Page MenuHomePhabricator
Create Task
Maniphest T119711

Let update.php check for composer updates in extensions
Open, HighPublic
Actions

Description

update.php already checks for core composer dependencies being up to date, but does not check any of your extensions for similar out of date or newly added dependencies.

Today in the IRC channel I had to help a user who had updated his installation to 1.26 and ran into trouble over this, because his SyntaxHighlight extension was still using older pygments version. I think it should be easy enough to expand checkComposerLockUpToDate.php to advise users about which extensions might require a run of composer update as well.

Details

SubjectRepoBranchLines +/-
update.php: Check for outdated composer deps of extensionsmediawiki/coremaster+46 -5
Customize query in gerrit

Related Objects

Event Timeline

TheDJ created this task.Nov 26 2015, 1:56 PM
TheDJ raised the priority of this task from to Needs Triage.
TheDJ updated the task description. (Show Details)
TheDJ added projects: MediaWiki-Maintenance-system, SyntaxHighlight.
TheDJ subscribed.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptNov 26 2015, 1:56 PM
Aklapper triaged this task as High priority.Nov 26 2015, 2:18 PM

Saw another posting about this problem. Tentatively setting higher priority if this becomes a common issue for confusion while we want a more seamless upgrade process.

ori added a project: MediaWiki-General.Dec 12 2015, 11:52 AM
ori set Security to None.
ori added subscribers: Legoktm, bd808.
Aklapper mentioned this in T119403: Meeting with MW Stakeholders and WMF.Dec 12 2015, 1:11 PM
Legoktm added a comment.Dec 31 2015, 3:40 AM

Now that T119766: Composer's autoloader should be autoloaded in extension registry (if configured) is resolved, we should definitely be able to do this.

Krenair moved this task from Backlog to update.php on the MediaWiki-Maintenance-system board.Jan 16 2016, 4:18 AM
gerritbot subscribed.Aug 14 2017, 7:03 PM

Change 371965 had a related patch set uploaded (by TheDJ; owner: TheDJ):
[mediawiki/core@master] update.php: Check for outdated composer deps of extensions

https://gerrit.wikimedia.org/r/371965

gerritbot added a project: Patch-For-Review.Aug 14 2017, 7:03 PM
TheDJ added a project: Composer.Sep 7 2017, 3:14 PM
gerritbot added a comment.Nov 13 2017, 10:52 PM

Change 371965 abandoned by TheDJ:
update.php: Check for outdated composer deps of extensions

https://gerrit.wikimedia.org/r/371965

Tgr mentioned this in T187128: Automated MediaWiki upgrade tool that handles updating the files.Feb 12 2018, 10:58 PM
Seb35 subscribed.Sep 30 2018, 1:23 PM

I tested the patch with various extensions: without composer.json (LanguageTool), with composer.json containing a 'require' section, with composer.json without 'require' section. The first type is correctly detected, the second correctly says if the composer.lock inside the extension directory is obsolete, and the third type says there is no composer.lock file (it’s true but it’s normal in production).

I guess the patch was abandonned because the extension directory does not mandatorily contain a composer.lock file, the alternative scenario is the composer.json was registered in MW’s main composer.json in 'merge-plugin' section. At my knowledge these are the two scenarios to autoload Composer librairies in extensions. If correct the patch could be improved to check that composer.json 'require' section from extension directory match either composer.lock in extension directory either the global composer.lock.

Seb35 added a comment.Sep 30 2018, 2:00 PM

Also if this is implemented there could be "false" warnings because of T141225, because extensions could use version ranges (e.g. 2.3.*) in their Composer requirements.

It could be necessary to discuss this before implementing this change, because it will impact all extensions using Composer requirements with a policy not as strict as MediaWiki core’s one: either the users will start asking (legitimately) why they got warnings during updates either the extension mainteners would have to change their policy.

TheDJ added a comment.Sep 30 2018, 8:47 PM

I guess the patch was abandonned because the extension directory does not mandatorily contain a composer.lock file

It was abandoned because no one showed interest in it. I find it better to abandon such patches, rather than having them stay open for months and giving the vibe that someone (/me) will still be working on it.

Krinkle edited projects, added MediaWiki-Installer; removed MediaWiki-Maintenance-system.Apr 3 2020, 3:01 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 3 2020, 3:11 PM
Esanders moved this task from Backlog to Third party support on the SyntaxHighlight board.Jan 3 2021, 1:47 PM
Reedy mentioned this in T273570: Make ComposerJson check that composer-merge-plugin changes are satisfied.Feb 2 2021, 2:01 AM
Reedy moved this task from Backlog to Features/Improvements on the Composer board.Feb 2 2021, 2:05 AM
Reedy moved this task from General to Database updater on the MediaWiki-Installer board.Jan 30 2024, 3:54 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits