-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Joomla Version and dependencies for 5.0 #38209
Conversation
3ac1fc9
to
2bd85bf
Compare
@nikosdion since we support only 8.1 and the current webauthn lib (2.x) in't compatible can you have a look someone in the future to update this libraries then we can have a proper composer.lock again. thanks |
@HLeithner There is no other WebAuthn library for PHP. That's the only one which actually works, the work to produce one is way too much, therefore nobody else really tries to. Every few months, when a maintainer tries to update dependencies, this discussion keeps coming back. I had said ten years ago that Composer is NOT a good idea for mass–distributed software which needs to run in a far wider range of supported environments, especially PHP versions, than third party library developers are willing to support. I was told I was against progress or that I don't understand how PHP software development works — despite the fact that I was only saying that because it had been just a few months since I had tried using the official Amazon AWS SDK for PHP through Composer and ran into these problems myself. You keep bumping onto that unsolvable problem You have exactly three options:
You can't have your pie and eat it too. I've tried. It doesn't work. I ended up reinventing the wheel to avoid third party dependencies in my software but that only works for me because I use a tiny subset of features. If it's something more substantial and I absolutely need a third party dependency, like WebAuth, I go with the third option. If you have a fourth option I'd like to hear it. PS: Using Rector to “upgrade” the code to be compatible with a future PHP version falls under case number 2. Been there, done that, it gets exponentially harder. I am only doing this for ONE dependency (Horde IMAP) and only because nobody and nothing else supports XOAUTH2 for fetching and sending email with G Suite accounts. It sucks exactly as much as you think and even more. As I said, I've been there and done that — all of that — already. There is no magic solution I know of but if anyone has one I'd love to hear it! It'd save me a lot of pain. |
BTW, for automated tests and for building Joomla releases you already have the minimum version in composer.json as the platform environment. This means that the old WebAuthn library version we use (version 2, when they are now on 4...) will install. This is the recommended way to do this when you have a minimum supported PHP version which does not match your local build environment. If you are referring to that, it does not need changing and it's not a workaround, it's legitimately how it should be done and the reason Composer offers that config option. Despite what its |
I thought we can upgrade to 4.1.x https://github.com/web-auth/webauthn-framework and was hoping that you can do the "migration" not sure if it is one. I'm not interested to maintaining our own version of web-authn-framework if not needed. Sorry if I expressed my self wrong. |
@HLeithner Aaaah! Now I get you. I thought you were worried about the maximum supported PHP version of the current library version :D Sure, we can definitely upgrade to version 4 of the library. If I don't already have the if-blocks in the current code I definitely have them in my repositories (LoginGuard where the MFA feature was forked from and PasswordlessLogin where the WebAuthn plugin was forked from). It's just a matter of me having some spare time... ...which means not in the next month :( I have a backlog of deep refactoring to do on my software which was pushed behind due to the Joomla 4.0 release and the need to migrate everything and make sure it's all polished before doing any deep architectural work. I also need to work on the developer docs and the Rector rules to auto-refactor Joomla 3 components. I think that come October or November at the latest I can work on the WebAuthn migration for both login and MFA with an inclusion target of the first betas of Joomla 4.3 at the latest. Does that sound in line with what you had in mind? |
I just realised you are talking about 5.0. So I guess my plan is in line with what you have in mind, never mind me :D |
Yes I'm talking about Joomla 5 so you have enough time ;-) upgrading composer is a pain but I think that can be solved differently in the mean time for the ci. Thanks and just take your time. |
@HLeithner So, I was taking a look at this a couple of days ago. Are you okay with me doing a MEGA-PR which updates the dependencies, MFA and WebAuthn in one go? It's the only way I can reasonably think will result in something testable. Right now all libraries are out of date and |
@HLeithner Well, we have a problem.
Version 4 of the library requires However, the Joomla Framework's Therefore we cannot upgrade the dependencies unless EITHER I know what I would do, but it's ultimately not my call, it's yours. Tell me how to proceed. As things are right now I cannot update Joomla 5's dependencies to even make it installable… |
I created #39123 which solves the dependency issues and upgraded webauthn to latest version. |
This Pull Request update the Joomla Version and the minium PHP requirements.
Additionally all composer packages and npm package has been updated based on the semver rule we set.
We have to check all packages to be updated to the latest current version.
For example symfony 6.1 is our target version (at this time) we have to upgrade and validate compatibility.
Some applies for all other 3rd party packages.