composer 2.2 requires plugins to be allowed to run code
Open, In Progress, MediumPublic
Actions

Description

$ composer outdated
wikimedia/composer-merge-plugin contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "wikimedia/composer-merge-plugin" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] ?
y - add package to allow-plugins in composer.json and let it run immediately
n - add package (as disallowed) to allow-plugins in composer.json to suppress further prompts
d - discard this, do not change composer.json and do not allow the plugin to run
? - print help
Do you trust "wikimedia/composer-merge-plugin" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y
<snip>
$ git diff
diff --git a/composer.json b/composer.json
index 7ed377e6..1194d72e 100644
--- a/composer.json
+++ b/composer.json
@@ -5,7 +5,10 @@
                "optimize-autoloader": true,
                "prepend-autoloader": false,
                "vendor-dir": ".",
-               "sort-packages": true
+               "sort-packages": true,
+               "allow-plugins": {
+                       "wikimedia/composer-merge-plugin": true
+               }
        },
        "prefer-stable": true,
        "require": {

https://github.com/composer/composer/releases/tag/2.2.0

https://getcomposer.org/doc/06-config.md#allow-plugins

We probably want to add wikimedia/composer-merge-plugin to allow-plugins in composer.json for MW core and MediaWiki-Vendor by default.

Details

Project	Branch	Lines +/-	Subject
mediawiki/core	master	+1 -0	composer.json: Temporarily allow composer/package-versions-deprecated plugin
mediawiki/core	master	+4 -1	composer.json: Add wikimedia/composer-merge-plugin to allow-plugins
mediawiki/core	REL1_36	+4 -1	composer.json: Add wikimedia/composer-merge-plugin to allow-plugins
mediawiki/core	REL1_35	+4 -1	composer.json: Add wikimedia/composer-merge-plugin to allow-plugins
mediawiki/core	REL1_37	+4 -1	composer.json: Add wikimedia/composer-merge-plugin to allow-plugins
mediawiki/vendor	REL1_35	+21 -5	composer.json: Add wikimedia/composer-merge-plugin to allow-plugins
mediawiki/vendor	REL1_36	+20 -4	composer.json: Add wikimedia/composer-merge-plugin to allow-plugins
mediawiki/vendor	REL1_37	+21 -5	composer.json: Add wikimedia/composer-merge-plugin to allow-plugins
mediawiki/vendor	master	+19 -3	composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

Customize query in gerrit

Event Timeline

Reedy created this task.Dec 23 2021, 11:01 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 23 2021, 11:01 PM

Reedy updated the task description. (Show Details)Dec 23 2021, 11:03 PM

Reedy updated the task description. (Show Details)

Change 749797 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@master] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/749797

Change 749798 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@master] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/749798

Reedy moved this task from Backlog to Features/Improvements on the Composer board.Dec 23 2021, 11:21 PM

Change 749797 merged by jenkins-bot:

[mediawiki/vendor@master] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/749797

Change 751448 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@REL1_37] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751448

Change 751449 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@REL1_36] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751449

Change 751450 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@REL1_35] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751450

Change 751448 merged by Reedy:

[mediawiki/vendor@REL1_37] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751448

Change 751449 merged by Reedy:

[mediawiki/vendor@REL1_36] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751449

Change 751450 merged by Reedy:

[mediawiki/vendor@REL1_35] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751450

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.17; 2022-01-10).Jan 4 2022, 5:00 PM

Change 751197 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_37] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751197

Change 751198 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_36] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751198

Change 751199 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_35] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751199

Change 751199 merged by jenkins-bot:

[mediawiki/core@REL1_35] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751199

Change 749798 merged by jenkins-bot:

[mediawiki/core@master] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/749798

Change 751197 merged by jenkins-bot:

[mediawiki/core@REL1_37] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751197

Change 751198 merged by jenkins-bot:

[mediawiki/core@REL1_36] composer.json: Add wikimedia/composer-merge-plugin to allow-plugins

https://gerrit.wikimedia.org/r/751198

Need to work out how we want to handle this longer term...

doctrine/dbal depends on composer/package-versions-deprecated which also needs allowing

https://packagist.org/packages/composer/package-versions-deprecated seems to be longer term deprecated... But that's an aside.

They've added their composer 2.2 support in https://github.com/doctrine/dbal/commit/6cb7287d8ca650403bebcb919ef02b985bc7e40b but not released... We could add it in our own composer.json until we bring in a newer release (when it is released), and then remove it later (as I think it shouldn't be needed then...)

Reedy removed a project: Patch-For-Review.Jan 4 2022, 10:54 PM

Change 751514 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@master] composer.json: Temporarily allow composer/package-versions-deprecated plugin

https://gerrit.wikimedia.org/r/751514

gerritbot added a project: Patch-For-Review.Jan 4 2022, 10:56 PM

ReleaseTaggerBot added projects: MW-1.37-notes, MW-1.35-notes, MW-1.36-notes.Jan 4 2022, 11:00 PM

Change 751514 merged by jenkins-bot:

[mediawiki/core@master] composer.json: Temporarily allow composer/package-versions-deprecated plugin

https://gerrit.wikimedia.org/r/751514

Zabe removed a project: Patch-For-Review.Jan 25 2022, 9:47 AM

CtrlZvi added a subscriber: CtrlZvi.Feb 20 2022, 10:09 PM

Reedy changed the task status from Open to In Progress.Feb 25 2022, 12:43 AM

Reedy triaged this task as Medium priority.

There seems to be one more thing to consider: My setup right now looks like this:

mediawiki/core cloned in a directory
extensions cloned inside /mediawiki/core/extensions
a composer.local.json, which will be merged into the main composer.json file, with the following contents (stripped away unnecessary things):

	"extra": {
		"merge-plugin": {
			"include": [
				"extensions/*/composer.json"
			]
		}
	}

This will result in extension composer.jsons merged into the main one during runtime. However, if an extension intends to install a plugin (e.g. composer/installers from UniversalLanguageSelector), it will be merged, but this one is not within the allow-plugins list of plugins that are allowed, prompting me to allow this plugin (or not, depending on what I want to choose).
I already tried to add additional allow-plugins config to the composer.local.json but it seems that the composer-merge-plugin does not merge configs (?), resulting in the same issue. Not sure if that would also mean, that a specific config on the extensions composer.json level will work or not, when merged.

It looks like config was never included to be merged in, possibly because there wasn't a need for it? - https://github.com/wikimedia/composer-merge-plugin#plugin-configuration

https://github.com/wikimedia/composer-merge-plugin/blob/47be3c0633f981937e4242c442e4faf5711a06e7/src/MergePlugin.php#L52-L57

* By default the "extra" section is not merged. This can be enabled by
* setitng the 'merge-extra' key to true. In normal mode, when the same key is
* found in both the original and the imported extra section, the version in
* the original config is used and the imported version is skipped. If
* 'replace' mode is active, this behaviour changes so the imported version of
* the key is used, replacing the version in the original config.

Maybe "we" need to add a merge-config (like merge-dev/merge-extra/merge-scripts) or similar

Probably worth filing an issue at https://github.com/wikimedia/composer-merge-plugin, we're probably not the only ones with this issue

In T298283#7737562, @Reedy wrote:
It looks like config was never included to be merged in, possibly because there wasn't a need for it? - https://github.com/wikimedia/composer-merge-plugin#plugin-configuration

https://github.com/wikimedia/composer-merge-plugin/blob/47be3c0633f981937e4242c442e4faf5711a06e7/src/MergePlugin.php#L52-L57
* By default the "extra" section is not merged. This can be enabled by
* setitng the 'merge-extra' key to true. In normal mode, when the same key is
* found in both the original and the imported extra section, the version in
* the original config is used and the imported version is skipped. If
* 'replace' mode is active, this behaviour changes so the imported version of
* the key is used, replacing the version in the original config.
Maybe "we" need to add a merge-config (like merge-dev/merge-extra/merge-scripts) or similar

Probably worth filing an issue at https://github.com/wikimedia/composer-merge-plugin, we're probably not the only ones with this issue

-> https://github.com/wikimedia/composer-merge-plugin/issues/229 :)

Krinkle moved this task from Blocker to Not a blocker on the MW-1.36-release board.Mar 23 2022, 8:43 PM

Krinkle moved this task from Blocker to Not a blocker on the MW-1.35-release board.

Lucas_Werkmeister_WMDE added a subscriber: Lucas_Werkmeister_WMDE.Apr 29 2022, 9:23 AM

Reedy removed a project: MW-1.36-release.May 18 2022, 7:06 PM

Reedy moved this task from Blocker to Not a blocker on the MW-1.37-release board.May 21 2022, 8:17 AM

kostajh added a subscriber: kostajh.Fri, Jun 3, 3:41 PM

Daimona added a subscriber: Daimona.Fri, Jun 3, 4:11 PM

composer 2.2 requires plugins to be allowed to run codeOpen, In Progress, MediumPublicActions

Description

Details

Event Timeline

composer 2.2 requires plugins to be allowed to run code
Open, In Progress, MediumPublic
Actions