Upgrade third-party composer dependencies #306

Closed
3 tasks done
emteknetnz opened this issue Sep 2, 2024 · 9 comments

@emteknetnz
Member

emteknetnz commented Sep 2, 2024

The CMS 6 beta will be released around mid Jan 2025. Upgrading the composer dependencies should be done fairly close to this cut-off to allow as much time for third party new major versions to be released, though still allow some time to ensure we have adequate time to upgrade everything.

Acceptance criteria

  • Dependencies that need to be updated for CMS 6 are identified (excluding symfony and phpunit)
  • Dependencies are updated
  • Fixed dependencies page is updated

Notes

  • Symfony 7 has already been done in this card
  • PHPunit 11 has already been done in this card

This bash script can be used to identify dependencies that need to be updated on the base folder of an install of kitchen-sink:

The following script was used to update deps - https://github.com/emteknetnz/cms6-update-deps

Update minor deps

Kitchen sink CI

^ Unit test failure is existing

PRs

After merging assign back to Steve

Update major deps

Did not update any phpunit deps as they were all for repos that are used for both CMS 5 and CMS 6 e.g. silverstripe/supported-modules

Kitchen sink CI

^ Unit test failure is existing

PRs

@emteknetnz emteknetnz changed the title Upgrade third-party composer dependencies Nov 2024 - Upgrade third-party composer dependencies Sep 3, 2024
@GuySartorelli GuySartorelli added this to the Silverstripe CMS 6.0 milestone Sep 13, 2024
@GuySartorelli GuySartorelli self-assigned this Nov 15, 2024
@GuySartorelli
Member

Got a printout of all the dependencies per repo, then realised this isn't actually worth my time until we've got the list of supported modules.

Used this script, modified from above:

// Map of repo => list of "dependency:constraint" strings
$repoDeps = [];
$vendors = ["silverstripe","symbiote","tractorcow","colymba","dnadesign","bringyourownideas"];
foreach ($vendors as $vendor) {
    // Find every composer.json under the installed packages for this vendor
    $files = shell_exec("find vendor/$vendor/. | grep composer.json");
    $files = explode("\n", (string) $files);
    foreach ($files as $file) {
        if (!$file) continue;
        // Skip fixture composer.json files that live in test directories
        if (preg_match("#/tests/#", $file)) continue;
        if (!preg_match("#vendor/(?<repo>.*)/composer\.json$#", $file, $matches)) continue;
        $repo = $matches["repo"];
        $json = json_decode(file_get_contents($file), true);
        foreach (["require", "require-dev"] as $attr) {
            if (!isset($json[$attr])) continue;
            foreach ($json[$attr] as $dep => $constraint) {
                // Ignore the platform, first-party vendors, and deps handled in other cards
                if ($dep === "php") continue;
                if (str_starts_with($dep, "silverstripe/")) continue;
                if (str_starts_with($dep, "phpunit/")) continue;
                if (str_starts_with($dep, "bringyourownideas/")) continue;
                if (str_starts_with($dep, "colymba/")) continue;
                if (str_starts_with($dep, "dnadesign/")) continue;
                if (str_starts_with($dep, "symbiote/")) continue;
                if (str_starts_with($dep, "symfony/")) continue;
                if (str_starts_with($dep, "ext-")) continue;
                $repoDeps[$repo][] = "$dep:$constraint";
            }
        }
    }
}
ksort($repoDeps);
foreach ($repoDeps as $repo => $deps) {
  // $deps is a plain list, so sort by value rather than by key
  sort($deps);
  echo "\n---------------\n";
  echo "REPO: $repo\n---------------\n";
  foreach ($deps as $dep) {
    echo "$dep\n";
  }
}

@GuySartorelli GuySartorelli removed their assignment Nov 18, 2024
@emteknetnz emteknetnz self-assigned this Dec 5, 2024
@emteknetnz
Member Author

emteknetnz commented Dec 5, 2024

Made minor changes to the script and ran it, and manually got the latest version from each repo

(script was originally in issue description, have copied to here)

php -r '
    // Set of unique "dependency:constraint" strings across all scanned repos
    $deps = [];
    $vendors = ["silverstripe","symbiote","tractorcow","colymba","dnadesign"];
    foreach ($vendors as $vendor) {
        // Find every composer.json under the installed packages for this vendor
        $files = shell_exec("find vendor/$vendor/. | grep composer.json");
        $files = explode("\n", (string) $files);
        foreach ($files as $file) {
            if (!$file) continue;
            // Skip fixture composer.json files that live in test directories
            if (preg_match("#/tests/#", $file)) continue;
            if (str_contains($file, "webauthn-authenticator")) continue;
            $c = file_get_contents($file);
            $j = json_decode($c, true);
            foreach (["require", "require-dev"] as $r) {
                if (!isset($j[$r])) continue;
                foreach ($j[$r] as $k => $v) {
                    // Ignore first-party vendors, symfony and PHP extensions
                    if (str_starts_with($k, "silverstripe/")) continue;
                    if (str_starts_with($k, "bringyourownideas/")) continue;
                    if (str_starts_with($k, "colymba/")) continue;
                    if (str_starts_with($k, "dnadesign/")) continue;
                    if (str_starts_with($k, "symbiote/")) continue;
                    if (str_starts_with($k, "symfony/")) continue;
                    if (str_starts_with($k, "ext-")) continue;
                    $deps["$k:$v"] = true;
                }
            }
        }
    }
    ksort($deps);
    foreach ($deps as $dep => $b) {
      echo "$dep\n";
    }
'

Only 3 things are not on the latest major:

  • paragonie/constant_time_encoding - ^2.6 - latest is 3.0.0
  • psr/http-message - ^1 - latest is 2.0 (not a typo)
  • phpunit - some things are not on ^11

asyncphp/doorman:^4
- 4.0.0
aws/aws-sdk-php:^3.281
- 3.334.1
behat/behat:^3.11.0
- 3.16.0
behat/mink:^1.10.0
- 1.12.0
composer-plugin-api:^2
- do not change
composer-runtime-api:^2.0
- do not change
composer/composer:^2
- 2.8.3
ccomposer/installers:*
- 2.3.0
composer/installers:^2
- 2.3.0
composer/installers:^2.2
- 2.3.0
composer/semver:^3.4
- 3.4.3
defuse/php-encryption:^2.3
- 2.4.0
dragonmantank/cron-expression:^3
- 3.4.0
embed/embed:^4.4.7
- 4.4.14
friends-of-behat/mink-extension:^2
- 2.7.5
fzaninotto/faker:^1.9.2
- 1.9.2
guzzlehttp/guzzle:^7.5
- 7.9.2
guzzlehttp/guzzle:^7.5.0
- 7.9.2
guzzlehttp/psr7:^2.4.0
- 2.7.0
guzzlehttp/psr7:^2.4.1
- 2.7.0
intervention/image:^3.7
- 3.9.1
jeremeamia/superclosure:^2.0
- 2.4.0
league/commonmark:^2.4
- 2.5.3
league/csv:^9
- 9.18.0
league/csv:^9.8.0
- 9.18.0
league/flysystem-local:^3.22
- 3.29.0
league/flysystem:^3.22
- 3.29.1
m1/env:^2.2.0
- 2.2.0
marcj/topsort:^2.0.0
- 2.0.0
masterminds/html5:^2.7.6
- 2.9.0
mikey179/vfsstream:^1.6
- 1.6.12
mikey179/vfsstream:^1.6.11
- 1.6.12
mikey179/vfsstream:^v1.6.11
- 1.6.12
monolog/monolog:^3.2.0
- 3.8.0
nikic/php-parser:^5.1.0
- 5.3.1
onelogin/php-saml:^4
- 4.2.0
paragonie/constant_time_encoding:^2.6
- ! 3.0.0
php-parallel-lint/php-parallel-lint:^1
- 1.4.0
php-webdriver/webdriver:^1.13.1
- 1.15.2
php:^8.0
- ^8.3
php:^8.1
- ^8.3
php:^8.3
- ^8.3
phpstan/extension-installer:^1.3
- 1.4.3
phpunit/phpunit:^11.3
- 11.4.4
phpunit/phpunit:^4.0 || ^5.0 || ^6.0 || ^7.0 || ^8.0 || ^9.0
- 11.4.4
phpunit/phpunit:^9.6
- 11.4.4
psr/container:^1.1 || ^2.0
- 2.0.2
psr/event-dispatcher:^1
- 1.0.0
psr/http-message:^1
- ! 2.0
psr/simple-cache:^3.0.0
- 3.0.0
sebastian/diff:^6.0
- 6.0.2
sensiolabs/ansi-to-html:^1.2
- 1.2.1
silverstripe-themes/simple:3.x-dev
- 3.3.2
slevomat/coding-standard:^8.14
- 8.15.0
sminnee/callbacklist:^0.1.1
- 0.1.1
spomky-labs/otphp:^11.1
- 11.3.0
squizlabs/php_codesniffer:^3
- 3.7.2
squizlabs/php_codesniffer:^3.7
- 3.7.2
ua-parser/uap-php:^3.9.14
- 3.9.14
webonyx/graphql-php:^15.0.1
- 15.19.0

@emteknetnz
Member Author

emteknetnz commented Dec 5, 2024

@GuySartorelli 3 options:

Option A

  • No changes except to try and get paragonie/constant_time_encoding, psr/http-message, and phpunit/phpunit to next major
  • Least amount of work
  • Widest compatibility
  • Highest chance of projects not getting important patches

Option B

  • Update all deps to latest minor e.g. intervention/image:^3.7 => ^3.9
  • Restricted compatibility
  • Low chance of projects not getting important patches

Option C

  • Update all deps to latest patch e.g. intervention/image:^3.7 => ^3.9.1
  • Most restricted compatibility
  • Lowest chance of projects not getting important patches
  • Maybe a little confusing looking at composer.json in future cos would assume we needed patch to fix specific bug, which is not the case
  • Does not match how we have done deps in the past

Recommendation

I'm personally not a fan of the "widest compatibility" idea with option A, where it does make the upgrade to CMS 6 easier if there is some other third-party dep that only works with some old version of the dep, but at the cost of not getting potentially important bugfixes / security fixes, and it also widens our maintenance surface. We are probably not doing any favors in that scenario.

Option C is probably overkill as no one installs with --prefer-lowest in the real world and patch versions are unlikely to cause compatibility issues.

My preference is we go with option B - do you have any objection to that?
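
Option B applied mechanically to rows from the list above, as an added example that is not part of the thread or of the linked cms6-update-deps script: it raises a caret constraint's floor to the latest minor and flags the cases that need a major bump or a manual decision. The function names are hypothetical, and only plain caret constraints are handled.

```php
<?php
// Added example, not part of the issue thread. Function names are hypothetical;
// the sample rows are copied from the dependency list earlier on this page.

/** Parse "3.9.1", "v1.6.11" or "2" into [major, minor, patch]. */
function parseVersion(string $v): array
{
    $parts = array_map('intval', explode('.', ltrim(trim($v), 'vV')));
    return array_slice(array_pad($parts, 3, 0), 0, 3);
}

/** Classify one constraint against the latest release and propose the Option B constraint. */
function optionB(string $constraint, string $latest): array
{
    // Only plain caret constraints are handled; "*", "a || b" and branch names need a human.
    if (!preg_match('/^\^v?(\d+(?:\.\d+){0,2})$/', trim($constraint), $m)) {
        return ['status' => 'manual', 'proposed' => null];
    }
    [$cMaj, $cMin] = parseVersion($m[1]);
    [$lMaj, $lMin] = parseVersion($latest);
    // For 0.y releases Composer's caret does not cross the minor, so ^0.1.1 stays within 0.1.x.
    $inRange = $cMaj > 0 ? $lMaj === $cMaj : ($lMaj === 0 && $lMin === $cMin);
    if (!$inRange) {
        // The latest release cannot be installed under this constraint at all.
        return ['status' => 'outside-constraint', 'proposed' => null];
    }
    if ($lMin > $cMin) {
        // Raising the floor stops installs resolving to older minors that lack later fixes.
        return ['status' => 'raise-floor', 'proposed' => "^$lMaj.$lMin"];
    }
    return ['status' => 'current', 'proposed' => null];
}

// Rows copied from the list above: [dependency, current constraint, latest release].
$rows = [
    ['intervention/image', '^3.7', '3.9.1'],
    ['defuse/php-encryption', '^2.3', '2.4.0'],
    ['mikey179/vfsstream', '^v1.6.11', '1.6.12'],
    ['sminnee/callbacklist', '^0.1.1', '0.1.1'],
    ['paragonie/constant_time_encoding', '^2.6', '3.0.0'],
    ['psr/http-message', '^1', '2.0'],
    ['phpunit/phpunit', '^4.0 || ^5.0 || ^6.0 || ^7.0 || ^8.0 || ^9.0', '11.4.4'],
];
foreach ($rows as [$dep, $constraint, $latest]) {
    $r = optionB($constraint, $latest);
    printf("%-34s %-20.20s latest %-8s %-19s %s\n", $dep, $constraint, $latest, $r['status'], $r['proposed'] ?? '-');
}
```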

@GuySartorelli
Member

Definitely not C.
I prefer A for compatibility but in reality almost everything uses caret constraints so the chance of compatibility problems with option B is very low.

Tl;dr either A or B is fine 👍

@emteknetnz
Member Author

Cool, will go with B

This was referenced Dec 5, 2024
@GuySartorelli
Member

@emteknetnz I'm getting this when trying to build CMS 5 now:

Problem 1
    - silverstripe/recipe-testing[3.0.0, ..., 3.x-dev] require silverstripe/behat-extension ^5 -> satisfiable by silverstripe/behat-extension[5.0.0, ..., 5.x-dev].
    - silverstripe/behat-extension 5.x-dev is an alias of silverstripe/behat-extension dev-master and thus requires it to be installed too.
    - silverstripe/behat-extension[5.0.0, ..., 5.x-dev] require silverstripe/mink-facebook-web-driver ^2 -> satisfiable by silverstripe/mink-facebook-web-driver[2.x-dev].
    - silverstripe/behat-extension dev-master requires php ^7.2 -> your php version (8.1; overridden via config.platform, actual: 8.3.14) does not satisfy that requirement.
    - silverstripe/mink-facebook-web-driver 2.x-dev requires php ^8.3 -> your php version (8.1; overridden via config.platform, actual: 8.3.14) does not satisfy that requirement.
    - Root composer.json requires silverstripe/recipe-testing ^3 -> satisfiable by silverstripe/recipe-testing[3.0.0, ..., 3.x-dev].

I think the wrong branch may have been used for recipe testing, behat extension, or the mink one.

@emteknetnz
Member Author

Likely mink-facebook webdriver - have made pr silverstripe/MinkFacebookWebDriver#32

@GuySartorelli
Member

PRs merged - reassigned to Steve for next steps

@GuySartorelli
Member

PRs merged

@emteknetnz emteknetnz changed the title Nov 2024 - Upgrade third-party composer dependencies Upgrade third-party composer dependencies Dec 17, 2024