[wp-trac] [WordPress Trac] #47381: Remove the Composer lock file from version control
WordPress Trac
noreply at wordpress.org
Sat May 25 02:41:01 UTC 2019
#47381: Remove the Composer lock file from version control
------------------------------+---------------------
Reporter: johnbillion | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.3
Component: Build/Test Tools | Version:
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
------------------------------+---------------------
Comment (by ayeshrajans):
Thanks for the ping @johnbillion. I had commented on other Trac issues as
well, and I still think it's a good idea to simplify the logic in the
`travis.yml` and not install PHPUnit globally.
Removal of `composer.lock` file is a big step, and we should evaluate the
pros and cons.
**Reproducible builds**
One of the major reasons to have a `composer.lock` in the first place is
to make sure we get the exact same build in two `composer install` calls.
Drupal and Joomla, both similar software as us and adopted Composer
throughout the software before us, still keep their lock files in the
repo.
With the proposal to use composer to install other dependencies such as
`sodium_compat`, I think it's important to lock down the non-dev
dependencies to a specific commit hash and review dependency updates one
by one. This adds some friction, but it's worth it for a software that
powers 30% of the web :)
Projects such as WordPlate encourage the use of Composer more and more,
and I think as the WordPress Core, we should follow what the rest of the
industry/community does.
**Dev-dependencies**
Although I suggest that we lock non-dev dependencies with a lock files,
dev dependencies are a different story though.
Our major dependency that we cannot lock down is PHPUnit. The current
approach to install a different version globally isn't an elegant
solution, but I understand why that workaround is there.
As a first step, perhaps we can use a `composer require
phpunit/phpunit:^4.0|6.0|^7.0` in the `travus.yml` file, and let composer
pick the appropriate phpunit version depending on the platform.
**npm package lock files**
In the repo, we have the `package-lock.json` file present. I think we
should be consistent in regards to PHP and JS dependencies.
--
Bottom line is that, I think we should keep the `composer.lock` file
considering the tendency of us using composer dependencies in WordPress
such as `sodium_compat`, polyfills, etc. It's considered a good practice
to use lock files in major software, and I think we should follow suit.
Our current phpunit installation approach could use some improvements such
as the use if a single `composer require phpunit/phpunit:^x|^y|^z` command
and remove the if/else blocks in the `travis.yml` file, and also not
assume the global installation of dependencies.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47381#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list