With the release of composer 2.9 comes new behaviour we need to consider.
Automatic Security Blocking
By default, composer now avoids installing packages with known CVEs. This can result in non-installable package requirements, cf. os2forms_forloeb_profile.
```
Problem 1
  - Root composer.json requires os2forms/os2forms ^3.6 || ^4 || ^5 -> satisfiable by os2forms/os2forms[3.6.0, ..., 3.22.2, 4.0.0, 4.1.0, 5.0.0].
  - drupal/diff[dev-1.x, 1.8.0, ..., 1.x-dev, 2.0.0-beta3] require drupal/core ^10 || ^11 -> satisfiable by drupal/core[10.0.x-dev, ..., 10.6.x-dev].
  - os2forms/os2forms[3.6.0, ..., 3.22.2, 4.0.0, ..., 4.1.0, 5.0.0] require drupal/diff ^1.0 -> satisfiable by drupal/diff[1.8.0, 1.9.0, 1.x-dev].
  - Conclusion: don't install drupal/core 10.0.x-dev (conflict analysis result)
  - Conclusion: don't install drupal/core 10.1.x-dev (conflict analysis result)
  - Conclusion: don't install drupal/core 10.2.x-dev (conflict analysis result)
  - Conclusion: don't install drupal/core 10.3.x-dev (conflict analysis result)
  - Conclusion: don't install drupal/core 10.4.x-dev (conflict analysis result)
  - Conclusion: don't install drupal/core 10.5.x-dev (conflict analysis result)
  - Conclusion: don't install drupal/core 10.6.x-dev (conflict analysis result)
  - Conclusion: don't install drupal/core 10.4.9 (conflict analysis result)
  - Conclusion: don't install drupal/core 10.5.6 (conflict analysis result)
  - Conclusion: don't install drupal/core 10.5.7 (conflict analysis result)
  - Conclusion: don't install drupal/core 10.6.0-beta1 (conflict analysis result)
  - Conclusion: don't install drupal/core 10.6.0-rc1 (conflict analysis result)
```

- How do we handle this?
- Should there be some sort of governance for this?
- Who is responsible for issues that may now occur as a result of composer 2.9?