We've discovered that dependabot is not aware of the merged requirements or repositories added by composer-merge-plugin. This is intentional as dependabot does not run plugin scripts and likely never will. So in a way the two are not compatible.
Worse still, however, is that Dependabot's composer update will then not know about the requirements and strip them from the resulting lock file. This is intentional. As far as composer is concerned, the new updated package meant these packages were no longer needed, and so they are removed since there is no longer a requirement for them anywhere (scripts didn't run).
I think the way to resolve this potentially is for merge plugin to actually write the merged repository and requirements to the composer JSON file. Could this be a valid feature request?
It has two advantages:
Currently when you merge a composer JSON and commit - in a code review you would never see what is merged. So any new repository definitions that get added will not be reviewable. By merging into composer.json directly you would see these. This enhances security, because at the moment if you merge in a composer JSON and it gets updated you'd never know what changes happened, and it could add spurious repository definitions.
When Dependabot or other tools run without scripts - it wouldn't matter - all requirements and repositories are in the composer JSON file.
For now we're doing the merge manually into composer JSON as it gives both benefits.
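The manual merge described in this issue, written out as an added example (this is not composer-merge-plugin's own code, and it does not reproduce the plugin's exact merge rules): a script that reads the root composer.json's `extra.merge-plugin.include` list, copies each fragment's `require`, `require-dev` and `repositories` entries into the root document, and reports two things a reviewer wants to see in the resulting diff, namely every repository definition that a fragment would have added silently, and every version constraint that conflicts with the root. Because the merged result is written back into composer.json, tools that never run plugin scripts (Dependabot, `composer update --no-scripts`) see the full set of requirements and repositories, and a new `vcs` repository pointing at an unexpected host shows up in code review. The root document, the fragment files and their package names and URLs are constructed sample data; in practice the fragments would be read from disk.

```python
import json
from dataclasses import dataclass, field
from typing import Any

# Constructed sample root composer.json (not a real project). The
# "extra.merge-plugin.include" key is the plugin's real configuration key;
# the package names, hosts and constraints are made up for the example.
ROOT: dict[str, Any] = {
    "name": "example/root",
    "require": {"php": ">=8.1", "monolog/monolog": "^3.0"},
    "repositories": [{"type": "composer", "url": "https://packages.example.org/"}],
    "extra": {
        "merge-plugin": {
            "include": [
                "modules/billing/composer.json",
                "modules/reports/composer.json",
            ]
        }
    },
}

# Constructed fragment files, keyed by the path the root refers to. The
# billing fragment is the interesting case: it adds a VCS repository that
# would otherwise never appear in a reviewable file.
FRAGMENTS: dict[str, dict[str, Any]] = {
    "modules/billing/composer.json": {
        "require": {"vendor-a/billing-sdk": "^2.1"},
        "repositories": [
            {"type": "vcs", "url": "https://git.example.org/vendor-a/billing-sdk"}
        ],
    },
    "modules/reports/composer.json": {
        "require": {"monolog/monolog": "^2.0", "vendor-b/reports": "^1.4"},
        "require-dev": {"phpunit/phpunit": "^10.0"},
    },
}


@dataclass
class MergeReport:
    merged: dict[str, Any]
    added_repositories: list[str] = field(default_factory=list)
    conflicts: list[str] = field(default_factory=list)


def merge_fragments(root: dict[str, Any], fragments: dict[str, dict[str, Any]]) -> MergeReport:
    """Merge the included fragments into a copy of the root composer.json.

    Simplified policy (an assumption of this example, not the plugin's
    documented behaviour): the root's constraint wins on conflict and the
    conflict is reported; repositories are appended if not already present.
    """
    merged = json.loads(json.dumps(root))  # deep copy so the caller's dict is untouched
    includes = merged.get("extra", {}).get("merge-plugin", {}).get("include", [])
    report = MergeReport(merged=merged)

    for path in includes:
        fragment = fragments[path]

        for section in ("require", "require-dev"):
            if section not in fragment:
                continue
            target = merged.setdefault(section, {})
            for package, constraint in fragment[section].items():
                if package in target and target[package] != constraint:
                    report.conflicts.append(
                        f"{path}: {package} {constraint} vs root {target[package]}"
                    )
                    continue
                target[package] = constraint

        repositories = merged.setdefault("repositories", [])
        for repo in fragment.get("repositories", []):
            if repo in repositories:
                continue
            repositories.append(repo)
            # Every repository a fragment introduces is surfaced explicitly,
            # so a reviewer sees new package sources rather than trusting them.
            report.added_repositories.append(
                f"{path}: {repo.get('type')} {repo.get('url')}"
            )

    return report


def render_composer_json(report: MergeReport) -> str:
    """Serialise the merged document in the form that would be committed."""
    return json.dumps(report.merged, indent=4) + "\n"


if __name__ == "__main__":
    result = merge_fragments(ROOT, FRAGMENTS)
    print(render_composer_json(result))
    for line in result.added_repositories:
        print("repository added:", line)
    for line in result.conflicts:
        print("constraint conflict:", line)
```

Running the script prints the merged composer.json followed by one "repository added" line for the billing fragment's VCS source and one "constraint conflict" line for the reports fragment's older monolog constraint; committing the printed document is what makes both visible in a normal code review.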