Expire comment by composer dependency package version

[staabm]

closes #31

[staabm]

@nikophil wdyt? feedback welcome

[staabm]

@m29corey maybe you can run this against some real world projects to see possible perf impact?

[VincentLanglet]

Hi, this seems to be a great idea.

In some personal open source project, I encounter the situation where I have code to support both Symfony 6 and 7 (for example) ; with a composer constraint

"symfony/symfony": "^6 || ^7"

and with a comment in my code

TODO Remove this when dropping Symfony 6 support

And even if locally my composer.lock use SF 7, I would expect to not have the error until I remove ^6 from the composer.json.

Does this PR could satisfy this need ?

[nikophil]

wow this was fast 😅

actually my rule is looking pretty much not different from yours!

[nikophil]

wouldn't this test fail when using phpunit 10? 🤔

[staabm]

right, I had had the logic reversed. I think all feedback is addressed now

[nikophil]

and now your rule looks even closer from mine 😅

[nikophil]

I've also added a way to test against php version. I've done my rule few month ago, but I think if I've done this because InstalledVersions::satisfies() or InstalledVersions::isInstalled() do not recognize php as a dependency:

if ('php' === $dependency) {
    if (\version_compare(\PHP_VERSION, $constraint, '>=')) {
$errors[] = \sprintf('dependency "%s" satisfies constraint "%s"%s', $dependency, $constraint, $message ? ": {$message}." : '.');
    }

    continue;
}

[nikophil]

actually I've done my check the other way around, and the rule fails when constraint is satisfied

phpunit/phpunit:>=10

I think it reads better: "please phpstan, fail when phpunit meets this dependency"

About this specific todo: phpunit/phpunit:5.3.*, I think it would not fail when phpunit is at 5.3.*
but it will if we have phpunit>=5.4.0 and phpunit<5.3, which seems pretty strange

My take was to always add >= if the constraint does not specifies it

[nikophil]

@VincentLanglet I don't think this PR satisfies your need: it only looks on what is currently required by composer.lock but does not read composer.json which is what you'd need

[staabm]

I've also added a way to test against php version. I've done my rule few month ago, but I think if I've done this because InstalledVersions::satisfies() or InstalledVersions::isInstalled() do not recognize php as a dependency:

if ('php' === $dependency) {
    if (\version_compare(\PHP_VERSION, $constraint, '>=')) {
$errors[] = \sprintf('dependency "%s" satisfies constraint "%s"%s', $dependency, $constraint, $message ? ": {$message}." : '.');
    }

    continue;
}

I have similar stuff locally. what I don't like is, that this code depends on the runtime php version. I would want to compare the composer.json php requirement against the comment constraint.. I haven't found a way to achieve that though :)

[staabm]

Does this PR could satisfy this need ?

@VincentLanglet I think it kind of satiesfies it, but in an unexpected way. the result of the check depends on your composer.lock, which means it compares against the constraints which have been installed with composer install.

this means as long as you run the check against a composer.lock which was generated with the minimum supported php version of your package, it should work