Channel: Issues for Drupal core

Determine strategy for handling packaging of dev tarballs.


As of January 30th, Drupal Infrastructure deployed the official method for building all of the tarballs for Drupal 8.8 and higher, using composer create-project to leverage the templates instead of using git-archive.

As a side effect of this, we realized that we had introduced a subtle change to the way that "development tarballs" are produced.

The subtle change is that the -dev versions of the tarballs are not getting "locked" versions of the core -dev dependencies, and are allowed to float to the most recent version of the dev deps.

Those affected are users who are both
A. Using the development version of the tarballs for 8.8.x-dev/8.9.x-dev/9.0.x-dev and
B. Using any of the "dev" functions of core, like running phpunit etc.

The impact of this is that the users may end up with results that differ from what core has in their development process.

We have a few choices on how to mitigate this issue:

  • A. Leave it this way, tell people that -dev dependencies will no longer be 'pinned' to what core tested against, and let the deps float. (Zero Work)
  • B. Change the drupal/legacy-template to use the drupal/core-dev-pinned metapackage, which would pin the development version to the exact version that core ships with. The disadvantage is that anybody using Composer to start on a dev version of core with the 'legacy-template' will have difficulties/complexities upgrading to a newer version of core that contains updates to the development dependencies.
  • C. Change the subtree splitter that generates the lockfiles for drupal/legacy-template so that it gets the pinned versions of the dev dependencies that ship with core. (This implies that composer users starting with -dev versions will have to include --no-dev if they do not want development versions)
  • D. Stop providing the require-dev dependencies into the -dev tarballs. (See: #3086489: Exclude development libraries from templates' composer.json by default)

A cursory analysis of the analytics (users using browsers, downloading tarballs from drupal.org) shows that 8.8.x-dev has only had ~600 total downloads since March. (I didn't pull the actual web logs as they're in Glacier, and that costs money to retrieve to analyze.)

We don't have any evidence or known use cases of users showing that the development dependencies in the dev tarballs are necessary to their workflow. We only really know that they are there now, so it's plausible that somebody, somewhere, has a workflow that needs it. (https://xkcd.com/1172/)


Release note

As of February 1, 2020, this development tarball may contain versions of Composer development dependencies (like PHPUnit and Coder) updated from the particular versions specified in Drupal core's composer.lock file. This only affects sites installing the development tarball and then using the included development tools. Development tarballs are not recommended for use on production sites as development tools may not meet security requirements.
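
One way to detect the floating described in this issue is to compare the `packages-dev` section of core's composer.lock with the lock file that ships in a -dev tarball. This is an added example, not code from the issue or from Drupal; it assumes both lock files are available as text, and the versions, commit references and the `example/dev-tool` package are constructed sample data.

```python
import json

def dev_packages(lock_text):
    """Map each "packages-dev" entry of a composer.lock to (version, source ref)."""
    result = {}
    for pkg in json.loads(lock_text).get("packages-dev") or []:
        version = pkg["version"]
        # Composer treats "v1.2.3" and "1.2.3" as the same version.
        if version[:1] in ("v", "V") and version[1:2].isdigit():
            version = version[1:]
        # Branch versions such as "dev-master" only pin via the commit reference.
        ref = (pkg.get("source") or {}).get("reference")
        result[pkg["name"]] = (version, ref)
    return result

def dev_drift(core_lock_text, tarball_lock_text):
    """Return {package: (core, tarball)} for each dev dependency that differs."""
    core = dev_packages(core_lock_text)
    tarball = dev_packages(tarball_lock_text)
    return {
        name: (core.get(name), tarball.get(name))
        for name in sorted(set(core) | set(tarball))
        if core.get(name) != tarball.get(name)
    }

# Constructed sample data: versions and references are made up, and only the
# fields read above are included. "example/dev-tool" is a hypothetical package.
CORE_LOCK = json.dumps({"packages-dev": [
    {"name": "phpunit/phpunit", "version": "6.5.14"},
    {"name": "drupal/coder", "version": "8.3.7"},
    {"name": "mikey179/vfsstream", "version": "v1.6.8"},
    {"name": "example/dev-tool", "version": "dev-master",
     "source": {"reference": "aaaa111"}},
]})
TARBALL_LOCK = json.dumps({"packages-dev": [
    {"name": "phpunit/phpunit", "version": "6.5.14"},
    {"name": "drupal/coder", "version": "8.3.8"},
    {"name": "mikey179/vfsstream", "version": "1.6.8"},
    {"name": "example/dev-tool", "version": "dev-master",
     "source": {"reference": "bbbb222"}},
]})

if __name__ == "__main__":
    for name, (core, tarball) in dev_drift(CORE_LOCK, TARBALL_LOCK).items():
        print(f"{name}: core locked {core}, tarball has {tarball}")
```

A branch version such as `dev-master` can keep the same version string while its commit moves, which is why the source reference is compared as well.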

