Why is Composer installing an old version when it isn't specified?

Question

When I do:

composer require deployer/deployer

I get the following output:

Info from https://repo.packagist.org: #StandWithUkraine
Using version ^4.3 for deployer/deployer
./composer.json has been updated
Running composer update deployer/deployer
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - deployer/deployer[v4.3.0, ..., 4.x-dev] require monolog/monolog ^1.21 -> found monolog/monolog[1.21
.0, ..., 1.x-dev] but the package is fixed to 2.3.5 (lock file version) by a partial update and that vers
ion does not match. Make sure you list it as an argument for the update command.
    - Root composer.json requires deployer/deployer ^4.3 -> satisfiable by deployer/deployer[v4.3.0, ...,
 4.x-dev].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.

deployer/deployer is not in the project's composer.json or composer.lock, so what could possibly be requring the relatively ancient version of the package that doesn't seem to be supported by any other package in my Laravel 8 project?

Nowadays, you should install such libraries from a PHAR to avoid incompatibilities with your project's requirements. Also, unless you want to use Deployer code in your application's code, you should install it using `--dev` — Nico Haase, Mar 25 '22 at 06:58
@NicoHaase Isn't the whole point of Composer's dependency management to avoid incompatibilities? Regarding dev dependencies, I originally installed it as one but then read more about dev dependencies and it seems they are stripped out on the production server when running `npm run prod`? Wouldn't this be incompatible with `deployer` as it needs to stay on the production server? — Hashim Aziz, Mar 25 '22 at 14:32
I have no clue what `npm run prod` in your environment does, but if Deployer requires some libraries in version X and your own application requires the same libraries in a different version, you will get into trouble. Also, it could happen that you want to update your own applications libraries, but Deployer hasn't done that for it's requirements, and this blocks the update. PHPUnit had problems with this in the past, and the official recommendation on their side is not to use Composer for this — Nico Haase, Mar 25 '22 at 14:35
@NicoHaase Sorry, I meant the Composer equivalent `composer install --no-dev`. The whole point of using dev dependencies in Composer is I assume to be able to run `composer install --no-dev` when deploying to strip out dev dependencies, but won't this be a problem if I need Deployer to be on the server? — Hashim Aziz, Mar 25 '22 at 14:58
If you need Deployer on the server, it might be fine to install it that way. But even the documentation at https://deployer.org/docs/7.x/installation tells you to use `--dev` — Nico Haase, Mar 25 '22 at 15:07
@NicoHaase Yeah I saw that at first too, it's part of what confused me, but I just remembered something I read about how `deployer` works - it runs locally and executes its commands over SSH, which I'm guessing is why it's safe to install it as a dev dependency. — Hashim Aziz, Mar 25 '22 at 15:12
you might need deployer on your server, but you certainly don't need it within the app on the server. don't user composer on the server at all btw.. create your package and deploy it instead. — hakre, Jul 07 '22 at 05:23

Don't Panic · Accepted Answer · 2022-03-25T15:45:48.803

2

Since you're using PHP 8, 4.3 is the latest version of deployer/deployer that composer has determined to be compatible with your PHP version and minimum stability requirement.

v7 has no stable release yet, but it is the version you need to use with PHP 8.
You can use the release candidate with composer require deployer/deployer:^7.0@RC, or if you set "minimum-stability": "RC" in your composer.json, then composer require deployer/deployer should install it.
v6 requires "php": "^7.2".
I believe this is equivalent to >=7.2 <8.0.0, according to the composer manual.
v5 requires "php": "~7.0" (meaning >=7.0 <8.0)
v4 requires "php": ">=5.6.0" (meaning anything above 5.6.0)
This old version is the one you're getting because it's the only version composer can attempt to install due to the constraints I mentioned above. I don't know if it really is compatible with PHP 8, but I doubt it.

edited Mar 25 '22 at 15:45

answered Mar 24 '22 at 19:24

Don't Panic

41,125
10
61
80

I'm not sure who downvoted your answer (probably the same person who downvoted my question), but I am on PHP 8 so it's possible you're right. It's really strange that the latest version of such a big project doesn't support even the early versions of PHP 8.0, almost two years after it was released. Although what's even stranger is that V4.3 of the project *would* support PHP 8 - how's something like that possible? – Hashim Aziz Mar 24 '22 at 19:53
It is a weird effect, but I really doubt it's what they had in mind. I think this is just an unintended consequence of using the open-ended PHP version constraint in the older version. – Don't Panic Mar 24 '22 at 20:00

Why is Composer installing an old version when it isn't specified?

1 Answers1