Skip to content

Easily identify direct composer dependencies #37

New issue
New issue
Open
#46
#41
Open
Easily identify direct composer dependencies#37
#46
#41
@peterjaap

Description

@peterjaap
peterjaap
opened on Sep 6, 2022

This could be done by making them bold, or by sorting the list on direct & indirect.

For example, here's how Private Packagist updates our issues with a changelog;

image

Activity

davidrjonas

davidrjonas commented on Sep 9, 2022

@davidrjonas
davidrjonas
on Sep 9, 2022 via email
Owner
gisostallenberg

gisostallenberg commented on Oct 28, 2022

@gisostallenberg
gisostallenberg
on Oct 28, 2022

I also really like the column Operation, by which you could easily identify downgrades.
@peterjaap are you going to give a PR a try?

peterjaap

peterjaap commented on Nov 3, 2022

@peterjaap
peterjaap
on Nov 3, 2022 · edited by peterjaap
Author

Hmm I did a little bit of investigating and the code looks in the composer.lock file and uses that to compare. However, the composer.lock file does not hold any information on whether the package mentioned is a direct or indirect dependency.

A way to extract that information is to run composer show --direct but we obviously can't run this command on the previous composer.lock state since that is retrieved from the Git repostiroy.

The way how composer does this internally is by fetching the require list from the composer.json; https://github.com/composer/composer/blob/a63ce7cf96441a32ba70ef63b924c84422e91a98/src/Composer/Command/ShowCommand.php#L682

So the approach here would be to also load the composer.json contents, get the require list from that file, match the packages in composer.lock against those and that way define which are direct and which are indirect.

peterjaap

peterjaap commented on Nov 3, 2022

@peterjaap
peterjaap
on Nov 3, 2022
Author

Quick & dirty small diff that adds an asterix to direct dependencies;

diff --git a/composer-lock-diff b/composer-lock-diff
index b665439..1ad1e4d 100755
--- a/composer-lock-diff
+++ b/composer-lock-diff
@@ -6,13 +6,15 @@ $opts = parseOpts();
 $changes = array();
 $data_from = load($opts['from'], $opts['path'], $opts['vcs'], '');
 $data_to   = load($opts['to'],   $opts['path'], $opts['vcs'], 'composer.lock');
+$composerJson = json_decode(file_get_contents('composer.json'), true);
+$directComposerPackages = array_keys($composerJson['require']);
 
 if (! $opts['only-dev']) {
-    $changes['changes'] = diff('packages', $data_from, $data_to);
+    $changes['changes'] = diff('packages', $data_from, $data_to, $directComposerPackages);
 }
 
 if (! $opts['only-prod']) {
-    $changes['changes-dev'] = diff('packages-dev', $data_from, $data_to);
+    $changes['changes-dev'] = diff('packages-dev', $data_from, $data_to, $directComposerPackages);
 }
 
 if ($opts['json']) {
@@ -42,7 +44,7 @@ foreach($changes as $k => $diff) {
     print tableize($table_titles[$k], $diff, $table_opts);
 }
 
-function diff($key, $data_from, $data_to) {
+function diff($key, $data_from, $data_to, $directComposerPackages) {
 
     $pkgs = array();
 
@@ -62,9 +64,19 @@ function diff($key, $data_from, $data_to) {
             $pkgs[$pkg->name][1] = version($pkg);
             $pkgs[$pkg->name][2] = makeCompareUrl($pkg, $pkgs);
         }
+
     }
 
-    return $pkgs;
+    foreach ($pkgs as $name => $data) {
+        if (in_array($name, $directComposerPackages)) {
+            $result[$name . '*'] = $data;
+        } else {
+            $result[$name] = $data;
+        }
+    }
+
+
+    return $result;
 }
 
 function version($pkg)
@@ -487,4 +499,3 @@ EOF;
     exit(0);
 }
davidrjonas
linked a pull request that will close this issueSeparate out direct dependencies #41on Nov 6, 2022
davidrjonas

davidrjonas commented on Nov 6, 2022

@davidrjonas
davidrjonas
on Nov 6, 2022
Owner

Thanks for the diff! I'd like to implement this a little differently though. The information is read from exactly the same file path, vcs or not, with the extension changed from .lock to .json. For the output, I tried the asterisk but I didn't really like it. It was okay, but I thought displaying them separately would be better. What do you think of this markdown output? (The parens were used because HTML was breaking the line into two when there were spaces around Direct)

Production Changes From To Compare
~(Direct)~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~ ~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
caseysoftware/marvel-helper 1.1.2 2.0.0 ...
doctrine/dbal 2.2.0 v2.9.2 ...
ircmaxell/random-lib v1.1.0 v1.2.0 ...
ircmaxell/security-lib 1.0.0 v1.1.0 ...
monolog/monolog 1.10.0 895066e ...
payintegrator/afterpay 1.5.0 2.0.0 ...
pmjones/fake 0.0.1 0.2.0 ...
~(Indirect)~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~ ~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
doctrine/common 2.2.3 REMOVED
guzzle/guzzle v3.7.4 REMOVED
guzzlehttp/guzzle 6.2.3 6.5.5 ...
guzzlehttp/promises v1.3.1 1.5.1 ...
guzzlehttp/psr7 1.6.1 1.8.3 ...
psr/log 1.1.0 1.1.4 ...
symfony/event-dispatcher v4.3.3 REMOVED
symfony/event-dispatcher-contracts v1.1.5 REMOVED
doctrine/cache NEW 1.12.1
doctrine/event-manager NEW 1.1.1
symfony/polyfill-intl-idn NEW v1.25.0
symfony/polyfill-intl-normalizer NEW v1.25.0
symfony/polyfill-php72 NEW v1.25.0

And this table output,

+------------------------------------+--------+---------+-------------------------------------------------------------------------------------------------+
| Production Changes                 | From   | To      | Compare                                                                                         |
+------------------------------------+--------+---------+-------------------------------------------------------------------------------------------------+
| ~(Direct)~~~~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~ | ~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| caseysoftware/marvel-helper        | 1.1.2  | 2.0.0   | https://gitlab.com/CaseySoftware/marvel-php/compare/1.1.2...2.0.0                               |
| doctrine/dbal                      | 2.2.0  | v2.9.2  | https://github.com/doctrine/dbal/compare/2.2.0...v2.9.2                                         |
| ircmaxell/random-lib               | v1.1.0 | v1.2.0  | https://github.com/ircmaxell/RandomLib/compare/v1.1.0...v1.2.0                                  |
| ircmaxell/security-lib             | 1.0.0  | v1.1.0  | https://github.com/ircmaxell/SecurityLib/compare/1.0.0...v1.1.0                                 |
| monolog/monolog                    | 1.10.0 | 895066e | https://github.com/Seldaek/monolog/compare/1.10.0...895066e                                     |
| payintegrator/afterpay             | 1.5.0  | 2.0.0   | https://bitbucket.org/afterpay-plugins/afterpay-composer-package/branches/compare/2.0.0%0D1.5.0 |
| pmjones/fake                       | 0.0.1  | 0.2.0   | https://gitlab.com/pmjones/fake/compare/0.0.1...0.2.0                                           |
| ~(Indirect)~~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~ | ~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| doctrine/common                    | 2.2.3  | REMOVED |                                                                                                 |
| guzzle/guzzle                      | v3.7.4 | REMOVED |                                                                                                 |
| guzzlehttp/guzzle                  | 6.2.3  | 6.5.5   | https://github.com/guzzle/guzzle/compare/6.2.3...6.5.5                                          |
| guzzlehttp/promises                | v1.3.1 | 1.5.1   | https://github.com/guzzle/promises/compare/v1.3.1...1.5.1                                       |
| guzzlehttp/psr7                    | 1.6.1  | 1.8.3   | https://github.com/guzzle/psr7/compare/1.6.1...1.8.3                                            |
| psr/log                            | 1.1.0  | 1.1.4   | https://github.com/php-fig/log/compare/1.1.0...1.1.4                                            |
| symfony/event-dispatcher           | v4.3.3 | REMOVED |                                                                                                 |
| symfony/event-dispatcher-contracts | v1.1.5 | REMOVED |                                                                                                 |
| doctrine/cache                     | NEW    | 1.12.1  |                                                                                                 |
| doctrine/event-manager             | NEW    | 1.1.1   |                                                                                                 |
| symfony/polyfill-intl-idn          | NEW    | v1.25.0 |                                                                                                 |
| symfony/polyfill-intl-normalizer   | NEW    | v1.25.0 |                                                                                                 |
| symfony/polyfill-php72             | NEW    | v1.25.0 |                                                                                                 |
+------------------------------------+--------+---------+-------------------------------------------------------------------------------------------------+

I'm not sure I like it, but I'm not coming up with any other good ideas for display right now.

peterjaap

peterjaap commented on Nov 9, 2022

@peterjaap
peterjaap
on Nov 9, 2022
Author

@davidrjonas I like it! Maybe hide the direct/indirect header when there are none?

+----------------------------------+---------+-----------+----------------------------------------------------------------------+
| Production Changes               | From    | To        | Compare                                                              |
+----------------------------------+---------+-----------+----------------------------------------------------------------------+
| ~ Direct ~~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~~ | ~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| ~ Indirect ~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~~ | ~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| box/spout                        | v3.3.0  | v2.7.3    | https://github.com/box/spout/compare/v3.3.0...v2.7.3                 |
| magento/module-csp               | 100.4.4 | REMOVED   |                                                                      |
| smile/elasticsuite               | 2.10.11 | 2.10.12.1 | https://github.com/Smile-SA/elasticsuite/compare/2.10.11...2.10.12.1 |
| magento/module-inventory         | NEW     | 1.2.3     |                                                                      |
| magento/module-inventory-api     | NEW     | 1.2.3     |                                                                      |
| sivaschenko/magento2-clean-media | NEW     | 1.1.1     |                                                                      |
+----------------------------------+---------+-----------+----------------------------------------------------------------------+
peterjaap

peterjaap commented on Nov 9, 2022

@peterjaap
peterjaap
on Nov 9, 2022
Author

@davidrjonas hmm I now noticed that table is incorrect, the smile/elasticsuite and sivaschenko/magento2-clean-media packages are actually direct dependencies.

cweiske
added a commit that references this issue on Nov 28, 2024

Separate tables for changes in direct and indirect dependencies

5fa7c7b
cweiske
linked a pull request that will close this issue on Nov 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @peterjaap@davidrjonas@gisostallenberg

      Issue actions
        Easily identify direct composer dependencies · Issue #37 · davidrjonas/composer-lock-diff