Hello, i just started to update our b2b 202009 based project starting with all the minor updates. Se

UPWG9AYH2

Hello,
i just started to update our b2b 202009 based project starting with all the minor updates. Seems the most updates has been applied and composer does not complain about an invalid package state.
However, when i run the shop there is immediately an error when entering the login page.

ErrorException - FATAL ERROR - Declaration of Spryker\Zed\SecurityOauthUser\Communication\Plugin\Security\Provider\OauthUserProvider::loadUserByUsername(string $username) must be compatible with Symfony\Component\Security\Core\User\UserProviderInterface::loadUserByUsername($username)

So, no error on project level.
There is an error, because spryker has declared the params type in the function extension, but the interface does not. So its incompatible now.
I was wondering what changed and it worked before but it seems something strange happened:
The minor update seemed to downgrade some modules like symfony/security-core … before it was v5.2.5 … now its v4.4.31 … also, none of the advanced composer update commands does solve the problem (e.g. -W, ignore plaform deps etc.)

Looking at the current spryker/symfony:3.7.0 (before update 3.5.1)there are some deps like

…
“symfony/security-core”: “^4.4.13 || ^5.2.8",
“symfony/security-guard”: “^4.4.13 || ^5.2.8",
“symfony/security-http”: “^4.4.13 || ^5.2.8",
…

It feels like composer favours on of the 4.x.xx version over the 5.x.x but i cant figure out why.

With the previous 3.5.1 version of spryker/symfony there where just the depdency with

…
“symfony/security-core”: “^4.4.13 || ^5.0.0",
“symfony/security-guard”: “^4.4.13 || ^5.0.0",
“symfony/security-http”: “^4.4.13 || ^5.0.7",
…

which resulted in core:v5.2.5, guard:v5.2.4 and http:v5.1.11

Tracing the dependencies of the core guard and http modules i am running in circles

composer why-not symfony/security-core:v5.2.8
symfony/security-http v4.4.30 requires symfony/security-core (^4.4.8)
composer why-not symfony/security-http:v5.2.8
symfony/security-guard   v4.4.27 requires     symfony/security-http (^4.4.1)
composer why-not symfony/security-guard:v5.2.8
symfony/security-guard   v5.2.8 requires     symfony/security-core (^5.0)

I guess there is somewhere a broken dep between the modules since composer does not complain but the interface is broken … any idea what to do? What do i miss?

Best

giovanni.piemontese

In your composer.json just:
"symfony/security-core": "^4.4.13 || ~5.2.8"
then u have sf 5.3 but only security core to 5.2.x that it is compatible with spryker security plugin

UPWG9AYH2

Hi Giovanni,
let me try that. Strange anyway if there are no conflicts but problems for real

Andriy Netseplyayev

yes, I had a similar one (it’s already known internally) - after update composer has found 2 possible package sets - one with Symfony 4.4 and one with 5.2. And by default it preferred to go with lower version and degraded the Symfony package I had before (since it was not explicitly fixed). But SecurityOauthUser was apparently compatible only with Symfony 5.
So I had to explicitly do composer require ..my package.. symfony/security-core:"^5.2.0" --with-all-dependencies

UPWG9AYH2

Hey Andriy,
requiring explicit with 5.x.x with all deps seems to solve the problem for me too.
Best