What is the best practice for handling composer abandoned packages?
When I run composer updates I'll occasionally get messages that packages are abandoned and I should use a different one instead, like Package webflo/drupal-core-require-dev is abandoned, you should avoid using it. Use drupal/core-dev instead. I don't have experience with Composer so I'm curious as to what is seen as the best practice for replacing outdated packages.

Where do these messages come from? I'm unsure if the source is always reliable.

Ulrikaumeko answered 30/12, 2019 at 22:48
I recommend leaving this question open. People who are new to package managers will find it valuable. Very minor edit proposed removing the request for an 'opinion'.Wilden

I think the best practice is quite clear from the message "you should avoid using it". How/when to do this is not as clear. Abandoned packages will not receive updates, but composer will not be able to tell you how difficult it will be to transition to the recommended alternative. It might be that all you have to do is replace the package, because it was only a name change, or you might have to modify your code as well.

In your case webflo/drupal-core-require-dev only contains a composer.json and the required packages match with what the alternative drupal/core-dev provides. That means replacing the package should be as easy as changing the name in your composer.json and then do a composer update drupal/core-dev.

For packages where the answer is not as straightforward, you have to rely on automated/manual tests to see if everything still works. Static code analysis tools might help as well. You will have to set them up before you do the change, so that you can see how their output differs and fix the new issues that come up.

You should do the switch to the new dependency as early as possible. Leaving it in will likely cause more work in the future when replacing it and might pose a security risk (if it is outdated and insecure). I understand that this is not always possible, and using something like roave/security-advisories to tell you when there are known security issues in a package might help to postpone it and give some sense of security.

Wingard answered 31/12, 2019 at 0:35
Thank you for the well detailed response, as someone who is completely new to composer and most web development this is all pretty new to me. Usually when I install something new with composer I'll just say composer require drupal/module. In this case when editing composer.json, do I just replace the one line webflo/drupal-core-require-dev with `drupal/core-dev`, or is there a safer way to do it?Ulrikaumeko
Yes, changing the composer.json is ok, but you should never modify the composer.lock. If you make changes, composer will tell you if they are not yet applied to the lock. Then all you have to do is run update, but be careful not to update unwanted packages. That is why you should append the package name or use something like composer update --lock, which will not update any packages. You could probably also use commands like remove & require, but splitting this up into single commands might lead to problems in the intermediate steps, e.g. due to missing packages.Wingard
Looks like you are facing a slightly special case converting from drupal-project/drupal-composer to composer in core. See youtu.be/ddPL91oHQdU?t=1824. For more general composer scenarios, you would not typically edit either composer.json or composer.lock directly. People needing more generic composer usage instructions should consider $ composer remove {{old package}} and then $ composer require {{new package}}.Wilden
This answer does not apply in my case. I asked about it here: drupal.stackexchange.com/q/302682/12076 - with additional details.Roer
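The swap described in the answer and its comments (edit composer.json, leave composer.lock alone, then run `composer update <new package>`), as an added example that is not code from the thread. The composer.json and the Packagist-style metadata below are constructed; only the shape of the `abandoned` field (true, or the name of the replacement package) is taken from Composer's schema.

```python
# Added example, not code from the thread: flag abandoned direct dependencies
# and draft the composer.json swap the answer describes. METADATA is a
# constructed stand-in for Packagist data; only its `abandoned` field (true,
# or the replacement package name) follows Composer's schema.
import json

# Constructed composer.json mirroring the question, plus one extra package.
COMPOSER_JSON = json.dumps({
    "name": "example/site",
    "require": {"drupal/core-recommended": "^8.8", "example/old-lib": "^1.0"},
    "require-dev": {"webflo/drupal-core-require-dev": "^8.8"},
})

# Constructed metadata keyed by package name (hypothetical values).
METADATA = {
    "drupal/core-recommended": {},
    "webflo/drupal-core-require-dev": {"abandoned": "drupal/core-dev"},
    "example/old-lib": {"abandoned": True},  # abandoned, no replacement named
}


def abandoned_direct_deps(composer_json: str, metadata: dict) -> dict:
    """Map each abandoned direct dependency to its replacement, or None."""
    manifest = json.loads(composer_json)
    found = {}
    for section in ("require", "require-dev"):
        for name in manifest.get(section, {}):
            flag = metadata.get(name, {}).get("abandoned")
            if flag:  # true or a replacement name; false/missing is fine
                found[name] = flag if isinstance(flag, str) else None
    return found


def swap_dependency(composer_json: str, old: str, new: str, constraint: str):
    """Replace `old` with `new` in the section that declares it.

    Returns the edited composer.json and the command to run next; the lock
    file is never edited by hand, `composer update <new>` refreshes it.
    """
    manifest = json.loads(composer_json)
    for section in ("require", "require-dev"):
        if old in manifest.get(section, {}):
            del manifest[section][old]
            manifest[section][new] = constraint
            return json.dumps(manifest, indent=4), f"composer update {new}"
    raise KeyError(f"{old} is not a direct dependency")


if __name__ == "__main__":
    print(abandoned_direct_deps(COMPOSER_JSON, METADATA))
```

Packages that are only transitive dependencies are deliberately not reported here, since you cannot swap them in your own composer.json; they are the case where the answer's advice about tests and static analysis applies.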
