Skip to content

Update packagist to API p2#662

Merged
elrayle merged 2 commits intomasterfrom
elr/packagist-p2
Dec 8, 2025
Merged

Update packagist to API p2#662
elrayle merged 2 commits intomasterfrom
elr/packagist-p2

Conversation

@elrayle
Copy link
Collaborator

@elrayle elrayle commented Dec 4, 2025

The composer API in use for importing from the package manager is deprecated as of Sept 1. It now returns a 403 for all requests.

This PR updates packagist calls to the p2 endpoint. The format of that endpoint has changed. The mock data is the result of the actual call to that endpoint.

curl "https://repo.packagist.org/p2/symfony/polyfill-mbstring.json"

Added a test to directly test that _getRegistryData processes data in the p2 format.

@elrayle elrayle force-pushed the elr/packagist-p2 branch 3 times, most recently from 5e12eb5 to 360209e Compare December 4, 2025 19:53
@elrayle elrayle marked this pull request as ready for review December 4, 2025 20:10
@elrayle
Copy link
Collaborator Author

elrayle commented Dec 4, 2025

Deployed to dev and ran a test with cd:/composer/packagist/symfony/clock/v6.4.24. I confirmed that it was processed and extracted the expected license.

qtomlinson
qtomlinson reviewed Dec 5, 2025
View reviewed changes
Copy link
Collaborator

@qtomlinson qtomlinson left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great catch, and thanks for your contribution! This will definitely improve Composer package harvesting.

Just a note: ClearlyDefined also tries to harvest source (e.g., GitHub) components during source discovery, using registry metadata. Composer v2 metadata (p2 API) is compressed—only the latest version has full metadata, while older versions are diffs and may miss key fields like homepage, dist, and source. These fields are used during source discovery in composerExtract.js.

To restore full metadata for any version, you can use logic similar to Composer\MetadataMinifier\MetadataMinifier::expand() (see "Getting the Package Data, Using the Composer v2 metadata" at https://packagist.org/apidoc). Alternatively, the package API provides complete metadata for all versions (see "Getting the Package Data, Using the API" at https://packagist.org/apidoc).

This pull request addresses most of the cases. Some cases that rely on the full registry data can be addressed in a separate pull request.

@elrayle
remove extra slash
9cea2b9 
A previous issue in the code: providerMap.packagist contains trailing /, so the template string results in `https://repo.packagist.org//p2/symfony/polyfill-mbstring.json`.  This removes the extra slash.
@elrayle
Copy link
Collaborator Author

elrayle commented Dec 8, 2025

Adding in the expand process is more involved and better to push off to another PR.

@elrayle elrayle merged commit 17a5eef into master Dec 8, 2025
2 checks passed
@elrayle elrayle deleted the elr/packagist-p2 branch December 8, 2025 18:53
@qtomlinson
Copy link
Collaborator

qtomlinson commented Dec 19, 2025

@elrayle In the integration test run, Failure Case 1 (expected to return the same definition as production for composer/packagist/symfony/polyfill-mbstring/v1.28.0) and Failure Case 3 (expected to return the same notice as production for the same package and version) are likely caused by changes in the registry data. In both cases, the discrepancies are related to the project website information retrieved from the registry. Expanding the registry data for older versions likely will resolve these issues.

@qtomlinson qtomlinson mentioned this pull request Feb 12, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qtomlinson qtomlinson qtomlinson approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elrayle @qtomlinson