chore: fix Roave BC check (composer >= 2.9.8) and restrict phpunit < 13.2 #1127
Merged
The Roave BC check runs `composer/composer` in-process (via
LocateDependenciesViaComposer) to install the old/new versions' deps.
The locked composer/composer 2.9.3 validates GitHub OAuth tokens with
`{^[.A-Za-z0-9_]+$}`, which rejects GitHub's new App installation token
format `ghs_<id>_<base64url-JWT>` (it contains hyphens), crashing the
check with "github oauth token contains invalid characters".
composer/composer 2.9.8 fixes this (CVE-2026-45793 / GHSA-f9f8-rm49-7jv2)
by relaxing the validation. Pin >= 2.9.8 and regenerate the lock so the
in-process composer used by Roave accepts the new token format.
The bare `bin/tools/bc-check` path filter never matched files inside the directory, so changes to the BC check tooling did not re-run the check. Use a recursive glob so tooling bumps are validated.
Why
The Roave BC Check job is currently red on every PR (e.g. #1085). It is not a real backward-compatibility break: the tool crashes before any comparison, while installing the previous version's dependencies, with:
Root cause
GitHub (re)deployed its new GitHub App installation token format `ghs_<id>_<base64url-JWT>`, whose base64url part contains hyphens (`-`).
Roave runs `composer/composer` in-process (`LocateDependenciesViaComposer` → `Composer\Installer`) to install the old/new versions' deps. The locked `composer/composer` 2.9.3 validates GitHub tokens with `{^[.A-Za-z0-9_]+$}` — no hyphen allowed — so it throws and the check crashes (the `getcwd` error is a downstream PSL consequence). `composer/composer` 2.9.8 relaxes this validation (CVE-2026-45793 / GHSA-f9f8-rm49-7jv2). The green `2.x` runs simply predate GitHub's token rollout — a re-run would fail the same way.
What
`bin/tools/bc-check/composer.json`: require `composer/composer: ^2.9.8` and regenerate the lock. The in-process composer used by Roave is now 2.10.1 (which dropped the throwing validation entirely), so the new token format is accepted. The CI step (`composer bin bc-check require roave/...`) honours the `^2.9.8` floor.
`composer.json`: restrict phpunit to `~13.1.0` (>=13.1.0 <13.2.0) to avoid the currently-broken phpunit 13.2.
Verification
The Roave BC Check job on this PR should now perform the actual comparison and pass, instead of crashing on the token validation.
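As an added illustration (not code from this PR or from composer/composer), the snippet below reproduces the 2.9.3 token pattern quoted above in Python (the character class behaves identically in PCRE and Python `re`) and builds a constructed, non-real token in the `ghs_<id>_<base64url-JWT>` shape to show where the offending hyphen comes from. The token id and payload bytes are made up for the demonstration.

```python
import base64
import re

# Pattern quoted in the PR from composer/composer 2.9.3. In PHP the
# surrounding `{` `}` are PCRE delimiters, so the body is `^[.A-Za-z0-9_]+$`.
OLD_TOKEN_PATTERN = re.compile(r"^[.A-Za-z0-9_]+$")


def old_composer_accepts(token: str) -> bool:
    """True if composer 2.9.3's GitHub token validation would accept the token."""
    return OLD_TOKEN_PATTERN.match(token) is not None


def offending_chars(token: str) -> set[str]:
    """Characters the old pattern rejects.

    Handy when triaging "github oauth token contains invalid characters":
    it names the culprit characters without echoing the secret itself.
    """
    return {c for c in token if not OLD_TOKEN_PATTERN.match(c)}


def constructed_app_token() -> str:
    """Build a CONSTRUCTED token in the `ghs_<id>_<base64url-JWT>` shape.

    Not a real credential. The payload bytes are chosen so that both
    base64url-specific characters `-` and `_` appear: `_` is allowed by the
    old pattern, `-` is not, which is exactly what made the check crash.
    """
    payload = bytes([0xFB, 0xEF, 0xBE, 0xFF, 0xFF])
    jwt_like = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"ghs_12345_{jwt_like}"


if __name__ == "__main__":
    tok = constructed_app_token()
    print("classic-style token accepted:", old_composer_accepts("ghp_abc123"))
    print("app-token accepted by 2.9.3 pattern:", old_composer_accepts(tok))
    print("offending characters:", sorted(offending_chars(tok)))
```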