From bd0ef69ef41d6310539b6b29f5f3ca25a57c85d5 Mon Sep 17 00:00:00 2001
From: omkar podey <58183-omkar.podey@users.noreply.drupalcode.org>
Date: Tue, 28 Mar 2023 15:02:47 +0000
Subject: [PATCH] Issue #3347267 by omkar.podey, phenaproxima:
 ComposerMinimumStabilityValidator doesn't check dev packages

---
 .../tests/src/Kernel/ExtensionUpdaterTest.php |  8 ++++----
 .../ComposerMinimumStabilityValidator.php     |  2 +-
 .../ComposerMinimumStabilityValidatorTest.php | 19 ++++++++++++++++---
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/automatic_updates_extensions/tests/src/Kernel/ExtensionUpdaterTest.php b/automatic_updates_extensions/tests/src/Kernel/ExtensionUpdaterTest.php
index 9c5bf5937f..3f0f8f026d 100644
--- a/automatic_updates_extensions/tests/src/Kernel/ExtensionUpdaterTest.php
+++ b/automatic_updates_extensions/tests/src/Kernel/ExtensionUpdaterTest.php
@@ -50,7 +50,7 @@ class ExtensionUpdaterTest extends AutomaticUpdatesExtensionsKernelTestBase {
       'my_module' => '9.8.1',
       // Use a legacy version number to ensure they are converted to semantic
       // version numbers which will work with the drupal.org Composer facade.
-      'my_dev_module' => '8.x-1.2-alpha1',
+      'my_dev_module' => '8.x-1.2-alpha1@alpha',
     ]);
     $user = $this->container->get('current_user')->getAccount();
     // Rebuild the container to ensure the package versions are persisted.
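Review bot: The comment above `'my_dev_module'` still explains only the legacy version number, while the value now also carries an `@alpha` stability flag whose purpose is not stated. The flag is presumably needed because this commit makes ComposerMinimumStabilityValidator check dev packages, so an alpha release would otherwise be rejected under a stricter minimum-stability; that should be confirmed and recorded. I would extend the comment with something like `// The @alpha stability flag is needed because dev packages are now checked against minimum-stability.` The same flag is added without explanation to the expected versions and the expected Composer arguments in the next two hunks of this file, and the test method starts and ends outside this hunk.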
@@ -69,7 +69,7 @@ class ExtensionUpdaterTest extends AutomaticUpdatesExtensionsKernelTestBase {
         'drupal/my_module' => '9.8.1',
       ],
       'dev' => [
-        'drupal/my_dev_module' => '1.2.0-alpha1',
+        'drupal/my_dev_module' => '1.2.0-alpha1@alpha',
       ],
     ];
     $this->assertSame($expected_versions, $extension_updater->claim($id)->getPackageVersions());
@@ -93,13 +93,13 @@ class ExtensionUpdaterTest extends AutomaticUpdatesExtensionsKernelTestBase {
         'require',
         '--dev',
         '--no-update',
-        'drupal/my_dev_module:1.2.0-alpha1',
+        'drupal/my_dev_module:1.2.0-alpha1@alpha',
       ],
       [
         'update',
         '--with-all-dependencies',
         'drupal/my_module:9.8.1',
-        'drupal/my_dev_module:1.2.0-alpha1',
+        'drupal/my_dev_module:1.2.0-alpha1@alpha',
       ],
     ];
     $extension_updater->stage();
diff --git a/package_manager/src/Validator/ComposerMinimumStabilityValidator.php b/package_manager/src/Validator/ComposerMinimumStabilityValidator.php
index 28efe36294..13ed4a84a3 100644
--- a/package_manager/src/Validator/ComposerMinimumStabilityValidator.php
+++ b/package_manager/src/Validator/ComposerMinimumStabilityValidator.php
@@ -44,7 +44,7 @@ final class ComposerMinimumStabilityValidator implements EventSubscriberInterfac
   public function validate(PreRequireEvent $event): void {
     $dir = $this->pathLocator->getProjectRoot();
     $minimum_stability = $this->inspector->getConfig('minimum-stability', $dir);
-    $requested_packages = $event->getRuntimePackages();
+    $requested_packages = array_merge($event->getDevPackages(), $event->getRuntimePackages());
 
     foreach ($requested_packages as $package_name => $version) {
       // In the root composer.json, a stability flag can also be specified. They
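Review bot: `array_merge()` on two arrays keyed by package name keeps only the later value for a duplicate key, so if a package is requested in both lists the runtime constraint replaces the dev one. The dev constraint is then never compared with minimum-stability. Whether a caller can pass the same name in both lists is not visible here, so it should be either ruled out or handled. Checking each list in turn avoids the collision, for example by wrapping the existing loop in `foreach ([$event->getDevPackages(), $event->getRuntimePackages()] as $requested_packages) {`. The body of validate() continues past the end of this hunk.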
diff --git a/package_manager/tests/src/Kernel/ComposerMinimumStabilityValidatorTest.php b/package_manager/tests/src/Kernel/ComposerMinimumStabilityValidatorTest.php
index f3ff2e8ce6..ea73f7c32a 100644
--- a/package_manager/tests/src/Kernel/ComposerMinimumStabilityValidatorTest.php
+++ b/package_manager/tests/src/Kernel/ComposerMinimumStabilityValidatorTest.php
@@ -33,9 +33,22 @@ class ComposerMinimumStabilityValidatorTest extends PackageManagerKernelTestBase
     $stage->destroy();
 
     // Specifying a stability flag bypasses this check.
-    $stage1 = $this->createStage();
-    $stage1->create();
-    $stage1->require(['drupal/core:9.8.1-beta1@dev']);
+    $stage->create();
+    $stage->require(['drupal/core:9.8.1-beta1@dev']);
+    $stage->destroy();
+
+    // Dev packages are also checked.
+    $stage->create();
+    $result = ValidationResult::createError([
+      t("<code>drupal/core-dev</code>'s requested version 9.8.x-dev is less stable (dev) than the minimum stability (stable) required in <PROJECT_ROOT>/composer.json."),
+    ]);
+    try {
+      $stage->require([], ['drupal/core-dev:9.8.x-dev']);
+      $this->fail('Able to require a package even though it did not meet minimum stability.');
+    }
+    catch (StageEventException $exception) {
+      $this->assertValidationResultsEqual([$result], $exception->event->getResults());
+    }
   }
 
 }
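Review bot: The new dev-package case only exercises rejection with an empty runtime list, so two behaviours of the changed validator stay unpinned. One is a dev package with an explicit stability flag being accepted; the other is a package name present in both the runtime and dev lists. The second matters because the validator now combines the lists with `array_merge()`, where a duplicate key keeps only the runtime value. A further `create()` / `require()` / `destroy()` round with something like `$stage->require([], ['drupal/core-dev:9.8.x-dev@dev']);` would cover the first, and a call passing the same package in both arguments would cover the second. The test method begins outside this hunk.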
-- 
GitLab