fix(composer): resolve *-dev versions from the ~dev metadata file#174
Merged
Conversation
andrew
approved these changes
Jun 26, 2026
andrew
left a comment
andrew
left a comment
Contributor
There was a problem hiding this comment.
Verified the bug against live Packagist and traced the request path end to end. The fix is correct and the refactor is clean. The net/http / httptest imports in the test are the standard way to mock an upstream server in Go, nothing to worry about there. Thanks for the contribution.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Disclosure
this pr was created using claude opus. i'm a php developer and think i understand most of the changes but prolly can't defend some (e.g the
net/*requirements in the test). the issue was that the proxy could not cache -dev packages and this appears to fix it without breaking the non -dev caching for composer...Summary
Composer dev dependencies (e.g.
3.x-dev,dev-master) could not be installedfrom dist through the proxy. The download handler only ever fetched the regular
{vendor}/{package}.jsonmetadata file, but Packagist serves developmentversions from a separate
{vendor}/{package}~dev.jsonfile. As a result thedist URL was never found, the handler returned
404, and Composer silently fellback to a full git clone.
What changed
handleDownloadnow consults both metadata files. The file most likely tocontain the requested version is tried first, with the other as a fallback:
~devfile first, then the regular file~devfileisDevVersionto classify Composer version strings(
dev-<branch>/<alias>-dev).metadataURLsForVersionto build the ordered list of candidatemetadata URLs.
findDownloadURLFromMetadata. A missing document (non-200) or a missingversion now yields an empty string so the caller can fall back to the other
file; only transport failures return an error.
Testing
TestComposerDownloadDevVersionUsesDevMetadata, a regression test thatserves both metadata files from a mock upstream and asserts that:
~devfile first) resolves the correctdist URL.