chore: Revert unneeded peer-dep-pin and re-gen lock file #7618
@@ -5,7 +5,6 @@ | |||
"icanhazstring/composer-unused": "^0.8.11", | |||
"maglnet/composer-require-checker": "^4.7.1", | |||
"mi-schi/phpmd-extension": "^4.3.0", | |||
"pdepend/pdepend": "~2.15.0", |
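Review bot: on the `pdepend/pdepend` line (`~2.15.0`) at the end of this hunk, dropping the pin means nothing in this file bounds that package any more, so only the regenerated lock file keeps a known-good release in place. An install that resolves without the lock file (for example with `--prefer-lowest`, as raised in the thread) takes whatever the remaining packages' own constraints allow. If that path matters, consider a `conflict` entry for the broken range rather than a `require` pin, and state in the PR description which release the new lock file resolves to.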
Can we somehow prevent installing the wrong version?
E.g. require versions of direct dependencies that enforce high-level peer-dependencies, or with conflicts?
I imagine someone installing with --prefer-lowest etc., and getting a broken variant of this lib.
The other repo should do that, not us. It's wrong for us to intrude in that way, or even assume they will keep using that lib at all. The risk is low anyway IMO, since the intended use case is to install from lock file.
@Wirone, you were the one introducing it, want to give a green light?
I kind of agree with @GrahamCampbell that it's Mess Detector's responsibility to provide proper constraints (that would exclude invalid versions of its dependency). It was a hack to ensure proper MD work, but at this point we can lock on a newer, working release.
Closes #7517.