I am hosting my own Satis repository via GitLab pages.
For some reason however, it keeps on erroring with The checksum verification of the file failed when composer tries to install one of the repositories.
Its happening on and off for a few weeks now, and I can't work out why its happening or how to debug it.
Here is my satis.json:
{
"name": "Composer Repository",
"homepage": "<snip>",
"repositories": [
{"type": "vcs", "url": "<snip>"},
{"type": "vcs", "url": "<snip>"}
],
"require-all": true,
"require-dependencies": true,
"archive": {
"directory": "dist",
"format": "zip",
"skip-dev": true,
"checksum": false
}
}
I added checksum: false a week ago which seemed to fix the issue, but now it has just arrived again.
I've tried clearing caches and nothing is working. Any ideas?
Related
I am trying to set up Composer to work without internet access. I have set up a server in the local network with a Satis configured repository with the following configuration file:
{
"name": "private/composer",
"homepage": "http://<some_ip>:9500",
"repositories": [
{"type": "composer", "url": "https://packagist.org"}
],
"require-dependencies": true,
"require": { ... },
"archive": {
"directory": "offline",
"format": "zip"
},
"config": {
"preferred-install": "dist"
}
}
After running
$ ./satis/bin/satis build ./satis.json ./mirror
Everything works, I get my ./satis/mirror/offline directory filled up with .zip files of the packages I am mirroring from packagist.org.
In my Composer, project, I added the following sections to the composer.json configuration:
{
"repositories": [{
"type": "composer",
"url": "http://<some_ip>:9500"
}],
"config": {
"secure-http": false
},
...
}
I tried to run composer install then and I get an error about Composer not begin able to access https://packagist.org/packages.json. Why is it trying to do that? How can I make this process work without internet access?
Thank you!
By default Composer does not disable access to packagist.org when you add custom repos. You can disable it with the following config:
{
"repositories": [
{
"packagist.org": false
}
]
}
I'd like to fetch the composer.lock (& .json) from a project, and run some test to see if there is outdated packages in it.
the composer outdated seems to require me to install all packages first,
but that seams a bit overkill, as all needed information should be in the composer.lock-file.
Is there information avaible after an install, thats not avaible from the lock-file?
Is it posible to find outdated packages without running the composer install?
Update 1
I take "foolz/sphinxql-query-builder" as an exemple from one project.
In composer.json there is a
require['foolz/sphinxql-query-builder'] = '^1.0'.
In composer.lock there is a
packages[] = {name: foolz/sphinxql-query-builder, version: '1.0.2', ...}
In ~/.cache/composer/repo/https---packagist.org/p-provider-2018-04.json there is a providers['foolz/sphinxql-query-builder']->sha256
In ~/.cache/composer/repo/https---packagist.org/provider-foolz\$sphinxql-query-builder.json there is a
packages['foolz/sphinxql-query-builder']->$version
From that file i can run
array_keys((array) $json->packages->{'foolz/sphinxql-query-builder'})
to get a list of availible versions.
So how do i fetch the latest 'provider-foolz\$sphinxql-query-builder.json' file?
Composer.lock defines the exact versions of your packages, so only with this file you are not able to define if it is possible to upgrade the package to a new tag version
For example,
In composer.json you have this version of package
"laravelium/sitemap": "^3.0",
In composer lock there exists this information
{
"name": "laravelium/sitemap",
"version": "v3.0.1",
"source": {
"type": "git",
"url": "https://gitlab.com/Laravelium/Sitemap.git",
"reference": "b287ec4a6b47dcd63fd121199c05e059c479bc6f"
},
"dist": {
"type": "zip",
"url": "https://gitlab.com/api/v4/projects/Laravelium%2FSitemap/repository/archive.zip?sha=b287ec4a6b47dcd63fd121199c05e059c479bc6f",
"reference": "b287ec4a6b47dcd63fd121199c05e059c479bc6f",
"shasum": ""
},
"require": {
"illuminate/support": "5.7.*",
"php": ">=7.1.3"
},
"require-dev": {
"orchestra/testbench": "3.7.*",
"phpunit/phpunit": "~7.0"
},
"type": "library",
"extra": {
"laravel": {
"providers": [
"Laravelium\\Sitemap\\SitemapServiceProvider"
]
}
},
"autoload": {
"psr-0": {
"Laravelium\\Sitemap": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Roumen Damianoff",
"email": "roumen#damianoff.com",
"homepage": "https://damianoff.com",
"role": "Developer"
}
],
"description": "Laravelium Sitemap package for Laravel.",
"homepage": "https://laravelium.com",
"keywords": [
"Sitemap",
"generator",
"google-news",
"html",
"laravel",
"laravelium",
"php",
"xml"
],
"time": "2018-09-04T19:08:44+00:00"
},
Note, that you will install version v3.{\d+} (>=3 && <4) if it exists, and new tag version may have incompatible change
composer show -l returns the list of packages. Coloured red packages can be updated, and colored green are on the latest version.
Nevertheless, you steel need to proceed with composer install, because only this way you can understand the exact versions of installed packages
We've started to use Satis for a private composer repository.
All is going well - except something which we cannot figure out.
--
When we run the satis build - it generates the json and the zips to download.
Our config resembles something like
{
"name": "Premium Repositories",
"homepage": "https://some-website.com",
"require-all": false,
"repositories": [
{
"type": "vcs",
"url": "git#bitbucket.org:our-repo.git"
}
],
"archive": {
"directory": "dist"
}
}
The json it then generates contains something like
"some/package": {
"dev-master": {
"name": "some/package",
"version": "dev-master",
"version_normalized": "9999999-dev",
"source": {
"type": "git",
"url": "git#bitbucket.org:selesti/some-package.git",
"reference": "db0abb6a6983738d768b64684f82d178059b85b4"
},
"dist": {
"type": "zip",
"url": "https://some-domain/dist/some/package/some-package-dev-master-ec67bc.zip",
"reference": "db0abb6a6983738d768b64684f82d178059b85b4",
"shasum": "f04821a159f6f19ea6e5be8624d88f32b168e205"
},
"require": {
"magento/framework": ">=100.0.0",
"php": "~5.5.0|~5.6.0|>=7.0.0",
"some/core": ">=3.0.0"
},
"time": "2018-02-16T09:00:56+00:00",
"type": "magento2-module"
}
}
We can clearly see from this it contains both the zip and the source.
This seems to mean that when we run composer install it tries to install the source version first - which fails as it doesn't have read-access - then it falls back to the dist, which works.
Is this the natural behaviour of composer if there is a source field within the composer.lock ? - And if so, is it possible for satis to not generate the source object, so it automatically goes straight to the dist key?
Thanks
I'm not sure if you can exclude source repos from Satis output, but as an alternative, you can tell Composer to use dist repos by default with configuration similar to:
{
"config": {
"preferred-install": "dist"
}
}
You can also specify preferred-install config on package by package basis, as per docs:
{
"config": {
"preferred-install": {
"my-organization/stable-package": "dist",
"my-organization/*": "source",
"partner-organization/*": "auto",
"*": "dist"
}
}
}
I just put up a package on packagist and I tried to run a composer update and am getting the error:
Unknown downloader type: h. Available types: git, svn, hg, perforce, zip, rar, tar, gzip, phar, file.
In the main project file I have this:
"require": {
//.......
"cyphix333/sbb-code-parser": "dev-master"
},
The composer.json file for cyphix333/sbb-code-parser is:
{
"name": "cyphix333/sbb-code-parser",
"description": "SBBCodeParser is a simple BBCode parser",
"keywords": [
"SBBCodeParser"
],
"homepage": "https://github.com/samclarke/SBBCodeParser",
"canonical": "https://github.com/cyphix333/SBBCodeParser",
"source": "https://github.com/cyphix333/SBBCodeParser/tree/master",
"autoload": {
"classmap": ["SBBCodeParser.php","classes/"]
},
"authors": [
{
"name": "Sam Clarke"
}
],
"require": {
"php": ">=5.3"
}
}
I am not sure what I am doing wrong here?
If you just started getting this error, try composer clear-cache and/or delete ~/.composer and vendor.
The specific error I was getting was:
[InvalidArgumentException]
Unknown downloader type: . Available types: git, svn, fossil, hg, perforce, zip, rar, tar, gzip, xz, phar,
file, path.
I just deleted everything and then tried again; works now.
I'm using
Composer version 1.2.0 2016-07-19 01:28:52
I've solved this issue deleting the vendor directory.
rm -Rf vendor
And then running:
composer update
Changes to your composer.json: dropped canonical and source; added type library.
Give this one a try:
{
"name": "cyphix333/sbb-code-parser",
"description": "SBBCodeParser is a simple BBCode parser",
"homepage": "https://github.com/samclarke/SBBCodeParser",
"keywords": ["SBBCodeParser"],
"type": "library",
"authors": [
{
"name": "Sam Clarke"
}
],
"require": {
"php": ">=5.3"
},
"autoload": {
"classmap": ["SBBCodeParser.php", "classes/"]
}
}
I did resolve this error after updating the composer version.
The installation did not work with composer v2.
Passing to the v1 version works.
composer self-update --1
I encountered this issue too, we had a human error in our composer.json. The dist part of one of our custom repositories was entered with a faulty downloader type (as stated in the error message).
{
"type": "package",
"package": {
"name": "campaignmonitor/createsend-php",
"type": "drupal-library",
"version": "dev-master",
"dist": {
"url": "https://github.com/campaignmonitor/createsend-php.git",
"type": "drupal-library"
},
"source": {
"url": "https://github.com/campaignmonitor/createsend-php.git",
"type": "git",
"reference": "master"
}
}
}
Note that the dist's type is entered as drupal-library, that is the package type, not the downloader type. We corrected this by using the following for dist:
"dist": {
"url": "https://github.com/campaignmonitor/createsend-php/archive/master.zip",
"type": "zip"
},
As we developed this project we had no problems when running composer install locally. We encountered this error when making the project production ready, using --prefer-dist. Obviously, it will only then use dist over source and then encounter this error.
Disclaimer: This case is somewhat different then the original question, though it's highly relatable and this question came up on top when trying to search for the answer. I hope this is okay.
I've successfully set up Satis on my own server and am able to pull in packages from it.
However, dependencies that are required in those private packages are constantly being cloned at their bleeding edge version instead of the specified version constraint. I think that Satis is creating a local mirror of the latest dev-version. However I do not want to have a local mirror, I just need them to install directly from Packagist.
So how do I need to setup the project / package / Satis to have the dependencies in those private packages installed from Packagist?
Thanks.
This is my Satis build file:
{
"name": "Package Server",
"homepage": "http://packages.URL",
"repositories": [
{
"type": "vcs",
"url": "git#bitbucket.org:USERNAME/REPO.git",
"options": {
"ssh2": {
"username": "USERNAME",
"pubkey_file": "PUBFILE",
"privkey_file": "PRIVATEFILE"
}
}
}
],
"require-all": true
}
And this is the composer.json file of the project requiring the private package (package has no tagged releases):
{
"name": "Test Project",
"description": "",
"require": {
"php": ">=5.4.0",
"USERNAME/REPO": "*"
},
"repositories": [
{
"type": "composer",
"url": "http://packages.URL"
}
],
"minimum-stability": "dev"
}
And this is the private package's composer.json:
{
"name": "USERNAME/RPO",
"description": "",
"require": {
"php": ">=5.4.0",
"illuminate/support": "5.0.*",
"vinkla/hashids": "~1.0"
},
"minimum-stability": "dev"
}
In your Satis config you defined "require-all": true.
This is default and selects all versions of all packages in the repository you defined.
You could try to remove "require-all": true in favor of a require section.
This means that Satis will only contain these specific packages and their versions, like so:
"require": {
"company/packageA": "*",
"company/packageB": "1.2.3",
"company/packageC": "2.0.0"
}
It's package cherry picking on Satis
So if I understand correctly I need to add the private packages that are available in the specified private repository in the require key and their own dependencies will then install from Packagist?
Add require-dependencies - this tells Satis to mirror not only the packages specified in the "require" section, but also all their dependencies.
See https://getcomposer.org/doc/articles/handling-private-packages-with-satis.md#resolving-dependencies
Is it possible to have multiple packages resided in one defined repository or does every single package need their own repository url entry in Satis?
I think it's not possible to have multiple packages in one "type": "vcs" repository.
With "type": "composer" and a cloned packagist you can store multiple repos.
Think of http://drupal-composer.org with http://packagist.drupal-composer.org/.
{
"repositories": [
{ "type": "vcs", "url": "https://github.com/somewhere/packageA" },
{ "type": "composer", "url": "https://packagist.org" }
],
"require": {
"package/packageA": "somewhere-dev",
"phpunit/phpunit": "*"
},
"require-dependencies": true
}