Page MenuHomePhabricator
Create Task
Maniphest T404868

composer merge plugin does not fail when dependency is not satisfied (was: Error: Class "Pimple\Container" not found)
Open, Needs TriagePublic
Actions

Description

https://integration.wikimedia.org/ci/job/quibble-composer-mysql-php82/5454/console

15:24:44 Skipping importing data from cu_changes to central index tables as the table is empty
15:24:44 Skipping importing data from cu_log_event to central index tables as the table is empty
15:24:44 Skipping importing data from cu_private_event to central index tables as the table is empty
15:24:44 [fe8499732810c313fc8c1936] [no req]   Error: Class "Pimple\Container" not found
15:24:44 Backtrace:
15:24:44 from /workspace/src/extensions/Flow/includes/Container.php(5)
15:24:44 #0 /workspace/src/includes/AutoLoader.php(277): require_once()
15:24:44 #1 /workspace/src/extensions/Flow/maintenance/FlowSetUserIp.php(41): AutoLoader::autoload()
15:24:44 #2 /workspace/src/maintenance/includes/LoggedUpdateMaintenance.php(51): Flow\Maintenance\FlowSetUserIp->doDBUpdates()
15:24:44 #3 /workspace/src/maintenance/update.php(207): MediaWiki\Maintenance\LoggedUpdateMaintenance->execute()
15:24:44 #4 /workspace/src/maintenance/includes/MaintenanceRunner.php(703): UpdateMediaWiki->execute()
15:24:44 #5 /workspace/src/maintenance/doMaintenance.php(100): MediaWiki\Maintenance\MaintenanceRunner->run()
15:24:44 #6 /workspace/src/maintenance/update.php(308): require_once(string)
15:24:44 #7 {main}
15:24:44 <<< Finish: Install MediaWiki, db=<MySQL /workspace/db/quibble-mysql-pv0pjsyc/socket>, in 3.935 s

Related Objects

Event Timeline

Reedy created this task.Sep 17 2025, 2:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 17 2025, 2:29 PM
Reedy added a project: ci-test-error (WMF-deployed Build Failure).Sep 17 2025, 2:30 PM
A_smart_kitten subscribed.Sep 17 2025, 2:38 PM

At a first glance, seems similar to T393670: CheckUser REL1_44 CI blocked with 'Error: Class "Pimple\Container" not found', which IIRC was a symptom of T363639: web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support?

hashar added a comment.Sep 17 2025, 2:38 PM

This is for a patch to patch targetting WebAuthn with branch REL1_43.

Flow fails because pimple/pimple is not available, despite it being defined in its composer.json

Looking at the build output, the composer merge plugin failed to resolve the dependencies and fallback to the previous composer.lock which only has mediawiki/core dependencies:

Your requirements could not be resolved to an installable set of packages.
[25.9MiB/9.41s] 
  Problem 1
    - mediawiki/minus-x is locked to version 1.1.3 and an update of this package was not requested.
    - Root composer.json requires web-auth/webauthn-lib ~3.3.12 -> satisfiable by web-auth/webauthn-lib[v3.3.12].
    - mediawiki/minus-x 1.1.3 requires symfony/console ^3.3.5 || ^4 || ^5 || ^6 || ^7 -> satisfiable by symfony/console[v7.3.3].
    - symfony/console v7.3.3 conflicts with symfony/process v5.4.47.
    - symfony/console v7.3.3 conflicts with symfony/process v5.3.2.
    - symfony/console v7.3.3 conflicts with symfony/process v5.0.11.
    - symfony/console v7.3.3 conflicts with symfony/process v4.4.44.
    - symfony/console v7.3.3 conflicts with symfony/process v4.4.26.
    - symfony/console v7.3.3 conflicts with symfony/process v3.4.47.
    - symfony/console v7.3.3 conflicts with symfony/process v3.3.6.
    - symfony/process[v4.0.0, v4.0.1, v4.0.2, v4.0.3, v4.0.4, v4.0.5, v4.0.6, v4.0.7, v4.0.8, v4.0.9, v4.0.10, v4.0.11, v4.0.12, v4.0.13, v4.0.14, v4.0.15, v4.1.0, v4.1.1, v4.1.2, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9, v4.1.10, v4.1.11, v4.1.12, v4.2.0, v4.2.1, v4.2.2, v4.2.3, v4.2.4, v4.2.5, v4.2.6, v4.2.7, v4.2.8, v4.2.9, v4.2.10, v4.2.11, v4.2.12, v4.3.0, v4.3.1, v4.3.2, v4.3.3, v4.3.4, v4.3.5, v4.3.6, v4.3.7, v4.3.8, v4.3.9, v4.3.10, v4.3.11, v4.4.0, v4.4.1, v4.4.2, v4.4.3, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9, v4.4.10] require php ^7.1.3 -> your php version (8.2.29) does not satisfy that requirement.
    - symfony/process[v5.0.0, v5.0.1, v5.0.2, v5.0.3, v5.0.4, v5.0.5, v5.0.6, v5.0.7, v5.0.8] require php ^7.2.5 -> your php version (8.2.29) does not satisfy that requirement.
    - web-auth/webauthn-lib v3.3.12 requires symfony/process ^3.0|^4.0|^5.0 -> satisfiable by symfony/process[v3.0.0, v3.0.1, v3.0.2, v3.0.3, v3.0.4, v3.0.5, v3.0.6, v3.0.7, v3.0.8, v3.0.9, v3.1.0, v3.1.1, v3.1.2, v3.1.3, v3.1.4, v3.1.5, v3.1.6, v3.1.7, v3.1.8, v3.1.9, v3.1.10, v3.2.0, v3.2.1, v3.2.2, v3.2.3, v3.2.4, v3.2.5, v3.2.6, v3.2.7, v3.2.8, v3.2.9, v3.2.10, v3.2.11, v3.2.12, v3.2.13, v3.2.14, v3.3.0, v3.3.1, v3.3.2, v3.3.3, v3.3.4, v3.3.5, v3.3.6, v3.3.7, v3.3.8, v3.3.9, v3.3.10, v3.3.11, v3.3.12, v3.3.13, v3.3.14, v3.3.15, v3.3.16, v3.3.17, v3.3.18, v3.4.0, v3.4.1, v3.4.2, v3.4.3, v3.4.4, v3.4.5, v3.4.6, v3.4.7, v3.4.8, v3.4.9, v3.4.10, v3.4.11, v3.4.12, v3.4.13, v3.4.14, v3.4.15, v3.4.16, v3.4.17, v3.4.18, v3.4.19, v3.4.20, v3.4.21, v3.4.22, v3.4.23, v3.4.24, v3.4.25, v3.4.26, v3.4.27, v3.4.28, v3.4.29, v3.4.30, v3.4.31, v3.4.32, v3.4.33, v3.4.34, v3.4.35, v3.4.36, v3.4.37, v3.4.38, v3.4.39, v3.4.40, v3.4.41, v3.4.42, v3.4.43, v3.4.44, v3.4.45, v3.4.46, v3.4.47, v4.0.0, v4.0.1, v4.0.2, v4.0.3, v4.0.4, v4.0.5, v4.0.6, v4.0.7, v4.0.8, v4.0.9, v4.0.10, v4.0.11, v4.0.12, v4.0.13, v4.0.14, v4.0.15, v4.1.0, v4.1.1, v4.1.2, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9, v4.1.10, v4.1.11, v4.1.12, v4.2.0, v4.2.1, v4.2.2, v4.2.3, v4.2.4, v4.2.5, v4.2.6, v4.2.7, v4.2.8, v4.2.9, v4.2.10, v4.2.11, v4.2.12, v4.3.0, v4.3.1, v4.3.2, v4.3.3, v4.3.4, v4.3.5, v4.3.6, v4.3.7, v4.3.8, v4.3.9, v4.3.10, v4.3.11, v4.4.0, v4.4.1, v4.4.2, v4.4.3, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.20, v4.4.22, v4.4.25, v4.4.26, v4.4.27, v4.4.30, v4.4.34, v4.4.35, v4.4.36, v4.4.37, v4.4.40, v4.4.41, v4.4.44, v5.0.0, v5.0.1, v5.0.2, v5.0.3, v5.0.4, v5.0.5, v5.0.6, v5.0.7, v5.0.8, v5.0.9, v5.0.10, v5.0.11, v5.1.0, v5.1.1, v5.1.2, v5.1.3, v5.1.4, v5.1.5, v5.1.6, v5.1.7, v5.1.8, v5.1.9, v5.1.10, v5.1.11, v5.2.0, v5.2.1, v5.2.2, v5.2.3, v5.2.4, v5.2.7, v5.2.10, v5.2.11, v5.2.12, v5.3.0, v5.3.2, v5.3.4, v5.3.7, v5.3.11, v5.3.12, v5.3.13, v5.3.14, v5.4.0, v5.4.2, v5.4.3, v5.4.5, v5.4.7, v5.4.8, v5.4.11, v5.4.19, v5.4.21, v5.4.22, v5.4.23, v5.4.24, v5.4.26, v5.4.28, v5.4.34, v5.4.35, v5.4.36, v5.4.39, v5.4.40, v5.4.44, v5.4.45, v5.4.46, v5.4.47].

[23.8MiB/9.41s] 
Update to apply merge settings failed, reverting ./composer.lock to its original content.

I had the exact same issue earlier this week which I have described at T325898#11179830 . The issue is web-auth/webauthn-lib does not support php 8.2, the bug is T363639.

And to top it of, the composer merge plugin should certainly HARD fail when it can't resolves the dependencies :-\

hashar added a comment.Sep 17 2025, 2:49 PM

See:

zuul/parameter_functions.py
# T363639 - WebAuthn won't run on REL1_XX because of library issues
# T390754 - Just don't load WebAuthn at all if it's not master, or it's Parsoid
if (
    'WebAuthn' in ext_deps and (
        not (params['ZUUL_BRANCH'] == 'master' or params['ZUUL_BRANCH'].startswith('wmf/'))
        or params['ZUUL_PROJECT'] == 'mediawiki/services/parsoid'
    )
):
    ext_deps.remove('WebAuthn')

Refs:

I guess we want to generalize the disablement to REL branches, or at least anything that claims to support php8.2.

A_smart_kitten edited projects, added ci-test-error; removed ci-test-error (WMF-deployed Build Failure).Sep 17 2025, 4:02 PM

(swapping tags, AFAICS this isn't currently blocking the 'master' branch; please revert if incorrect!)

Reedy closed this task as Invalid.Sep 22 2025, 3:48 PM
hashar added a comment.Mon, Nov 24, 3:43 PM

Same issue on REL1_39 of ProofreadPage and spotted on https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ProofreadPage/+/1193873

hashar reopened this task as Open.Tue, Nov 25, 2:40 PM

I am reopening this in order to address the root cause: the composer merge plugin does not abort / fail when it fails to install, continues execution which eventually leads to class not being found

Update to apply merge settings failed, reverting ./composer.lock to its original content.
hashar renamed this task from Error: Class "Pimple\Container" not found to composer merge plugin does not fail when dependency is not satisfed (was: Error: Class "Pimple\Container" not found).Tue, Nov 25, 2:42 PM
Reedy renamed this task from composer merge plugin does not fail when dependency is not satisfed (was: Error: Class "Pimple\Container" not found) to composer merge plugin does not fail when dependency is not satisfied (was: Error: Class "Pimple\Container" not found).Tue, Nov 25, 3:37 PM
Reedy added a project: MW-1.39-release.Mon, Dec 1, 6:01 PM

WebAuthn CI on REL1_39 is blocked again...

06:08:01 [c441f57306655859177afd4e] [no req]   Error: Class "Pimple\Container" not found
06:08:01 Backtrace:
06:08:01 from /workspace/src/extensions/Flow/includes/Container.php(5)
06:08:01 #0 /workspace/src/includes/AutoLoader.php(244): require_once()
06:08:01 #1 /workspace/src/extensions/Flow/maintenance/FlowSetUserIp.php(41): AutoLoader::autoload()
06:08:01 #2 /workspace/src/maintenance/includes/LoggedUpdateMaintenance.php(45): Flow\Maintenance\FlowSetUserIp->doDBUpdates()
06:08:01 #3 /workspace/src/maintenance/update.php(221): LoggedUpdateMaintenance->execute()
06:08:01 #4 /workspace/src/maintenance/includes/MaintenanceRunner.php(309): UpdateMediaWiki->execute()
06:08:01 #5 /workspace/src/maintenance/doMaintenance.php(85): MediaWiki\Maintenance\MaintenanceRunner->run()
06:08:01 #6 /workspace/src/maintenance/update.php(319): require_once(string)
06:08:01 #7 {main}
``
Reedy moved this task from Backlog to Bugs on the MediaWiki-extensions-OATHAuth board.Mon, Dec 1, 6:26 PM
hashar added a comment.Tue, Dec 2, 8:07 PM

I have dig into last week but missed updating this task. The reason is the composer-merge-plugin silently ignore the error, reset the state of ./vendor and let composer continue the execution.

The code is in a composer hooks POST_INSTALL_CMD and POST_UPDATE_CMD which:

And that is it. Which mean the error is silently ignored. I'd expect an exception to abort it, possibly to be thrown after the lock has been restored.

Krinkle subscribed.EditedWed, Dec 3, 5:44 AM

@hashar Aye, that would produce a more understable CI failure, but a CI failure nonetheless.

I suggest we work on that async, but first What can we do to make CI pass? What can do about Composer 2.9+ refusing to install pimple/pimple for "security reasons"? Is it feasible to upgrade Pimple for Flow in REL1_39? Or do we want to disable this Composer feature more generally? Something else?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits