
Installer composer.json files shouldn't have very strict constraints #137

Open
jonom opened this issue Apr 7, 2019 · 5 comments


jonom commented Apr 7, 2019

I feel like I must have missed something obvious here, so please delete if I did. But if I do composer create-project silverstripe/installer ./mySite.localhost ^4 I get a composer file with a line like:

```json
    "require": {
       ...
        "silverstripe/recipe-cms": "4.3.3@stable",
       ...
    },
```

Which seems to lock my installation to SilverStripe 4.3.3 and prevent me from getting patches when I do composer update.

Discovered this because I had a project with "silverstripe/recipe-cms": "4.3.2@stable" today. I had to change it to "silverstripe/recipe-cms": "^4.3" to get composer update to bring me to v4.3.3.

If I'm not mistaken this seems like a major issue as developers will not get security patches for the core SS modules unless they edit their composer.json file.
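To make the difference between the two constraints concrete, here is a small Python model of Composer's exact, caret (`^`) and tilde (`~`) constraint semantics, run over a constructed composer.json in the shape shown above and a constructed list of released tags. This is an added example, not code from the issue or from the SilverStripe project, and the second package name and the version list are assumptions for illustration. It shows why `4.3.3@stable` never admits 4.3.4 (the `@stable` suffix only sets the package's minimum stability, not its range) while `^4.3` admits every 4.x release from 4.3.0 up:

```python
import json

# Constructed composer.json fragment in the shape the issue describes (not the real installer file).
COMPOSER_JSON = """{
  "require": {
    "silverstripe/recipe-cms": "4.3.3@stable",
    "silverstripe/recipe-authoring-tools": "^4.3"
  }
}"""

# Constructed list of tags standing in for the package index; versions are illustrative only.
RELEASED = {
    "silverstripe/recipe-cms": ["4.3.2", "4.3.3", "4.3.4", "4.4.0"],
    "silverstripe/recipe-authoring-tools": ["4.3.2", "4.3.3", "4.3.4", "4.4.0"],
}


def parse_version(text):
    """'v4.3.3' -> (4, 3, 3). Only plain dotted numeric versions are modelled."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def strip_stability(constraint):
    """Drop a trailing '@stable' / '@dev' flag: it changes minimum-stability, not the range."""
    return constraint.split("@", 1)[0].strip()


def admits(constraint, version):
    """True if `version` satisfies `constraint` (exact, ^ or ~ forms only)."""
    spec = strip_stability(constraint)
    ver = parse_version(version) + (0,) * (3 - len(parse_version(version)))

    if spec.startswith("^"):
        # Caret: >= base and < the next release of the leftmost non-zero component.
        base = parse_version(spec[1:])
        lower = base + (0,) * (3 - len(base))
        if lower[0] > 0:
            upper = (lower[0] + 1, 0, 0)
        elif lower[1] > 0:
            upper = (0, lower[1] + 1, 0)
        else:
            upper = (0, 0, lower[2] + 1)
        return lower <= ver < upper

    if spec.startswith("~"):
        # Tilde: >= base and < the next release of the second-to-last specified component.
        base = parse_version(spec[1:])
        idx = max(len(base) - 2, 0)
        lower = base + (0,) * (3 - len(base))
        upper = base[:idx] + (base[idx] + 1,) + (0,) * (3 - idx - 1)
        return lower <= ver < upper

    # Anything else is treated as an exact pin, which is what the installer file contained.
    exact = parse_version(spec)
    return exact + (0,) * (3 - len(exact)) == ver


def audit(composer_json, released):
    """Per package: the newest version the constraint admits versus the newest available."""
    require = json.loads(composer_json)["require"]
    report = {}
    for pkg, constraint in require.items():
        available = sorted(released.get(pkg, []), key=parse_version)
        allowed = [v for v in available if admits(constraint, v)]
        report[pkg] = {
            "constraint": constraint,
            "best_allowed": allowed[-1] if allowed else None,
            "latest": available[-1] if available else None,
            # True when `composer update` would stop short of a newer release.
            "blocks_newer": bool(allowed) and allowed[-1] != available[-1],
        }
    return report


if __name__ == "__main__":
    for pkg, row in audit(COMPOSER_JSON, RELEASED).items():
        flag = "PINNED" if row["blocks_newer"] else "ok"
        print(f"{flag:6} {pkg}: {row['constraint']} -> {row['best_allowed']} (latest {row['latest']})")
```

Run against the constructed input, `recipe-cms` is reported as pinned at 4.3.3 with 4.4.0 available, and `recipe-authoring-tools` as able to reach 4.4.0. This is a deliberately small model: Composer's own resolver (the `composer/semver` library) also handles wildcards, hyphen ranges, `||` unions and `>=`/`<` comparisons, none of which are needed to see the point the issue makes.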

@ScopeyNZ ScopeyNZ transferred this issue from silverstripe/silverstripe-installer Apr 8, 2019

ScopeyNZ commented Apr 8, 2019

Hey, thanks for the report @jonom. I've moved the issue to our release tool that takes care of tagging these versions. Right now it works like this on purpose, but I think you make a valid point that installers should probably specify looser constraints.

@ScopeyNZ ScopeyNZ changed the title Composer create-project locks versions, prevents patches Installer composer.json files shouldn't have very strict constraints Apr 8, 2019
robbieaverill referenced this issue in silverstripe/recipe-authoring-tools Apr 15, 2019
@robbieaverill

The reason it's like this is so that you get exactly the version we know we've tested and released when you install SilverStripe. There are other reasons for this as well, including that these versions have often been security tested in the specific configuration. I think there's possibly some scope to make it looser in parts of the recipes, though.

cc @silverstripe/core-team


sminnee commented Jun 28, 2019

Yeah I think that the requirements of the recipe’s composer.json being strict make sense, but not the installer. I think that all of Robbie’s arguments apply to the recipe.


sminnee commented Jun 28, 2019

Flagging as a high impact bug as this discourages people from installing security fixes.

@maxime-rainville

I agree with making the installer constraint looser, so people can upgrade more easily.
