| 19 May 2023 |
 Jan Tojnar | I guess we could do it like napalm does and run http server | 20:33:38 |
 Pol | I have no clue on those things | 20:33:55 |
| Jan Tojnar | Pol: regarding the composer packaging it looks like composer update --lock will require even developer dependencies to be in the repo | 21:19:31 |
| Jan Tojnar | which makes sense, --no-dev should not produce partial lockfile | 21:19:58 |
| Pol | Mmh mmh | 21:20:27 |
| Jan Tojnar | so we cannot support includeDev in the fetchComposerDeps function | 21:20:35 |
| Jan Tojnar | and need to optimize the fetcher instead | 21:20:44 |
| Pol | But we can do `composer update --lock --no-dev` | 21:20:52 |
| Jan Tojnar | we can, but it will still look for dev dependencies so that it can lock them | 21:21:18 |
| Jan Tojnar | it just will not install them | 21:21:31 |
| Jan Tojnar | * it just will skip installing them | 21:21:44 |
| Pol | Right, so, we have to parse lock files and intersect with composer.json.require then ? | 21:22:21 |
| Jan Tojnar | we could have the setup hook patch the sources inside the lockfile, instead of running composer update --lock | 21:23:38 |
| Jan Tojnar | and rely on the fact that the dev dependencies will not be installed with --no-dev so it would not matter that the path would be non-existent | 21:24:19 |
| Jan Tojnar | or we could just optimize the fetcher so that downloading dev dependencies is not pain | 21:25:00 |
| Pol | I prefer to optimize the fetcher | 21:25:21 |
| Pol | Maybe we can just skip the package if the package is not in require section. | 21:27:53 |
| Jan Tojnar | actually, maybe just using the dists would be fine for you, then | 21:27:54 |
| Pol | What do you mean? | 21:28:06 |
| Pol | How about making the changes in the composer plugin ? | 21:28:23 |
| Pol | Just added you as a maintainer | 21:29:25 |
| Pol | Feel free to hack into it | 21:29:47 |
 tgerbet | In reply to @drupol:matrix.org
Maybe we can just skip the package if the package is not in require section. Not exactly because you need to know the whole tree to determine if a transitive dep is needed for a prod dependency or not | 21:30:12 |
| Pol | I'm now going to bed, I've worked in my house the whole day, the baseboards are almost done, I need to get some sleep | 21:30:25 |
| Pol | In reply to @tgerbet:matrix.org
Not exactly because you need to know the whole tree to determine if a transitive dep is needed for a prod dependency or not Indeed, I should have removed my answer, I wrote too quickly. | 21:30:48 |
| Jan Tojnar | I think I might have only used source in composition-c4 because I though that builtins.fetchGit does not require output hash but it does currently | 21:31:08 |
| tgerbet | In reply to @jtojnar:matrix.org
or we could just optimize the fetcher so that downloading dev dependencies is not pain For production env you do not want the dev deps. Some might do things that are fine in dev but sketchy for production if you have a mistake in your configuration. | 21:36:26 |
| tgerbet | The famous eval-stdin.php from PHPUnit comes to mind | 21:36:47 |
| tgerbet | * The famous eval-stdin.php from PHPUnit comes to my mind | 21:36:55 |
| Pol | yeah... true. | 21:37:42 |
