
Our PHP application has a Packagist dependency aaa/foo defined in our composer.json file.

This package has a dependency of a deleted Packagist package, let’s call it: bbb/bar.

This is breaking our composer install.

I have a copy of the deleted package (bbb/bar) from an old install. What is the easiest way to resolve this given aaa/foo has not been updated?

I’m hoping there’s a way I can copy the source of the missing package to a directory in a lib directory of the codebase and map it in composer.json… but I don’t think aaa/foo would recognize that override.

3 Answers


  1. If you have the deleted bbb/bar package, place it in a local folder.

    In the composer.json file of the downloaded and locally placed bbb/bar package, set the required version number:

    {
        "name": "bbb/bar",
        "description": "...",
        "type": "library",
        "version": "1.2.3"
    }
    

    Then, in the project where you are using aaa/foo, reference your local package so that it can be installed as a "dependency":

    {
        "repositories": [
            {
                "type": "path",
                "url": "./lib/bbb-bar"
            }
        ],
        "require": {
            "aaa/foo": "^1.0",
            "bbb/bar": "1.2.3"
        }
    }
    
  2. I would try the following:

    • put the code from bbb/bar into any local lib folder in your application
    • add the proper autoloader to your application’s composer.json such that the code from the package is found when it needs to be imported
    • add bbb/bar to the replace section of your composer.json

    It might be necessary to call composer update bbb/bar once such that the package is removed from the lock file.

  3. The manual for composer.json has a description of the "replace" section:

    Map of packages that are replaced by this package. This allows you to fork a package, publish it under a different name with its own version numbers, while packages requiring the original package continue to work with your fork because it replaces the original package.

    You can use this to replace a third-party package in two different ways:

    1. You can create a fork of the package, with a new name, and list it as "replacing" the original. e.g. if the original was acme/frobulator, you might create coder1/frobulator and list "replace": {"acme/frobulator": "self.version"}.
      • You can either make your fork public on https://packagist.org as a service to other users who have the same problem, or use a private repository in your main application’s composer.json.
      • Either way, you would then list "coder1/frobulator" in your normal "require" section, and Composer would know it meets the requirements of other packages which ask for "acme/frobulator" at the same version
    2. If you’re just using it in this one application, you could copy the code to somewhere in your own repository, and
      • mark the application itself as the replacement for a specific version, e.g. "replace": {"acme/frobulator": "1.42.0"}
      • tell composer where to autoload it, e.g. "psr-4": {"Acme\\Frobulator\\": "third-party/acme/frobulator/src"}

    Important Note: You should make an effort to check that you have the legal ability to use or host the missing package. It’s possible that the licence it was distributed under limits how you can use or distribute your fork.

    It’s also possible that it was removed because it was in breach of somebody else’s copyright or other rights; if so, the licence it was distributed under is invalid (put crudely: if they stole it, it was never up to them whether you could use it).

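An added example, not part of any answer above and not Composer's own code: a Python check that reads composer.json and composer.lock and reports whether a package such as bbb/bar is satisfied by the root "replace" section, by a local path repository, or by a remote download. The function names, the sample data and the example.invalid URLs are constructed for illustration.

```python
import json
from pathlib import Path

def resolve_origin(root: dict, lock: dict, name: str) -> str:
    """Report where Composer takes package `name` from."""
    # Answers 2 and 3 (option 2): the application itself replaces the package.
    if name in root.get("replace", {}):
        return "replaced-by-root"
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        # Either the package itself, or a fork that lists it under "replace"
        # (answer 3, option 1).
        if pkg.get("name") != name and name not in pkg.get("replace", {}):
            continue
        dist = pkg.get("dist", {})
        if dist.get("type") == "path":  # answer 1: local path repository
            return "path:" + dist.get("url", "")
        url = dist.get("url") or pkg.get("source", {}).get("url", "unknown")
        return "remote:" + url
    return "missing"

def check_project(project_dir: str, name: str) -> str:
    """Load composer.json and composer.lock from a project and run the check."""
    base = Path(project_dir)
    root = json.loads((base / "composer.json").read_text())
    lock = json.loads((base / "composer.lock").read_text())
    return resolve_origin(root, lock, name)

# Constructed sample data modelled on the answers above.
ROOT_PATH_REPO = {"require": {"aaa/foo": "^1.0", "bbb/bar": "1.2.3"}}
LOCK_PATH_REPO = {"packages": [
    {"name": "aaa/foo", "version": "1.0.0",
     "dist": {"type": "zip", "url": "https://example.invalid/aaa-foo.zip"}},
    {"name": "bbb/bar", "version": "1.2.3",
     "dist": {"type": "path", "url": "./lib/bbb-bar"}},
]}
ROOT_REPLACE = {"require": {"aaa/foo": "^1.0"}, "replace": {"bbb/bar": "1.2.3"}}
LOCK_FORK = {"packages": [
    {"name": "coder1/frobulator", "version": "1.42.0",
     "replace": {"acme/frobulator": "self.version"},
     "dist": {"type": "zip", "url": "https://example.invalid/coder1.zip"}},
]}

if __name__ == "__main__":
    print(resolve_origin(ROOT_PATH_REPO, LOCK_PATH_REPO, "bbb/bar"))
    print(resolve_origin(ROOT_REPLACE, {"packages": []}, "bbb/bar"))
    print(resolve_origin({}, LOCK_FORK, "acme/frobulator"))
```

A "remote:" or "missing" result for the deleted package means the install is not using the local copy.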