Check if `symfony.lock` is up to date

[cs278]

We run composer symfony:recipes:install in our CI pipeline to check that the symfony.lock file doesn't have any updates that are missing from the PR, usually these originate from dependabot, if the symfony.lock file has uncommitted changes after running flex we fail the build.

We've since discovered that the symfony:recipes:install command will exit with an error if you are not authenticated with any of your repositories, however by the time it exits symfony.lock has already been modified with the packages that are missing. If you run the command again it now passes even though the previous run failed, perhaps it should reverse the changes to symfony.lock?

Could a new command that just checks if the symfony.lock file is up to date and exits with an error if not, skipping the rest of the work that the symfony:recipes:install command does, be added for use in CI pipelines?

[nicolas-grekas]

Can you try composer recipes?

[cs278]

Can you try composer recipes?

Doesn't modify the symfony.lock, or tell you what's missing from the file.

[maxhelias]

You can use the -o flag to display only the out-of-date recipes with a code exit 1

[cs278]

Perhaps a worked example would help explain things.

Environment set up

cd $(mktemp -d)
git init .
echo /vendor > .gitignore
git add .gitignore
git commit -m init
composer require symfony/flex
$ git add . && git commit -m flex

I'm not talking about recipes directly, if you install a new package it gets added to the symfony.lock for example:

$ composer require psr/log
$ git diff symfony.lock
diff --git a/symfony.lock b/symfony.lock
index d67ef32..a45ba9c 100644
--- a/symfony.lock
+++ b/symfony.lock
@@ -1,4 +1,7 @@
 {
+    "psr/log": {
+        "version": "1.1.4"
+    },
     "symfony/flex": {
         "version": "1.17",
         "recipe": {
$ git reset --hard

However if you install a no package without the flex plugin loaded (e.g. dependabot):

$ composer require --no-plugins psr/log
$ git diff symfony.lock
# Nothing

It's not an out of date recipes so the following doesn't help:

$ composer recipes -o
name             : symfony/flex
version          : 1.17
status           : up to date
installed recipe : https://github.com/symfony/recipes/tree/master/symfony/flex/1.17
files            : 

└──.env
$ git diff
# Nothing

Now run symfony:recipes:install and the symfony.lock file gets modified:

$ composer symfony:recipes:install
$ git diff symfony.lock
diff --git a/symfony.lock b/symfony.lock
index d67ef32..a45ba9c 100644
--- a/symfony.lock
+++ b/symfony.lock
@@ -1,4 +1,7 @@
 {
+    "psr/log": {
+        "version": "1.1.4"
+    },
     "symfony/flex": {
         "version": "1.17",
         "recipe": {

What would be ideal is having a command (or option) that either does that modification without talking to remote package repositories or one that simply checks if the symfony.lock file is in sync.

[nicolas-grekas]

composer update php could be the solution, at least once #869 is merged.
Feel free to submit a PR if not.