Issue #3198340 by alexpott, xjm, Mile23, cilefen, mmjvb, catch, Mixologic, effulgentsia, mfb, longwave, larowlan, greg.1.anderson, Warped, quietone: Strict constraints in drupal/core-recommended make it harder for Composer-managed sites to apply their own security updates when a core update is not available

composer/Generator/Builder/DrupalCoreRecommendedBuilder.php

@@ -41,7 +41,7 @@ class DrupalCoreRecommendedBuilder extends DrupalPackageBuilder {
       // If there is no 'source' record, then this is a path repository
       // or something else that we do not want to include.
       if (isset($package['source']) && !in_array($package['name'], $remove_list)) {
-        $composer['require'][$package['name']] = $package['version'];
+        $composer['require'][$package['name']] = '~' . $package['version'];
       }
     }
     return $composer;
@@ -56,7 +56,7 @@ class DrupalCoreRecommendedBuilder extends DrupalPackageBuilder {
     return [
       "name" => "drupal/core-recommended",
       "type" => "metapackage",
-      "description" => "Locked core dependencies; require this project INSTEAD OF drupal/core.",
+      "description" => "Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.",
       "license" => "GPL-2.0-or-later",
       "conflict" => [
         "webflo/drupal-core-strict" => "*",

composer/Metapackage/CoreRecommended/composer.json

@@ -1,60 +1,60 @@
 {
     "name": "drupal/core-recommended",
     "type": "metapackage",
-    "description": "Locked core dependencies; require this project INSTEAD OF drupal/core.",
+    "description": "Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.",
     "license": "GPL-2.0-or-later",
     "conflict": {
         "webflo/drupal-core-strict": "*"
     },
     "require": {
         "drupal/core": "10.0.x-dev",
-        "asm89/stack-cors": "v2.1.1",
-        "composer/semver": "3.3.2",
-        "doctrine/annotations": "1.13.2",
-        "doctrine/lexer": "1.2.3",
-        "egulias/email-validator": "3.1.2",
-        "guzzlehttp/guzzle": "7.4.4",
-        "guzzlehttp/promises": "1.5.1",
-        "guzzlehttp/psr7": "2.2.1",
-        "masterminds/html5": "2.7.5",
-        "pear/archive_tar": "1.4.14",
-        "pear/console_getopt": "v1.4.3",
-        "pear/pear-core-minimal": "v1.10.11",
-        "pear/pear_exception": "v1.0.2",
-        "psr/cache": "3.0.0",
-        "psr/container": "2.0.2",
-        "psr/event-dispatcher": "1.0.0",
-        "psr/http-client": "1.0.1",
-        "psr/http-factory": "1.0.1",
-        "psr/http-message": "1.0.1",
-        "psr/log": "3.0.0",
-        "ralouphie/getallheaders": "3.0.3",
-        "symfony/console": "v6.1.1",
-        "symfony/dependency-injection": "v6.1.0",
-        "symfony/deprecation-contracts": "v3.1.0",
-        "symfony/error-handler": "v6.1.0",
-        "symfony/event-dispatcher": "v6.1.0",
-        "symfony/event-dispatcher-contracts": "v3.1.0",
-        "symfony/http-foundation": "v6.1.1",
-        "symfony/http-kernel": "v6.1.1",
-        "symfony/mime": "v6.1.1",
-        "symfony/polyfill-ctype": "v1.26.0",
-        "symfony/polyfill-iconv": "v1.26.0",
-        "symfony/polyfill-intl-grapheme": "v1.26.0",
-        "symfony/polyfill-intl-idn": "v1.26.0",
-        "symfony/polyfill-intl-normalizer": "v1.26.0",
-        "symfony/polyfill-mbstring": "v1.26.0",
-        "symfony/polyfill-php80": "v1.26.0",
-        "symfony/process": "v6.1.0",
-        "symfony/psr-http-message-bridge": "v2.1.2",
-        "symfony/routing": "v6.1.1",
-        "symfony/serializer": "v6.1.1",
-        "symfony/service-contracts": "v3.1.0",
-        "symfony/string": "v6.1.0",
-        "symfony/translation-contracts": "v3.1.0",
-        "symfony/validator": "v6.1.1",
-        "symfony/var-dumper": "v6.1.0",
-        "symfony/yaml": "v6.1.0",
-        "twig/twig": "v3.3.10"
+        "asm89/stack-cors": "~v2.1.1",
+        "composer/semver": "~3.3.2",
+        "doctrine/annotations": "~1.13.2",
+        "doctrine/lexer": "~1.2.3",
+        "egulias/email-validator": "~3.1.2",
+        "guzzlehttp/guzzle": "~7.4.4",
+        "guzzlehttp/promises": "~1.5.1",
+        "guzzlehttp/psr7": "~2.2.1",
+        "masterminds/html5": "~2.7.5",
+        "pear/archive_tar": "~1.4.14",
+        "pear/console_getopt": "~v1.4.3",
+        "pear/pear-core-minimal": "~v1.10.11",
+        "pear/pear_exception": "~v1.0.2",
+        "psr/cache": "~3.0.0",
+        "psr/container": "~2.0.2",
+        "psr/event-dispatcher": "~1.0.0",
+        "psr/http-client": "~1.0.1",
+        "psr/http-factory": "~1.0.1",
+        "psr/http-message": "~1.0.1",
+        "psr/log": "~3.0.0",
+        "ralouphie/getallheaders": "~3.0.3",
+        "symfony/console": "~v6.1.1",
+        "symfony/dependency-injection": "~v6.1.0",
+        "symfony/deprecation-contracts": "~v3.1.0",
+        "symfony/error-handler": "~v6.1.0",
+        "symfony/event-dispatcher": "~v6.1.0",
+        "symfony/event-dispatcher-contracts": "~v3.1.0",
+        "symfony/http-foundation": "~v6.1.1",
+        "symfony/http-kernel": "~v6.1.1",
+        "symfony/mime": "~v6.1.1",
+        "symfony/polyfill-ctype": "~v1.26.0",
+        "symfony/polyfill-iconv": "~v1.26.0",
+        "symfony/polyfill-intl-grapheme": "~v1.26.0",
+        "symfony/polyfill-intl-idn": "~v1.26.0",
+        "symfony/polyfill-intl-normalizer": "~v1.26.0",
+        "symfony/polyfill-mbstring": "~v1.26.0",
+        "symfony/polyfill-php80": "~v1.26.0",
+        "symfony/process": "~v6.1.0",
+        "symfony/psr-http-message-bridge": "~v2.1.2",
+        "symfony/routing": "~v6.1.1",
+        "symfony/serializer": "~v6.1.1",
+        "symfony/service-contracts": "~v3.1.0",
+        "symfony/string": "~v6.1.0",
+        "symfony/translation-contracts": "~v3.1.0",
+        "symfony/validator": "~v6.1.1",
+        "symfony/var-dumper": "~v6.1.0",
+        "symfony/yaml": "~v6.1.0",
+        "twig/twig": "~v3.3.10"
     }
 }

core/tests/Drupal/Tests/Composer/Generator/BuilderTest.php

@@ -25,13 +25,13 @@ class BuilderTest extends TestCase {
         [
           'name' => 'drupal/core-recommended',
           'type' => 'metapackage',
-          'description' => 'Locked core dependencies; require this project INSTEAD OF drupal/core.',
+          'description' => 'Core and its dependencies with known-compatible minor versions. Require this project INSTEAD OF drupal/core.',
           'license' => 'GPL-2.0-or-later',
           'require' =>
           [
             'drupal/core' => Composer::drupalVersionBranch(),
-            'symfony/polyfill-ctype' => 'v1.12.0',
-            'symfony/yaml' => 'v3.4.32',
+            'symfony/polyfill-ctype' => '~v1.12.0',
+            'symfony/yaml' => '~v3.4.32',
           ],
           'conflict' =>
           [

core/tests/Drupal/Tests/ComposerIntegrationTest.php

@@ -52,6 +52,9 @@ class ComposerIntegrationTest extends UnitTestCase {
    * @dataProvider providerTestComposerJson
    */
   public function testComposerTilde($path) {
+    if (preg_match('#composer/Metapackage/CoreRecommended/composer.json$#', $path)) {
+      $this->markTestSkipped("$path has tilde");
+    }
     $content = json_decode(file_get_contents($path), TRUE);
     $composer_keys = array_intersect(['require', 'require-dev'], array_keys($content));
     if (empty($composer_keys)) {
@@ -78,7 +81,7 @@ class ComposerIntegrationTest extends UnitTestCase {
     $data = [];
     $composer_json_finder = $this->getComposerJsonFinder(realpath(__DIR__ . '/../../../../'));
     foreach ($composer_json_finder->getIterator() as $composer_json) {
-      $data[] = [$composer_json->getPathname()];
+      $data[$composer_json->getPathname()] = [$composer_json->getPathname()];
     }
     return $data;
   }