Update v1/composer.lock using composer1 update #5717

Merged Oct 6, 2022 (1 commit)

Member

@jeffwidman jeffwidman commented Sep 14, 2022

Used `composer1 update` to update the `v1/composer.lock` file:

```
[dependabot-core-dev] ~/dependabot-core/composer/helpers/v1 $ composer1 update
Loading composer repositories with package information
Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies (including require-dev)
Nothing to install or update
Package php-cs-fixer/diff is abandoned, you should avoid using it. No replacement was suggested.
Writing lock file
Generating autoload files
28 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
```

I suspect the reason that Dependabot hasn't opened PRs to bump these versions is because they're transitive dependencies.

I opened a sister PR for composer v2, but keeping them separate in case we need to revert anything:
#5718

@jeffwidman jeffwidman requested a review from jurre September 14, 2022 00:49
@jeffwidman jeffwidman requested a review from a team as a code owner September 14, 2022 00:49
@jeffwidman jeffwidman marked this pull request as draft September 15, 2022 07:12
@jeffwidman jeffwidman force-pushed the run-composer1-update branch 2 times, most recently from ed0a758 to f70b050 Compare September 15, 2022 09:48
@jeffwidman jeffwidman marked this pull request as ready for review September 15, 2022 09:49
Contributor

@deivid-rodriguez deivid-rodriguez left a comment

Seems fine! I don't feel super confident when reviewing PRs for ecosystems I don't know, since I don't know how stable this kind of thing is there, but I think our standard practice is to try to keep everything up to date and mainly trust CI, so should be fine!

Member

@jurre jurre left a comment

It's probably fine; if tests are passing, let's just roll it out and keep an eye on production metrics, etc.

@jeffwidman
Member Author

That's the spirit guys! Nothing like a good YOLO merge! 😀

Also, I hear there's this bot that can help keep your dependencies up to date... maybe if they ever add support for bumping transitive dependencies we could try it out. 😉

Used `composer1 update` to update the `v1/composer.lock` file:
```
[dependabot-core-dev] ~/dependabot-core/composer/helpers/v1 $ composer1 update
Loading composer repositories with package information
Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies (including require-dev)
Nothing to install or update
Package php-cs-fixer/diff is abandoned, you should avoid using it. No replacement was suggested.
Writing lock file
Generating autoload files
28 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
```

I suspect the reason that Dependabot hasn't opened PRs to bump these
versions is because they're transitive dependencies.

I will open a sister PR for `composer` v2, but keeping them separate in
case we need to revert anything.
@jeffwidman jeffwidman force-pushed the run-composer1-update branch from f70b050 to a220495 Compare October 6, 2022 01:14
@jeffwidman jeffwidman merged commit 3386585 into dependabot:main Oct 6, 2022
@jeffwidman jeffwidman deleted the run-composer1-update branch October 6, 2022 02:08
@pavera pavera mentioned this pull request Oct 31, 2022