| Age | Commit message (Collapse) | Author |
|---|
|
Replace the dist-hash tree-diff implementation with Composer's VCS-level
status flow: three buckets (errors / unpushed_changes / vcs_version_changes)
populated via ChangeReportInterface / DvcsDownloaderInterface /
VcsCapableDownloaderInterface, and a bitfield exit code (1|2|4) instead
of always 1.
Supporting work:
- mozart-semver: add normalize_branch (VersionParser::normalizeBranch).
- mozart-vcs: extend VcsDownloader trait with unpushed_changes /
vcs_reference; port GitDownloader::getUnpushedChanges (HEAD-ref
discovery + git diff --name-status remote...branch + two-pass fetch);
fix git status invocation to use --untracked-files=no (Composer parity);
add hasMetadataRepository preconditions to git/hg/svn local_changes;
port VersionGuesser (git/hg/svn dispatch — Fossil omitted, feature
branch detection runs sequentially instead of via async promises).
- mozart-core: extend LocalPackage with pretty_version, package_type,
installation_source, source, dist, extra; add InstallationSource and
PackageReference. factory.rs reads them from installed.json.
- mozart-registry: new download_manager mirroring
DownloadManager::getDownloaderForPackage.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Mirror Composer's two-pass pipeline: load default-branch metadata from
remote repos first, then fall back to installed.json funding only for
packages whose default branch had nothing. Also fix the prev-line
dedup (was reset inside the inner loop), emit OSC 8 hyperlinks for
URLs, route format errors through console.error + bail_silent with
Composer's wording, and emit `[]` for empty JSON output to match
PHP's json_encode of an empty array. Drop the lockfile-preferred
heuristic — Composer reads only installed.json via the local
repository.
|
|
Replace the HTTP-only post-filtered implementation with a Repository::search
trait dispatch that mirrors ComposerRepository::search semantics for all
three modes (FULLTEXT/NAME/VENDOR). --only-name now does an OR-of-tokens
regex match against the full Packagist list.json index instead of a
substring match against a fulltext page, so e.g. \`mozart search --only-name
mono log\` matches \`monolog/monolog\` like Composer does. Other parity
fixes: regex::escape on non-fulltext queries, format check before mutex
check, 4-space JSON indent, OSC 8 terminal hyperlink emission when a
result has a url, <warning>\! Abandoned \!</warning> styling on abandoned
rows, and the Mozart-only "No packages found" warning is dropped to match
Composer's silent empty-result behavior.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Replace the hand-rolled composer.json -> composer.lock -> Packagist
fallback with a BrowseRepos composite that dispatches via a uniform
find_packages(name) over the root package, the local installed
repository, and the Packagist remote -- matching HomeCommand's
initializeRepos() + findPackages() loop.
- Extend InstalledPackageEntry with homepage/support so the local repo
carries the same fields HomeCommand reads off
CompletePackageInterface; propagate them through
locked_to_installed_entry.
- Collapse three extract_url_from_* helpers into a single
handle_package mirror.
- Relax is_valid_url to a filter_var(FILTER_VALIDATE_URL) analog (drop
the http/https scheme allowlist).
- Route warnings and "No package specified" notices to stderr; match
HomeCommand's exact wording.
- Merge the macOS/Linux open_browser branches; add the literal "web"
window-title argument on Windows.
|
|
Move source acquisition (root or remote dist download/extract),
composer.json archive metadata reading, filename generation, self-
exclusion, filter aggregation, and archive creation from the archive
command into a new ArchiveManager in mozart-archiver, mirroring
Composer's ArchiveCommand <-> ArchiveManager split. The command becomes
a thin wrapper that selects the package and delegates archiving.
Adds a one-way mozart-archiver -> mozart-registry dep since
ArchiveManager::archive() handles dist downloading internally (the
analog of Composer's injected DownloadManager).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
archive and diagnose were not honoring $COMPOSER_HOME/config.json
because they bypassed Factory::createConfig() — archive used literal
"tar"/"." defaults when no composer.json was present, and diagnose
reimplemented cache-dir resolution from environment variables.
Mirror Composer's tryComposer + Factory::createConfig() fallback so
global config (archive-format, archive-dir, cache-dir) applies in both
commands.
|
|
|
|
The StatusArgs struct redefined `verbose` as bool while Cli defines a
global `verbose: u8` with ArgAction::Count. clap's runtime type check
panicked on access. Drop the local field and rely on cli.verbose, which
matches Composer's StatusCommand treating -v|-vv|-vvv as a single flag.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Add the Composer state-container types (LocalRepository,
RepositoryManager, InstallationManager, AutoloadGenerator,
AutoloadDumpOptions, PlatformRequirementFilter, Locker) plus the
factory wiring that builds them from composer.json and
vendor/composer/installed.json.
AutoloadGenerator::dump lives in mozart-autoload as an extension
trait so the orchestrating algorithm sits next to the classmap
scanner while the state container stays in mozart-core. Rework
dump-autoload to drive both, mirroring
$composer->getAutoloadGenerator()->dump(...).
|
|
Composer's ClearCacheCommand uses $io->writeError() for the per-cache
status lines and the final summary; Mozart was writing them to stdout
via console.info(). Switch to console_writeln_error\! so the output
stream matches Composer.
|
|
console_format!
The six tag-style color functions (info, comment, error, question,
highlight, warning) are pub only so that console_format! can call them
from generated code; they are not part of the public API. Rename them
to __format_*_message to make that intent visible, add a doc-comment
saying not to call them directly, and replace every remaining direct
call site with console_format!.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
|
|
|
--no-cache redirects COMPOSER_CACHE_DIR to /dev/null (mirrors Application::doRun).
cache_files_maxsize is now u64 with a "300MiB"-style string deserializer.
Cache::new() takes readonly instead of enabled; is_usable() detects null devices.
|
|
Adds crates/mozart-core/src/factory.rs with get_cache_dir(),
get_data_dir(), and create_config() — a Rust port of
Composer\Factory::createConfig() (auth loading and htaccess creation
are out of scope for now).
Also fixes a correctness bug on Linux: the previous Config::default()
resolved cache-dir to $XDG_CONFIG_HOME/composer/cache via the
{$home}/cache placeholder, whereas Composer uses the XDG cache base
($XDG_CACHE_HOME or ~/.cache), giving ~/.cache/composer.
Callers updated:
- Composer::load() uses create_config() as the global baseline before
merging project-level config.
- config command execute_read() builds the global baseline with
create_config() and overlays local config on top when not --global,
matching Composer's actual layering order.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
|
Config uses serde with kebab-case field mapping; known properties are
strongly-typed fields and unknown keys flow into an extra BTreeMap.
resolve_references is moved to the new config module.
|
|
|
|
Mirror Composer's DumpAutoloadCommand by scanning the local repository
for packages whose install path is absent on disk, emitting the same
"Not all dependencies are installed" warning, and returning exit code 1
when any are missing. Also reorders the surrounding flow to follow
Composer's command sequence.
|
|
|
|
Introduce mozart_core::composer::Composer with require()/try_load()
constructors and a config() accessor, modelled on PHP Composer's
BaseCommand::requireComposer / tryComposer. ComposerConfig and
composer_home move into mozart-core so Composer::load can resolve
placeholders consistently.
Migrate dump-autoload, archive, exec and run-script away from ad-hoc
composer.json reads. exec and run-script now fail when composer.json
is missing instead of silently falling back to "vendor/bin",
matching the upstream requireComposer contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
|
|
Previously each VCS mirror was keyed by sha1(url), which made
cache directories opaque and incompatible with Composer's layout.
Composer's GitDriver and GitDownloader both use the form
Preg::replace('{[^a-z0-9.]}i', '-', Url::sanitize(\$url)), so a
Mozart user migrating from Composer (or vice versa) could not
share an existing cache.
Reimplement GitUtil::sanitize_url to follow that pattern: redact
credentials and access tokens (Url::sanitize semantics, including
the GitHub token regex), then replace every byte outside [a-zA-Z0-9.]
with '-'. The credential redaction also collapses URLs that differ
only in their access_token to the same key.
|
|
DriverConfig used to expose a generic cache_dir hardcoded to a
relative ".cache/mozart/vcs", with each driver appending its own
"git"/"hg" subdir. As a result, the cache-vcs-dir setting (and
COMPOSER_CACHE_VCS_DIR env var) had no effect on where mirrors
were actually stored.
Replace cache_dir with cache_vcs_dir, resolving its default the
same way Composer does (COMPOSER_CACHE_VCS_DIR → COMPOSER_CACHE_DIR/vcs
→ XDG/HOME fallbacks), and have GitDriver/HgDriver use it directly.
This brings the Mozart cache layout in line with Composer's: a single
shared vcs root with one subdirectory per sanitized URL.
|
|
Composer's clear-cache deletes cache-vcs-dir alongside repo/files
caches, and GCs it via gcVcsCache (TTL-based, top-level subdir
deletion, no size cap). Mozart was silently leaving VCS mirrors
on disk forever — every clear-cache run grew the cache monotonically.
Add cache_vcs_dir to CacheConfig (default {cache-dir}/vcs, env
override COMPOSER_CACHE_VCS_DIR), wire it into clear-cache, and
add Cache::gc_vcs mirroring Composer's gcVcsCache semantics.
|
|
Mirror composer's BaseDependencyCommand::doExecute by collapsing the
duplicated working-dir/load/lookup/print pipeline in depends.rs and
prohibits.rs into a single dependency::do_execute helper driven by an
`inverted` flag. The clap arg structs stay in their per-command modules
and just forward to the shared entry point.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
|
|
Composer anchors its license expression regex with `^...$`, but Mozart's
parser tokenizer silently skipped edge whitespace, accepting inputs like
" MIT" or "MIT\t". Mirror Composer by rejecting edge whitespace before
parsing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
|
|
Mirror Composer's Command\ShowCommand::printLicenses(): emit one line
per license identifier, expanded to "<full name> (<id>) [(OSI
approved)] <url>" when the id is in the SPDX database, or just the id
otherwise. The URL is built by mozart-spdx-licenses' new
LicenseInfo::url() so the construction lives in the SPDX crate, like
Composer's SpdxLicenses::getLicenseByIdentifier().
|
|
Mirror Composer's Package\Loader\ValidatingArrayLoader::load() license
block: warn on non-string/wrong-shape values, validate the SPDX
expression with proprietary→MIT substitution, and surface "extra
spaces" diagnostics. Validity is gated on the manifest's `time` field
(checked only for releases without a date or within the last 8 days),
mirroring Composer's strtotime('-8days') window.
|
|
Mirror Composer's Util\ConfigValidator::validate() license handling:
treat empty string and empty array as missing, accept array form, and
emit deprecation warnings (with GPL-specific -only/-or-later
suggestions) for identifiers flagged deprecated in the SPDX database.
|
|
Composer's config.cafile/config.capath were accepted by the config
command but ignored by every HTTP request. Centralize reqwest client
construction in mozart_core::http, pre-load the configured CA bundle
at startup, and route every callsite (registry, vcs drivers, diagnose,
self-update) through the shared builder so user-supplied roots are
actually used during HTTPS verification.
|
|
|
|
Port the 31 .test fixtures under
composer/tests/Composer/Test/DependencyResolver/Fixtures/poolbuilder/
as #[ignore]'d cases in mozart-registry/tests/poolbuilder.rs. Each
fixture is parsed eagerly so format-level regressions surface
immediately, while the runner itself is unimplemented\!() — removing
#[ignore] from a case will force the missing pool-build entry point
into existence rather than silently mis-run. Generalize
mozart-test-harness's split_sections to take a per-format valid-section
list and add a poolbuilder parser alongside the installer one.
|
|
ArrayDumper emits `default-branch: true` into the lock for any package
that came from a default branch, and ArrayLoader reads it back to
synthesize the `9999999-dev` alias inside Locker::getLockedRepository.
Mozart was dropping the flag in two places: packagist_version_to_locked_package
ignored pv.default_branch when building the lock entry, and
locked_package_to_packagist_version hardcoded default_branch=false when
re-hydrating a lock-pinned package's metadata for partial updates. The
result was that a non-allow-listed default-branch dev package (e.g. f/f
in update-changes-url) ended up in the new lock without the marker, so
collect_stale_installed_aliases thought its `9999999-dev` alias had
been retired and emitted a spurious MarkAliasUninstalled trace.
|
|
Composer's Locker::getLockedRepository runs each locked package through
ArrayLoader::load, which materializes any extra.branch-alias as a
separate AliasPackage in the locked repository. Mozart was only adding
the base locked package to the pool, so a `dev-master` locked entry
with branch alias `2.2.x-dev` was invisible to numeric root constraints
like `~2.1` on a partial update — the resolver bailed with "no matching
package found" even though Composer accepts the same lock. Surface
each branch-alias as a sibling pool entry pointing at the base via
is_alias_of.
|
|
Composer's VersionParser::normalize maps `master`/`trunk`/`default`
(with or without `dev-` prefix) to `dev-NAME`, not `9999999-dev`. Mozart
was emitting the four-segment 9999999 form for these atoms in
normalize_root_alias_atom, so a root require like `dev-master as 1.1.0`
recorded its target as `9999999.9999999.9999999.9999999-dev` and never
matched the pool's `dev-master` entry — the alias was silently dropped
and transitive `^1.1` requires couldn't see the materialized 1.1.0 alias.
|
|
Partial update of a non-allow-listed dev package now resolves and emits
the locked-repo entry verbatim, mirroring Composer's `PoolBuilder`.
Three coordinated changes:
- resolver: `lock_filter_allows` accepts the locked package's branch-
alias normalized versions, not just the base. Without this, root
constraints like `~2.1` against a `dev-master` locked package whose
branch alias is `2.1.x-dev` failed with "no matching package found".
- lockfile: new `lock_pinned_names` field on `LockFileGenerationRequest`
routes non-allow-listed packages through `previous_lock_lookup`
before `inline_lookup`, so the lock's source/dist references survive
even when the inline metadata has moved to a newer commit.
- update: `apply_partial_update` skips alias entries — re-pinning their
pretty `version` to the base would collapse the alias label and
emit a self-referential entry in the new lock's `aliases[]` block.
Unblocks partial_update_forces_dev_reference_from_lock_for_non_updated_packages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Three Composer-compat bugs surfaced by the github_issues_9290 fixture,
fixed together since they form one resolution path:
- RawPackageData.repositories now accepts a JSON object keyed by name,
matching RepositoryFactory::createRepos which iterates either int-
or string-keyed arrays via PHP foreach.
- Version::parse fills every unspecified position of a `.x-dev` branch
with 9999999, mirroring VersionParser::normalizeBranch. Previously
`2.x-dev` parsed to 2.0.9999999.9999999-dev and failed to satisfy
^2.8.
- is_platform_package limits the `php-` family to the closed set
{64bit,ipv6,zts,debug} per PLATFORM_PACKAGE_REGEX. Vendor packages
like `php-http/client-common` are no longer misclassified.
Unblocks github_issues_7051, _8903, _9012, _9290.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Mirror Composer's `AliasPackage::replaceSelfVersionDependencies`: a base
package's `replace` / `provide` / `conflict` link whose constraint
matches the base's own version (the resolved form of `self.version`) is
duplicated on the alias at the alias's version. A root require like
`a/aliased: dev-next as 4.1.0-RC2` paired with `replace: { foo:
self.version }` previously left the alias with a `dev-next` constraint,
so a transitive `foo ^4.0` requirement saw no numeric provider and the
solver bailed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Drop the content-hash-only short-circuit for `--lock` and route the
flag through the same updateMirrors flow Composer uses
(`UpdateCommand::execute` line 219). Locked packages are pinned at
their lock versions, but the resolver still runs and the installer
still emits the operation trace — including MarkAliasInstalled lines
for aliases the lock declares but installed.json hasn't recorded yet.
Three follow-on fixes the new flow needs:
- Re-attach `<lock-version> as <alias>` from `lock.aliases` when
building the mirrors-mode require list, so the resolver's alias
extractor materializes the alias entry. The bare `<version>` form
is required because `==<version>` fails Composer's normalize.
- Don't `continue` past Action::Skip in the install loop. Composer's
Transaction::calculateOperations emits MarkAliasInstalled even when
the target package is already at the right version, as long as the
alias is missing from installed.json.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
A path repo locked with `transport-options.symlink: false` is in
copy-mode and Composer's PoolBuilder keeps that entry pinned at its
lock version on a partial update. The previous unconditional skip
treated every path-repo dist as "always reload from disk", which
caused non-allow-listed copy-mode packages to drift.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Mirror Composer's RootPackageLoader::extractAliases regex so root
requires like `1.*||dev-feature-foo as 1.0.2||^2` and
`dev-feature-foo, dev-feature-foo as 1.0.2` get every `<X> as <Y>`
clause stripped in place and recorded as a separate root alias entry.
The previous single-atom strip left the alias inline, where the parser
then took the RIGHT side per atom and never matched the actual
dev-branch package.
Also fix split_and so a comma-separated AND group like
`dev-foo, dev-bar` splits into two atoms. The space-only operator-glue
heuristic was collapsing it into a single atom because neither half
starts with an operator or digit. Splitting on commas first preserves
the unambiguous separator while keeping `>= 1.0.0` glued within each
comma-part.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Mirror Composer's PoolBuilder::markPackageNameForLoading: when the root
requires a name with a version constraint, loads of that name (seed and
transitive) are filtered down to candidates whose own version (or any
emitted branch-alias version) satisfies the constraint. Without this,
the actual package at a non-matching version slips into the pool
alongside a provider satisfying the root require, masking what should
be a conflict (provider-gets-picked-together-with-other-version-of-
provided-conflict.test).
Also restore the Composer v1 compat path in inline_package: when the
JSON sets version_normalized to the legacy 9999999-dev sentinel,
re-normalize from the human-readable version field so a root require
for `dev-master` matches the loaded package.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Adds a `mozart-php-serialize` crate (a byte-compatible port of PHP's
`serialize()`) and a `mozart-registry::path_repository` module that
expands `type: path` entries into synthetic `type: package`
repositories. Each synthesized package carries the same SHA-1 dist
reference Composer computes (`sha1(\$json . serialize(\$options))`)
so the lockfile and trace lines match Composer byte-for-byte.
Two latent bugs surfaced once the path-repo flow exercised real
resolutions:
- `apply_partial_update` swapped path-repo packages back to their
locked version, defeating Composer's "path repos always reload"
rule (`PoolBuilder` treats them as canonical, not lock-bound).
Mirror the path-repo skip already used when constructing
`locked_packages`.
- `normalize_root_alias_atom` returned the raw input string for
stable numeric atoms (e.g. `1.1.1`), so the alias matcher's
`input.version \!= alias.version_normalized` check — comparing
against pool inputs that carry the 4-segment normalized form —
silently never matched. Run the parsed Version through Display so
both sides are in the same shape.
`install/update::run` gain a `path_repo_base_override: Option<&Path>`
parameter for the in-process test harness: Composer's PHPUnit
`InstallerTest::setUp` does `chdir(__DIR__)` so relative path-repo
URLs resolve against `composer/tests/Composer/Test/`, but the Rust
harness writes `composer.json` into a per-test tempdir and can't
chdir safely under parallel tests. Production callers pass `None`
and resolve against `working_dir`.
Greens 3 ignored installer fixtures:
partial_update_loads_root_aliases_for_path_repos
alias_in_lock
alias_in_lock2
|
|
Three related parity gaps surfaced by the `update-allow-list-patterns`
fixture:
1. `mozart-semver`'s wildcard parser turned `*.*` into `>=0 <1` (a
single-major range) because stripping the trailing `.*` left `*`
in the major slot, which `parse()` quietly read as `0`. Composer
reduces such patterns to a plain `*` (unconstrained) — match
that and short-circuit when the stripped base is `*`.
2. `expand_wildcards` passed any non-wildcard specifier straight
through, so a typo like `notexact/Test` (lock has
`notexact/testpackage`) entered the resolver as a real package
name and failed lookup. Mirror Composer's regex-based
`isUpdateAllowed`/`warnAboutNonMatchingUpdateAllowList`: every
specifier — wildcard or not — is matched against locked names
*and* current root-require names, with `*` expanded to `.*`,
and unmatched specs are warned and dropped instead of forwarded.
3. The lockfile generator's metadata loop hit the empty test repo
set when a partial update kept a non-allow-listed package at its
locked version that the inline repo no longer advertised, and
bailed with "Could not find version". Add a `previous_lock`
fallback that synthesizes a `PackagistVersion` straight off the
`LockedPackage` so the lock entry's own metadata stays
authoritative for packages that aren't moving.
|
|
Mozart silently ignored the `security-advisories` block on inline
`type: package` repositories and the `config.audit.block-insecure`
audit flag, so a `composer update` succeeded with packages a Composer
run would have refused to load. Mirror Composer's
`SecurityAdvisoryPoolFilter` for the slice that feeds the pool:
- Plumb a `security-advisories` field through `RawRepository` and a
`block_insecure` flag through `ResolveRequest`, lifted off
`composer.json`'s `config.audit.block-insecure`.
- Collect every advisory's `affectedVersions` constraint at resolve
time. When `block_insecure` is set and an inline package's
normalized version satisfies the constraint, drop it from the pool
before solving — root requires with no unaffected candidate then
fail with the standard "could not be resolved" error.
|
|
`update lock`, `update nothing`, and `update mirrors` were treated as
ordinary full updates: the resolver picked the highest matching
version of every root require and the install step rewrote refs from
the repository, masquerading transport metadata refreshes as content
changes (and accepting brand-new root requires the lock had never
seen). Mirror Composer's `setUpdateMirrors(true)` flow:
- Detect the bare-keyword form and skip composer.json's require /
require-dev entirely; require each locked package by exact version
instead. This drops fresh root requires Mozart shouldn't yet honor
and pins existing ones to their lock version.
- After lockfile generation, walk each new entry and copy the OLD
lock's source/dist reference back when the source/dist *type*
matches, mirroring `LockTransaction::updateMirrorAndUrls`. URL and
mirrors update; ref stays put — so a repo rename or mirror flip
emits no Update operation, but a real type change (`hg` → `git`)
still does.
|
|
Mozart's install verification didn't surface the slice of Composer's
SAT-verify failure where a locked package's `require` targets the
current root by name but the root's `version` no longer satisfies the
declared constraint (e.g. lock has `b/requirer` requiring `root/pkg
^1`, root composer.json now ships `2.x-dev`). The install ran
package operations against a lock that Composer would have rejected
with exit-code 2. Add a targeted check that walks each locked
package's requires, looks for ones aimed at the root's name, and
fails with the same "found root/pkg[X.x-dev] but it does not match
the constraint" pointer Composer prints from `Problem::getPrettyString`.
|
|
Two related parity gaps surfaced by the `alias-with-reference` fixture:
1. A root require like `dev-main#abcd as 1.0.0` left the SAT-side
constraint as `dev-main#abcd`, which no candidate matched, so
resolution failed before the alias could be materialized. Mirror
Composer's `extractAliases` regex (which captures only the
constraint up to `#`) and `RootPackageLoader::extractReferences`
(which records the hash separately): drop the trailing `#hex` from
the resolver-side constraint and from the alias's left-hand side.
Lockfile generation already pulls the reference back out of the
raw require map for the post-resolve override.
2. `MarkAliasInstalled`'s trace line gated the reference suffix on
the *target* package's stability, so a stable alias like `1.0.0`
pointing at a dev-branch target rendered as `1.0.0 abcd`. Mirror
`AliasPackage::getFullPrettyVersion`: the alias decides on its own
whether to append the suffix based on its own normalized version,
so a stable alias skips the suffix even when the target is dev.
|
|
A partial update reuses every non-allow-listed locked package as a
fixed pool entry, ignoring stability filters. So when a user tightens
`minimum-stability` (or drops a `stability-flags` entry the lock used
to ride on), Mozart silently kept the rejected version and produced a
plan Composer would have failed on. Mirror Composer's
`Pool::isUnacceptableFixedOrLockedPackage` path: walk the locked
packages before pool construction, surface every entry whose version
no longer passes `passes_stability_filter`, and bail with the same
"fixed to <v> (lock file version) ... rejected by your
minimum-stability" pointer Composer prints from
`Problem::getPrettyString`.
|
