Issue #3350568 by Wim Leers, phenaproxima, catch, tedbow, TravisCarden: Drop...

Issue #3350568 by Wim Leers, phenaproxima, catch, tedbow, TravisCarden: Drop support for Composer 2.2, require Composer >=2.5.5

dictionary.txt

@@ -10,5 +10,4 @@ unwritable
 filedate
 unshallow
 hhvm
-tmpdir
 proc_open

drupalci.yml

@@ -9,6 +9,8 @@ build:
       # Run code quality checks.
       container_command.commit-checks:
         commands:
+          # Update to Composer 2.5.5.
+          - composer self-update 2.5.5
           # @todo Replace in favor of commit-code-check.sh once https://www.drupal.org/project/drupal/issues/3314100 lands.
           - modules/contrib/automatic_updates/scripts/commit-code-check.sh --drupalci
         halt-on-fail: true

package_manager/src/ComposerInspector.php

@@ -51,18 +51,14 @@ class ComposerInspector implements LoggerAwareInterface {
    * A semantic version constraint for the supported version(s) of Composer.
    *
    * Only versions supported by Composer are supported: the LTS and the latest
-   * minor version. Those are currently 2.2 and 2.5.
+   * minor version. Those are currently (May 2023) 2.2 and 2.5, but will be 2.5
+   * and 2.6 later this year (December 2023): the 2.2 LTS ends in December 2023.
    *
    * @see https://endoflife.date/composer
    *
-   * Note that Composer <= 2.2.11 is not supported anymore due to a security
-   * vulnerability.
-   *
-   * @see https://blog.packagist.com/cve-2022-24828-composer-command-injection-vulnerability/
-   *
    * @var string
    */
-  final public const SUPPORTED_VERSION = '~2.2.12 || ^2.5';
+  final public const SUPPORTED_VERSION = '~2.5.5 || ^2.6';
 
   /**
    * Constructs a ComposerInspector object.
@@ -261,12 +257,7 @@ class ComposerInspector implements LoggerAwareInterface {
     catch (RuntimeException $e) {
       // Assume any error from `composer config` is about an undefined key-value
       // pair which may have a known default value.
-      // @todo Remove this in https://www.drupal.org/i/3350568.
       switch ($key) {
-        // @see https://getcomposer.org/doc/04-schema.md#minimum-stability
-        case 'minimum-stability':
-          return 'stable';
-
         case 'extra':
           return '{}';
 
@@ -473,36 +464,6 @@ class ComposerInspector implements LoggerAwareInterface {
     return $invalidate;
   }
 
-  /**
-   * Tries to convert a string value from ::getConfig() to a boolean.
-   *
-   * For boolean config values, `composer config` returns `true` or `false` as
-   * of Composer 2.5.5, but older versions return `1` or `0`. This function
-   * normalizes the discrepancy.
-   *
-   * You should call this method if you're calling ::getConfig() to retrieve a
-   * config value that will be, or may be a boolean (e.g., `allow-plugins`). See
-   * https://getcomposer.org/doc/06-config.md for documentation on all the
-   * possible config values that `composer config` can expose.
-   *
-   * @param string $value
-   *   The value to convert. Must be one of '1', 'true', '0', or 'false'.
-   *
-   * @return bool
-   *   The value, as a boolean.
-   *
-   * @see https://getcomposer.org/doc/06-config.md
-   *
-   * @throws \UnhandledMatchError
-   *   If the given value cannot be converted to a boolean.
-   */
-  public static function toBoolean(string $value): bool {
-    return match ($value) {
-      '1', 'true' => TRUE,
-      '0', 'false' => FALSE,
-    };
-  }
-
   /**
    * Returns the value of `allow-plugins` config setting.
    *
@@ -516,17 +477,12 @@ class ComposerInspector implements LoggerAwareInterface {
    * @see https://getcomposer.org/doc/06-config.md#allow-plugins
    */
   public function getAllowPluginsConfig(string $dir): array|bool {
-    // If `allow-plugins` is `false`, Composer 2.5.4 and earlier has no output.
-    $value = $this->getConfig('allow-plugins', $dir) ?? 'false';
+    $value = $this->getConfig('allow-plugins', $dir);
+
+    // Try to convert the value we got back to a boolean. If it's not a boolean,
+    // it should be an array of plugin-specific flags.
+    $value = json_decode($value, TRUE, flags: JSON_THROW_ON_ERROR);
 
-    // Try to convert the value we got back to a boolean. If that can't be done,
-    // assume it's an array of plugin-specific flags and parse it as JSON.
-    try {
-      $value = static::toBoolean($value);
-    }
-    catch (\UnhandledMatchError) {
-      $value = json_decode($value, TRUE, flags: JSON_THROW_ON_ERROR);
-    }
     // An empty array indicates that no plugins are allowed.
     return $value ?: [];
   }

package_manager/src/ProcessFactory.php

@@ -69,24 +69,6 @@ final class ProcessFactory implements ProcessFactoryInterface {
     $env = $process->getEnv();
     if ($this->isComposerCommand($command)) {
       $env['COMPOSER_HOME'] = $this->getComposerHomePath();
-      // Work around Composer not being designed to be run massively in parallel
-      // which it may in the context of Package Manager, at least for tests. It
-      // is trivial to work around though: create a unique temporary directory
-      // per process.
-      // @see https://www.drupal.org/i/3338789#comment-14961390
-      // @see https://github.com/composer/composer/commit/28e9193e9ebde743c19f334a7294830fc6429d06
-      // @see https://github.com/composer/composer/commit/43eb471ec293822d377b618a4a14d8d3651f5d13
-      // @todo Remove this once Composer 2.5.5 is required in https://www.drupal.org/i/3350568 (2.5.5 is the first release to contain the upstream fix: https://github.com/composer/composer/releases/tag/2.5.5)
-      static $race_condition_proof_tmpdir;
-      if (!isset($race_condition_proof_tmpdir)) {
-        $race_condition_proof_tmpdir = sys_get_temp_dir() . '/' . getmypid();
-        // The same PHP process may run multiple tests: create the directory
-        // only once.
-        if (!is_dir($race_condition_proof_tmpdir)) {
-          mkdir($race_condition_proof_tmpdir);
-        }
-      }
-      $env['TMPDIR'] = $race_condition_proof_tmpdir;
     }
     // Ensure that the current PHP installation is the first place that will be
     // searched when looking for the PHP interpreter.

package_manager/src/Validator/ComposerValidator.php

@@ -83,7 +83,7 @@ final class ComposerValidator implements EventSubscriberInterface {
     $settings = [];
     foreach (['disable-tls', 'secure-http'] as $key) {
       try {
-        $settings[$key] = ComposerInspector::toBoolean($this->composerInspector->getConfig($key, $dir) ?: '0');
+        $settings[$key] = json_decode($this->composerInspector->getConfig($key, $dir));
       }
       catch (\Throwable $e) {
         $event->addErrorFromThrowable($e, $this->t('Unable to determine Composer <code>@key</code> setting.', [

package_manager/tests/src/Kernel/ComposerInspectorTest.php

@@ -217,10 +217,12 @@ class ComposerInspectorTest extends PackageManagerKernelTestBase {
    *
    * @covers ::validate
    *
-   * @testWith ["2.2.12", null]
-   *   ["2.2.13", null]
-   *   ["2.5.0", null]
+   * @testWith ["2.2.12", "<default>"]
+   *   ["2.2.13", "<default>"]
+   *   ["2.5.0", "<default>"]
+   *   ["2.5.5", null]
    *   ["2.5.11", null]
+   *   ["2.6.0", null]
    *   ["2.2.11", "<default>"]
    *   ["2.2.0-dev", "<default>"]
    *   ["2.3.6", "<default>"]

package_manager/tests/src/Kernel/LockFileValidatorTest.php

@@ -51,8 +51,8 @@ class LockFileValidatorTest extends PackageManagerKernelTestBase {
     $inspector = $this->prophesize(ComposerInspector::class);
     $arguments = Argument::cetera();
     $inspector->getConfig('allow-plugins', $arguments)->willReturn('[]');
-    $inspector->getConfig('secure-http', $arguments)->willReturn('1');
-    $inspector->getConfig('disable-tls', $arguments)->willReturn('0');
+    $inspector->getConfig('secure-http', $arguments)->willReturn('true');
+    $inspector->getConfig('disable-tls', $arguments)->willReturn('false');
     $inspector->getConfig('extra', $arguments)->willReturn('{}');
     $inspector->getConfig('minimum-stability', $arguments)->willReturn('stable');
     $inspector->getInstalledPackagesList($arguments)->willReturn(new InstalledPackagesList());