
Just pushed a package to packagist:

```
composer require rokfor/rokfor-slim:dev-master
```

It's returning the error

```
Your requirements could not be resolved to an installable set of packages.

  Problem 1
  - Installation request for rokfor/rokfor-slim 
    dev-master -> satisfiable by rokfor/rokfor-slim[dev-master].
  - rokfor/rokfor-slim dev-master requires 
    jlndk/slim-jade ^1.0 -> no matching package found.
```

If I'm checking out like

```
$ git clone https://github.com/rokfor/rokfor-slim
$ cd rokfor-slim
$ composer install
```

Everything installs just fine.

I think I'm missing something crucial here. Is it not allowed to push a package to packagist with a source from a vcs repository?

The composer.json looks like:

```json
{
    "name": "rokfor/rokfor-slim",
    "description": "Rokfor CMS: Headless CMS with JSON api",
    "keywords": ["rokfor", "slim", "framework", "view", "template", "jade"],
    "homepage": "http://cloud.rokfor.ch",
    "license": "MIT",
    "type": "project",
    "time": "2016-02-28",
    "authors": [
        {
            "name": "Rokfor",
            "homepage": "http://www.rokfor.ch"
        }
    ],
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/urshofer/slim-jade"
        },
        {
            "type": "vcs",
            "url": "https://github.com/Rokfor/rokfor-php-db"
        },
        {
            "type": "vcs",
            "url": "https://github.com/urshofer/slim-auth"
        }
    ],
    "require": {
        "php": ">=5.5.0",
        "slim/slim": "~3.0",
        "jlndk/slim-jade": "^1.0",
        "rokfor/db": "dev-versioning",
        "monolog/monolog": "^1.17",
        "slim/csrf": "^0.6.0",
        "jeremykendall/slim-auth": "dev-slim-3.x",
        "slim/flash": "^0.1.0",
        "akrabat/rka-ip-address-middleware": "^0.4.0",
        "palanik/corsslim": "dev-slim3",
        "erusev/parsedown": "^1.6",
        "predis/predis": "^1.0",
        "lcobucci/jwt": "^3.1",
        "ext-gd": "*"
    },
    "require-dev": {
        "phpunit/phpunit": "*"
    },
    "minimum-stability": "dev",
    "prefer-stable": true
}
```
rokfor
  • You are missing google... http://stackoverflow.com/questions/20996767/requirements-could-not-be-resolved-to-an-installable-set-of-packages – nerdlyist Sep 13 '16 at 15:28
  • Well, I'm not seeing exactly how the other link is helpful: It's about wrong requirements for sure, but a `composer update` works without problems once the package itself is installed (via `git clone` and `composer install`). My point is that a direct `composer require` does not work. – rokfor Sep 13 '16 at 17:24
  • You can manually install by editing the json or git and then composer update will work. You have to manually do it to get around this. – nerdlyist Sep 13 '16 at 17:31
  • So there is no way to push a package to packagist with dependencies on github? – rokfor Sep 13 '16 at 21:12

1 Answer

In a library, you cannot reference anything other than libraries that are available on packagist.org. Or you instruct your users to reference an additional source for package information.

Adding vcs and package repositories is only allowed for the root `composer.json`, which you cannot influence as a library other than instructing your users to do additional things beyond `composer require your/lib`. Which is kind of annoying, and also may be subject to security considerations, because this will not only open the door for your individual library, but for ANY library as well.

And as you did with "jlndk/slim-jade" (which the original author published from his repository as 0.0.1, and another author re-published it without adding it to packagist or changing the lib's name, adding the version tag 1.0), any additional source of package information can potentially add more package information, i.e. add a newer, malicious version of e.g. a Symfony package.

Sven
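
The answer's point about extra repositories, as an added example that is not part of the original answer: in a root `composer.json`, Composer 2's `only` repository filter limits a custom repository to named packages. The script flags repositories that lack such a filter and adds one; the sample file is constructed from the question's, and the repository-to-package mapping is an assumption.

```python
import json

# Constructed sample: a trimmed root composer.json modelled on the question's file.
SAMPLE = """
{
  "repositories": [
    {"type": "vcs", "url": "https://github.com/urshofer/slim-jade"},
    {"type": "vcs", "url": "https://github.com/Rokfor/rokfor-php-db"},
    {"type": "vcs", "url": "https://github.com/urshofer/slim-auth"}
  ],
  "require": {"slim/slim": "~3.0", "jlndk/slim-jade": "^1.0", "rokfor/db": "dev-versioning"}
}
"""

# Assumed mapping: the single package each repository is meant to supply.
INTENDED = {
    "https://github.com/urshofer/slim-jade": ["jlndk/slim-jade"],
    "https://github.com/Rokfor/rokfor-php-db": ["rokfor/db"],
    "https://github.com/urshofer/slim-auth": ["jeremykendall/slim-auth"],
}


def _repos(data):
    """Composer allows "repositories" as a list or as an object keyed by name."""
    repos = data.get("repositories", [])
    if isinstance(repos, dict):
        repos = list(repos.values())
    # Skip entries without a URL (e.g. {"packagist.org": false}, inline "package" repos).
    return [r for r in repos if isinstance(r, dict) and "url" in r]


def unrestricted(composer_json):
    """URLs of extra repositories that may supply ANY package name."""
    return [r["url"] for r in _repos(json.loads(composer_json)) if not r.get("only")]


def restrict(composer_json, intended):
    """Return composer.json text with an "only" filter added where one is known."""
    data = json.loads(composer_json)
    for repo in _repos(data):
        names = intended.get(repo["url"])
        if names and not repo.get("only"):
            repo["only"] = list(names)  # repository may now serve these names only
    return json.dumps(data, indent=4)


if __name__ == "__main__":
    print("unrestricted:", unrestricted(SAMPLE))
    print(restrict(SAMPLE, INTENDED))
```

The filter only has effect in the root project's file, since Composer ignores the `repositories` section of installed dependencies.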