Switching to tilde constraints for controlled updates #676
Comments
AlexSkrypnyk
added
the
State: Needs triage
|
Note: you would need |
|
I've been using this new way on many projects currently and it has proven to be a good way to prevent accidental updates. |
|
I'm not a 100% convinced by this. I expect people to understand that bit of semantic versioning to understand that they will always get the latest Drupal in a branch with the circumflex character. I also don't like needing to manually update composer.json for minor core updates. Biggest downside in m opinion is that we would need to maintain the composer.json more often. But on the other hand I've also seen more breaking changes in minor versions than in the past and I also see other people wanting more fine-grained control of the version installed. |
|
I have used the tilde version in several projects in conjunction with automated updates for dependencies and it worked really well. I have yet to see a single minor Drupal core update on a consumer site that would not require an additional code change, meaning that minor Drupal updates require manual intervention in most cases. Changing the version in composer.json is trivial compared to changes required to the rest of the codebase. My concern is that people may think that minor core updates are similar to contrib updates but in reality they have BC changes. Especially with D11 deprecations. |
|
Yeah but then we maybe leave that to the users of that project. Either this or that you'll probably find users being confused by either way. Some by updating too far, some by not being able to update anymore the way they are used to. If you find a way to automate this, like a dependency bot providing the MR for every minor release, I'd be willing to give it a try though. |
The current caret constraint
^10.2allows versions>=10.2.0 <11.0.0. With the recent Drupal update to10.3, projects using this template without acomposer.lockfile received Drupal10.3updates. This affected automated builds relying on this project as a consistent base for testing, causing builds to break without any code changes.The existing constraints provide a convenient way for existing projects created using this project to avoid updating
composer.jsonand only updatecomposer.lockwhen new versions are released. This is beneficial.However, for projects that are just starting, the
composer.jsoncontains10.2as a lower constraint that the team of this project must maintain. If a consumer project maintainer is unaware of the current version of Drupal, they might think they are getting10.2but actually receive10.3.Considering that minor Drupal versions have API changes and deprecations, there is a high chance that consumer project maintainers would not update their core minor versions automatically by only running
composer update. They would need to ensure contrib modules work correctly with the new core version and perform testing. Thus, they would consciously update theircomposer.lockand possiblycomposer.jsonto include a new version of Drupal core rather than relying on a constraint. The convenience of the^caret constraint for non-Drupal PHP packages may not apply here.Proposal
Switch to a tilde constraint for this project to receive versions
>=10.2.0 <10.3.0on consumer projects and automated builds. The project team will still update the version constraint incomposer.jsonto the most recent Drupal version, but consumer sites (and automated builds) will have a more controlled environment.The update process for the consumer site would now be:
drupal/core-*to~10.3incomposer.jsoncomposer update --with-dependenciesIf we decide to stick with
^, we should at least describe this issue in detail so that project maintainers can make conscious decisions about how they receive updates.Note: I've used
10.2and10.3as example versions here, but the same will apply to any other minor versions in the future.The text was updated successfully, but these errors were encountered: