injection (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/doctrine-bridge (v4.1.9 => v4.2.1): Loading from cache
  - Installing symfony/var-exporter (v4.2.1): Loading from cache
  - Updating symfony/cache (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/filesystem (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/config (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/finder (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/routing (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/options-resolver (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/intl (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/inflector (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/property-access (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/http-foundation (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/event-dispatcher (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/security (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/monolog-bridge (v4.1.9 => v4.2.1): Loading from cache
  - Updating symfony/stopwatch (v4.1.9 => v4.2.1): Loading from cache
Writing lock file
Generating autoload files
> steevanb\ComposerOverloadClass\OverloadClass::overload
ocramius/package-versions:  Generating version class...
ocramius/package-versions: ...done generating version class
Symfony recipes are disabled: "symfony/flex" not found in the root composer.json

What about running composer global require symfony/thanks && composer thanks now?
This will spread some 💖  by sending a ★  to the GitHub repositories of your fellow package maintainers.

Executing script cache:clear [OK]
Executing script assets:install --symlink --relative public [OK]

Add extra.symfony.require: 4.1, to downgrade 4.2 installed packages to 4.1

composer up
Loading composer repositories with package information
Updating dependencies (including require-dev)
Restricting packages listed in "symfony/symfony" to "4.1.*"
Nothing to install or update
Writing lock file
Generating autoload files
> steevanb\ComposerOverloadClass\OverloadClass::overload
ocramius/package-versions:  Generating version class...
ocramius/package-versions: ...done generating version class
Symfony recipes are disabled: "symfony/flex" not found in the root composer.json
Executing script cache:clear [OK]
Executing script assets:install --symlink --relative public [OK]

It’s not working, 4.2 installed packages are not downgraded to 4.1.

I have to remove the vendor dir: just adding extra.symfony.require when the vendors are already installed as 4.2 (instead of 4.1) is not enough to downgrade the 4.2 packages to 4.1. After removing the vendor dir, Symfony dependencies are installed in 4.1, so it’s OK.

Another problem: with Flex as global plugin only, recipes are disabled, as you can see above:

Symfony recipes are disabled: "symfony/flex" not found in the root composer.json

### Finally, to make it work:

  • composer global require symfony/flex ^1.0, to restrict packages that are not listed in your composer.json to the version you want
  • add symfony/flex: ^1.0 in your composer.json, to make recipes work
  • add extra.symfony.require: 4.1.* in your composer.json, not added by default on a lot of symfony/skeleton versions
  • don’t do composer up alone, do rm -rf vendor && composer up, or you will not downgrade installed packages to 4.1
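
A lock-file check for the drift reported in this thread, as an added example that is not part of the original issue or of Symfony's own code: it reads `extra.symfony.require` from composer.json and lists every locked `symfony/*` package outside that range. The function name, the skip list of independently versioned packages and the sample data (built from the logs above) are assumptions.

```python
import json

# Assumption: symfony/* packages that follow their own version line, taken from
# the logs on this page (flex v1.1.8, contracts v1.0.2, polyfill-mbstring v1.10.0).
# Extend this tuple for other independently versioned packages in your project.
INDEPENDENT = ("symfony/flex", "symfony/contracts", "symfony/polyfill-")


def find_drift(composer_json, composer_lock, independent=INDEPENDENT):
    """Return sorted (name, version) pairs of locked symfony/* packages
    whose version falls outside extra.symfony.require ("4.1.*" or "4.1")."""
    manifest = json.loads(composer_json)
    require = manifest.get("extra", {}).get("symfony", {}).get("require")
    if not require:
        # The thread notes many symfony/skeleton versions do not set this key.
        raise ValueError("extra.symfony.require is not set in composer.json")
    prefix = require[:-2] if require.endswith(".*") else require

    lock = json.loads(composer_lock)
    locked = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    drift = []
    for pkg in locked:
        name, version = pkg["name"], pkg["version"].lstrip("v")
        if not name.startswith("symfony/") or name.startswith(independent):
            continue
        if version != prefix and not version.startswith(prefix + "."):
            drift.append((name, pkg["version"]))
    return sorted(drift)


# Constructed sample input mirroring the "composer up" output in the issue.
SAMPLE_COMPOSER_JSON = json.dumps({"extra": {"symfony": {"require": "4.1.*"}}})
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/flex", "version": "v1.1.8"},
        {"name": "symfony/polyfill-mbstring", "version": "v1.10.0"},
        {"name": "symfony/console", "version": "v4.1.9"},
        {"name": "symfony/routing", "version": "v4.2.1"},
        {"name": "symfony/contracts", "version": "v1.0.2"},
        {"name": "symfony/cache", "version": "v4.2.1"},
        {"name": "symfony/yaml", "version": "v4.1.9"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, version in find_drift(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK):
        print(f"out of range: {name} {version}")
```

Run against the real composer.json and composer.lock contents in CI, a non-empty result means the lock file no longer matches the pinned minor version.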