
@mairo744 mairo744 commented Oct 9, 2025

| Q             | A   |
|---------------|-----|
| Documentation | no  |
| Bugfix        | no  |
| BC Break      | no  |
| New Feature   | no  |
| RFC           | no  |
| QA            | yes |

Description

This PR introduces shipmonk/composer-dependency-analyser to improve dependency management.

  • To detect dead/misplaced/shadow dependencies
  • To enforce stricter dependency hygiene in CI, preventing similar issues in the future.

@mairo744 mairo744 force-pushed the refactor/dep-analysis branch from 6b5c4e9 to 08c5b98 Compare October 9, 2025 19:40
@mairo744 mairo744 requested a review from gsteel October 11, 2025 14:31
@mairo744 mairo744 requested a review from Xerkus October 12, 2025 19:51
@Xerkus Xerkus added the Won't Fix This will not be worked on label Oct 12, 2025
@Xerkus
Member

Xerkus commented Oct 12, 2025

I am going to decline this PR. This QA tool was not approved by TSC vote.

The one approved was maglnet/composer-require-checker. It is run in our CI container via matrix action job.

@mairo744
Author

Thanks for your time and feedback.
I wasn’t able to find a documented TSC vote or official record explicitly approving maglnet/composer-require-checker over other tools. Are the results of such votes public? Is there a place where approved tools for Laminas are listed?

Would it be possible for me to propose shipmonk/composer-dependency-analyser for a TSC vote? It can also detect dead and misplaced dependencies, which could add extra value.

@Xerkus
Member

Xerkus commented Oct 13, 2025

Hm. I was pretty confident we had QA tools on our agenda but minutes have no mention of it. We might have resorted to a discussion without a topic on the agenda or vote.

composer-require-checker was introduced here but we did not adopt it widely since it causes quite a bit of grief with dependencies.
laminas/laminas-ci-matrix-action#50

Consistency with the tooling usage is very important because it is guaranteed we will have issues, and having to deal with different sets of issues in different repositories strains the limited maintenance capacity. For example, some repos use prophecy and some others use mockery, and it noticeably hampers the ability to upgrade dependencies there right now as the push for php 8.5 happens.

Proper flow for QA tooling is to prepare an example for the tool setup and usage. Propose it at a TSC meeting. After discussion, once we get the TSC decision, it needs to be consistently rolled out across both organizations.

You would need to put this on the agenda for the next TSC meeting https://github.com/laminas/technical-steering-committee/blob/main/meetings/agenda.md

We should postpone this and also consider adopting a separate install method for tools that does not put them in require or require-dev.
@gsteel tried out alternate setup in the component he maintains and it seems to be working so far.

@mairo744
Author

Thanks for the clarification and additional context. I understand the process now.
I think this PR can be closed for now and we can revisit the idea later with a proper proposal — or alternatively, just detecting only shadow dependencies via maglnet/composer-require-checker.

@mairo744 mairo744 closed this Oct 14, 2025