Composer dependencies default to installing an out of date version of SimpleSAMLphp

[nathanjrobertson]

I'm trying to track down some weird behaviour in the simplesamlphp composer dependencies. If you try to install the latest stable simplesamlphp-module-sqlauth in a fresh install it installs simplesamlphp/simplesamlphp 2.4.2, not 2.4.3:

nathanr@tezro:~/tmp$ mkdir ssphp-test2
nathanr@tezro:~/tmp$ cd ssphp-test2/
nathanr@tezro:~/tmp/ssphp-test2$ composer require simplesamlphp/simplesamlphp-module-sqlauth
./composer.json has been created
Running composer update simplesamlphp/simplesamlphp-module-sqlauth
Loading composer repositories with package information
Updating dependencies
Lock file operations: 59 installs, 0 updates, 0 removals
[...]
  - Locking simplesamlphp/assert (v1.9.1)
  - Locking simplesamlphp/composer-module-installer (v1.5.1)
  - Locking simplesamlphp/composer-xmlprovider-installer (v1.0.2)
  - Locking simplesamlphp/saml2 (v5.0.1)
  - Locking simplesamlphp/saml2-legacy (v4.19.0)
  - Locking simplesamlphp/simplesamlphp (v2.4.2)
  - Locking simplesamlphp/simplesamlphp-assets-base (v2.3.11)
  - Locking simplesamlphp/simplesamlphp-module-sqlauth (v1.3.1)
  - Locking simplesamlphp/xml-common (v1.23.2)
  - Locking simplesamlphp/xml-security (v1.12.0)
  - Locking simplesamlphp/xml-soap (v1.6.0)
[...]

nathanr@tezro:~/tmp/ssphp-test2$ composer update -W
Loading composer repositories with package information
Updating dependencies
Nothing to modify in lock file
Writing lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Generating autoload files
38 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found.
nathanr@tezro:~/tmp/ssphp-test2$

I see there are composer.json changes in simplesamlphp 2.4.3 (simplesamlphp/simplesamlphp@v2.4.2...v2.4.3#diff-d2ab9925cad7eac58e0ff4cc0d251a937ecf49e4b6bf57f8b95aab76648a9d34), where the simplesamlphp/simplesamlphp-assets-base version was bumped, and simplesamlphp/xml-common became an explicit dependency (more recent version than the transitive dependency version that was previously installed).

When I explicitly tell composer to install the updated packages, it updates nothing. However when I run explicitly list the packages to update the "--with-all-dependencies" (-W) flag it downgrades a four dependent packages and upgrades simplesamlphp itself:

nathanr@tezro:~/tmp/ssphp-test2$ composer require simplesamlphp/simplesamlphp:2.4.3 simplesamlphp/simplesamlphp-assets-base:~2.4.0 simplesamlphp/xml-common:^1.24.2 -W
./composer.json has been updated
Running composer update simplesamlphp/simplesamlphp simplesamlphp/simplesamlphp-assets-base simplesamlphp/xml-common --with-all-dependencies
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 10 updates, 0 removals
  - Downgrading guzzlehttp/psr7 (2.8.0 => 2.7.1)
  - Downgrading simplesamlphp/assert (v1.9.1 => v1.8.2)
  - Downgrading simplesamlphp/composer-module-installer (v1.5.1 => v1.4.0)
  - Upgrading simplesamlphp/saml2 (v5.0.1 => v5.0.4)
  - Upgrading simplesamlphp/simplesamlphp (v2.4.2 => v2.4.3)
  - Upgrading simplesamlphp/simplesamlphp-assets-base (v2.3.11 => v2.4.3)
  - Upgrading simplesamlphp/xml-common (v1.23.2 => v1.25.1)
  - Upgrading simplesamlphp/xml-security (v1.12.0 => v1.13.7)
  - Upgrading simplesamlphp/xml-soap (v1.6.0 => v1.7.1)
  - Locking symfony/expression-language (v6.4.24)
  - Downgrading webmozart/assert (1.12.0 => 1.11.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 10 updates, 0 removals
  - Downgrading guzzlehttp/psr7 (2.8.0 => 2.7.1): Extracting archive
  - Downgrading webmozart/assert (1.12.0 => 1.11.0): Extracting archive
  - Downgrading simplesamlphp/assert (v1.9.1 => v1.8.2): Extracting archive
  - Downgrading simplesamlphp/composer-module-installer (v1.5.1 => v1.4.0): Extracting archive
  - Upgrading simplesamlphp/xml-common (v1.23.2 => v1.25.1): Extracting archive
  - Upgrading simplesamlphp/xml-soap (v1.6.0 => v1.7.1): Extracting archive
  - Upgrading simplesamlphp/xml-security (v1.12.0 => v1.13.7): Extracting archive
  - Upgrading simplesamlphp/saml2 (v5.0.1 => v5.0.4): Extracting archive
  - Upgrading simplesamlphp/simplesamlphp-assets-base (v2.3.11 => v2.4.3): Extracting archive
  - Installing symfony/expression-language (v6.4.24): Extracting archive
  - Upgrading simplesamlphp/simplesamlphp (v2.4.2 => v2.4.3): Extracting archive
Generating autoload files
39 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found.
nathanr@tezro:~/tmp/ssphp-test2$

The end result is that master of simplesamlphp-module-sqlauth isn't installable with the latest release of simplesamlphp, as it wants to downgrade simplesamlphp/assert:

nathanr@tezro:~/tmp/ssphp-test2$ composer require simplesamlphp/simplesamlphp-module-sqlauth:dev-master
./composer.json has been updated
Running composer update simplesamlphp/simplesamlphp-module-sqlauth
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires simplesamlphp/simplesamlphp-module-sqlauth dev-master -> satisfiable by simplesamlphp/simplesamlphp-module-sqlauth[dev-master].
    - simplesamlphp/simplesamlphp-module-sqlauth dev-master requires simplesamlphp/assert ~1.9.1 -> found simplesamlphp/assert[v1.9.1] but the package is fixed to v1.8.2 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.
nathanr@tezro:~/tmp/ssphp-test2$

So, I think there's some sort of version clash between various SimpleSAMLphp modules and their required version of simplesamlphp/assert.

[tvdijen]

This is correct. I'm preparing all modules to be compatible with the soon-to-be-released v2.5.0.
You should be able to use it together with 2.5.0-rc1

[nathanjrobertson]

This is correct. I'm preparing all modules to be compatible with the soon-to-be-released v2.5.0. You should be able to use it together with 2.5.0-rc1

Does that mean that composer.json for sqlauth in master should become "simplesamlphp/simplesamlphp": ">= "2.5.0-rc1"

[tvdijen]

Yes, but that will make it complain about minimum stability.. It's horrible and I don't think there's a right way to do this besides keeping the period where things are broken as short as possible

[nathanjrobertson]

Fair enough. In this case, I'm testing, so happy to use 2.5.0-rc.

Having said that, perhaps it might be ok that composer complains about stability in this case. The master branch is not a stable release, and not expected to be used in a production environment, and what is in master doesn't work properly against the current stable SimpleSAMLphp release.

After the SimpleSAMLphp 2.5 release is it intended that composer.json for sqlauth will be updated to "simplesamlphp/simplesamlphp": "^2.5.0" ?

[tvdijen]

Yes, I will release new versions of all modules requiring PHP 8.2 and SSP 2.5.x