Skip to content

Update packagist to API p2 #662

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
elrayle merged 2 commits into from
Dec 8, 2025
Merged

Update packagist to API p2 #662

elrayle merged 2 commits into from
Dec 8, 2025

Conversation

@elrayle
Copy link
Collaborator

@elrayle elrayle commented Dec 4, 2025

The composer API in use for importing from the package manager is deprecated as of Sept 1. It now returns a 403 for all requests.

This PR updates packagist calls to the p2 endpoint. The format of that endpoint has changed. The mock data is the result of the actual call to that endpoint.

curl "https://repo.packagist.org/p2/symfony/polyfill-mbstring.json"

Added a test to directly test that _getRegistryData processes data in the p2 format.

@elrayle elrayle force-pushed the elr/packagist-p2 branch 3 times, most recently from 5e12eb5 to 360209e Compare December 4, 2025 19:53
@elrayle elrayle marked this pull request as ready for review December 4, 2025 20:10
@elrayle
Copy link
Collaborator Author

elrayle commented Dec 4, 2025

Deployed to dev and ran a test with cd:/composer/packagist/symfony/clock/v6.4.24. I confirmed that it was processed and extracted the expected license.

qtomlinson
qtomlinson reviewed Dec 5, 2025
View reviewed changes
Copy link
Collaborator

@qtomlinson qtomlinson left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great catch, and thanks for your contribution! This will definitely improve Composer package harvesting.

Just a note: ClearlyDefined also tries to harvest source (e.g., GitHub) components during source discovery, using registry metadata. Composer v2 metadata (p2 API) is compressed—only the latest version has full metadata, while older versions are diffs and may miss key fields like homepage, dist, and source. These fields are used during source discovery in composerExtract.js.

To restore full metadata for any version, you can use logic similar to Composer\MetadataMinifier\MetadataMinifier::expand() (see "Getting the Package Data, Using the Composer v2 metadata" at https://packagist.org/apidoc). Alternatively, the package API provides complete metadata for all versions (see "Getting the Package Data, Using the API" at https://packagist.org/apidoc).

This pull request addresses most of the cases. Some cases that rely on the full registry data can be addressed in a separate pull request.

@elrayle
remove extra slash
9cea2b9 
A previous issue in the code: providerMap.packagist contains trailing /, so the template string results in `https://repo.packagist.org//p2/symfony/polyfill-mbstring.json`.  This removes the extra slash.
@elrayle
Copy link
Collaborator Author

elrayle commented Dec 8, 2025

Adding in the expand process is more involved and better to push off to another PR.

@elrayle elrayle merged commit 17a5eef into master Dec 8, 2025
2 checks passed
@elrayle elrayle deleted the elr/packagist-p2 branch December 8, 2025 18:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qtomlinson qtomlinson qtomlinson approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@elrayle @qtomlinson