A fast, reliable, and secure NPM/Yarn bridge for Composer

This project looks great, and I'm really excited about the prospect of finally being able to manage the front-end dependencies of our Composer packages!

As of yet, I haven't had any luck trying it out though - every composer install or composer update ends with an npm error.

Here's the (verbose) output:

$ composer install -v
KODUS 2 installer enabled
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Dependency resolution completed in 0.002 seconds
Analyzed 290 packages to resolve dependencies
Analyzed 1058 rules to resolve dependencies
Nothing to install or update
Package http-interop/http-server-handler is abandoned, you should avoid using it. Use psr/http-server-handler instead.
Package http-interop/http-server-middleware is abandoned, you should avoid using it. Use psr/http-server-middleware instead.
Generating autoload files
Merging Composer dependencies in the asset package
Installing npm dependencies
npm ERR! Invalid version: "dev-master"

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/mindplay/.npm/_logs/2018-09-06T09_16_38_957Z-debug.log
Fallback to previous state for the Asset package
Fallback to previous state for Composer
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Dependency resolution completed in 0.003 seconds
Analyzed 290 packages to resolve dependencies
Analyzed 1058 rules to resolve dependencies
Nothing to install or update
Package http-interop/http-server-handler is abandoned, you should avoid using it. Use psr/http-server-handler instead.
Package http-interop/http-server-middleware is abandoned, you should avoid using it. Use psr/http-server-middleware instead.
Generating autoload files


  [RuntimeException]
  The asset manager ended with an error


Exception trace:
 () at /mnt/c/workspace/test/staging_project/vendor/foxy/foxy/Solver/Solver.php:108
 Foxy\Solver\Solver->solve() at /mnt/c/workspace/test/staging_project/vendor/foxy/foxy/Foxy.php:131
 Foxy\Foxy->solveAssets() at n/a:n/a
 call_user_func() at phar:///usr/bin/composer/src/Composer/EventDispatcher/EventDispatcher.php:176
 Composer\EventDispatcher\EventDispatcher->doDispatch() at phar:///usr/bin/composer/src/Composer/EventDispatcher/EventDispatcher.php:96
 Composer\EventDispatcher\EventDispatcher->dispatchScript() at phar:///usr/bin/composer/src/Composer/Installer.php:323
 Composer\Installer->run() at phar:///usr/bin/composer/src/Composer/Command/InstallCommand.php:119
 Composer\Command\InstallCommand->execute() at phar:///usr/bin/composer/vendor/symfony/console/Command/Command.php:242
 Symfony\Component\Console\Command\Command->run() at phar:///usr/bin/composer/vendor/symfony/console/Application.php:843
 Symfony\Component\Console\Application->doRunCommand() at phar:///usr/bin/composer/vendor/symfony/console/Application.php:193
 Symfony\Component\Console\Application->doRun() at phar:///usr/bin/composer/src/Composer/Console/Application.php:251
 Composer\Console\Application->doRun() at phar:///usr/bin/composer/vendor/symfony/console/Application.php:117
 Symfony\Component\Console\Application->run() at phar:///usr/bin/composer/src/Composer/Console/Application.php:100
 Composer\Console\Application->run() at phar:///usr/bin/composer/bin/composer:59
 require() at /usr/bin/composer:24

install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--no-custom-installers] [--no-autoloader] [--no-scripts] [--no-progress] [--no-suggest] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--ignore-platform-reqs] [--] [<packages>]...

Here's the output of the debug log:

0 info it worked if it ends with ok
1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'install' ]
2 info using [email protected]
3 info using [email protected]
4 verbose npm-session d6096af3659c374f
5 silly install runPreinstallTopLevelLifecycles
6 silly preinstall staging_project
7 info lifecycle @~preinstall: @
8 silly install loadCurrentTree
9 silly install readLocalPackageData
10 timing stage:loadCurrentTree Completed in 12ms
11 silly install loadIdealTree
12 silly install cloneCurrentTreeToIdealTree
13 timing stage:loadIdealTree:cloneCurrentTree Completed in 0ms
14 silly install loadShrinkwrap
15 timing stage:loadIdealTree:loadShrinkwrap Completed in 5ms
16 silly install loadAllDepsIntoIdealTree
17 silly fetchPackageMetaData error for @composer-asset/kodus--media@file:vendor/foxy/composer-asset/kodus/media Invalid version: "dev-master"
18 timing stage:rollbackFailedOptional Completed in 0ms
19 timing stage:runTopLevelLifecycles Completed in 251ms
20 silly saveTree staging_project
21 verbose stack Error: Invalid version: "dev-master"
21 verbose stack     at Object.fixVersionField (/usr/lib/node_modules/npm/node_modules/normalize-package-data/lib/fixer.js:191:13)
21 verbose stack     at /usr/lib/node_modules/npm/node_modules/normalize-package-data/lib/normalize.js:32:38
21 verbose stack     at Array.forEach (<anonymous>)
21 verbose stack     at normalize (/usr/lib/node_modules/npm/node_modules/normalize-package-data/lib/normalize.js:31:15)
21 verbose stack     at new Manifest (/usr/lib/node_modules/npm/node_modules/pacote/lib/finalize-manifest.js:121:3)
21 verbose stack     at tarballedProps.then.props (/usr/lib/node_modules/npm/node_modules/pacote/lib/finalize-manifest.js:50:13)
21 verbose stack     at tryCatcher (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
21 verbose stack     at Promise._settlePromiseFromHandler (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:512:31)
21 verbose stack     at Promise._settlePromise (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:569:18)
21 verbose stack     at Promise._settlePromiseCtx (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:606:10)
21 verbose stack     at Async._drainQueue (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:138:12)
21 verbose stack     at Async._drainQueues (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:143:10)
21 verbose stack     at Immediate.Async.drainQueues [as _onImmediate] (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:17:14)
21 verbose stack     at runCallback (timers.js:763:18)
21 verbose stack     at tryOnImmediate (timers.js:734:5)
21 verbose stack     at processImmediate (timers.js:716:5)
22 verbose cwd /mnt/c/workspace/test/staging_project
23 verbose Linux 4.4.0-17134-Microsoft
24 verbose argv "/usr/bin/node" "/usr/bin/npm" "install"
25 verbose node v9.11.2
26 verbose npm  v6.3.0
27 error Invalid version: "dev-master"
28 verbose exit [ 1, true ]

I am just trying it out, so for now, I've manually listed two packages that have package files via configuration in my project's composer.json:

    "config": {
        "foxy": {
            "enable-packages": {
                "kodus/media": true,
                "kodus/media-admin": true
            }
        }
    }

Both of these packages are on unable dev-branches, both named 1.0.0.

The package.json files in those two packages both list some "dependencies" for some npm packages.

If understand correctly, the idea is Foxy will aggregate these to a collective package.json for the project containing all the npm-dependencies of those two packages?

Any idea what I'm doing wrong?

composer-plugin-api for upcoming Composer 2 (can be installed with composer self-update --snapshot) has version 2.0.0.

The foxy/foxy package requires composer-plugin-api version 1.0.0 thus can't be used with Composer 2.

Suppose I have a library that needs some npm package(s). Normally I would just assume these assets are manually installed (and therefore located in the node_modules folder). Obviously when using foxy this will no longer be the case.

How would my library know where to look for the assets? Should foxy create something like symlinks to the main node_modules folder? Or should it somehow make the location of that folder available to the PHP world?

On the PHP side with composer we basically no longer care about paths since we have autoloading; for assets however we still need the path or the URL or a way to publish them without knowing the path. Ideally we would want to support this without requiring changes in the libraries themselves...

Related to https://github.com/foxypkg/foxy/issues/3#issuecomment-328782568

Besides that, it would be nice to have to possibility to define a custom packages.json file/path.

I am working on a way to provide asset installation even without npm or yarn installed - just for quick-starting projects.

An idea woud be to use https://asset-packagist.org/ in conjunction with https://github.com/wikimedia/composer-merge-plugin - having asset definitions in separate files like composer.asset.json (described also in https://github.com/yiisoft/yii2/issues/14862#issuecomment-369303919) - they only define npm-asset/xyz...

Would it be an option for foxy to use those files instead of packages.json as a fallback?

The README mentions:

All features and tools are available: Npmrc, Yarnrc, Webpack, Gulp, Grunt, Babel, TypeScript, Scss/Sass, Less, etc.

These are all tools you'd use at development-time, meaning the source-code itself is going to have build-time dependencies on specific version of tools like tsc, node-sass, webpack, etc.

It's my understanding that devDependencies aren't aggregated like dependencies?

I should explain what I'm hoping to do: I'd like to use Foxy to aggregate the npm-dependencies of Composer packages - then use webpack at the project-level to build and bundle all the front-end dependencies of the Composer packages.

To run webpack, I'll need common dev-dependencies like Typescript and node-sass, etc.

In order for that to work, it's important to come up with a common set of dev-dependencies at the project-level - for example, a project that requires a Composer packages that has a devDependency on typescript^2 should conflict with another Composer package that requires typescript^3.

Same for node-sass, and for webpack itself, and so on.

Is this use-case supported? Will it support a truly modular architecture, in which Composer packages effectively contribute both server-side and front-end dependencies?

Or how do you use Foxy in practice? (I have read the documentation, but it's quite abstract and seems to mostly deal with technical details like using/configuring the tool, and only a brief overview of the practical use-cases? Please let me know if I've overlooked something!)

Running in a Docker container...

/ # ./composer.phar require foxy/foxy:@dev
Do not run Composer as root/super user! See https://getcomposer.org/root for details
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing foxy/foxy (dev-master 8857b24): Cloning 8857b2426a from cache
Writing lock file
Generating autoload files
Installing npm dependencies
npm ERR! Linux 4.9.0-3-amd64
npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "install"
npm ERR! node v6.7.0
npm ERR! npm  v3.10.3
npm ERR! code EINVALIDTYPE

npm ERR! typeerror Error: Argument #1: Expected object but got array
npm ERR! typeerror     at moduleName (/usr/lib/node_modules/npm/lib/utils/module-name.js:25:3)
npm ERR! typeerror     at module.exports (/usr/lib/node_modules/npm/lib/utils/package-id.js:9:14)
npm ERR! typeerror     at build.linkStuff (/usr/lib/node_modules/npm/lib/build.js:105:25)
npm ERR! typeerror     at Array.<anonymous> (/usr/lib/node_modules/npm/node_modules/slide/lib/bind-actor.js:15:8)
npm ERR! typeerror     at LOOP (/usr/lib/node_modules/npm/node_modules/slide/lib/chain.js:15:14)
npm ERR! typeerror     at chain (/usr/lib/node_modules/npm/node_modules/slide/lib/chain.js:20:5)
npm ERR! typeerror     at module.exports (/usr/lib/node_modules/npm/lib/install/action/build.js:9:3)
npm ERR! typeerror     at actions.(anonymous function) (/usr/lib/node_modules/npm/lib/install/actions.js:48:12)
npm ERR! typeerror     at execAction (/usr/lib/node_modules/npm/lib/install/actions.js:98:7)
npm ERR! typeerror     at exports.doOne (/usr/lib/node_modules/npm/lib/install/actions.js:103:3)
npm ERR! typeerror This is an error with npm itself. Please report this error at:
npm ERR! typeerror     <http://github.com/npm/npm/issues>

npm ERR! Please include the following file with any support request:
npm ERR!     /npm-debug.log
Fallback to previous state for the Asset package
Fallback to previous state for Composer

Installation failed, deleting ./composer.json.

                                         
  [RuntimeException]                     
  The asset manager ended with an error  
                                         

require [--dev] [--prefer-source] [--prefer-dist] [--no-progress] [--no-suggest] [--no-update] [--no-scripts] [--update-no-dev] [--update-with-dependencies] [--ignore-platform-reqs] [--prefer-stable] [--prefer-lowest] [--sort-packages] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--] [<packages>]...

[update]

Looks like a missing packages.json, should be auto-created.

Even though I have this conifg:

    "config": {
        "foxy": {
            "enabled": false,
            "manager": "yarn",
            "enable-packages": {
                "*": true
            }
        },
    }

I get this error

Installs: foxy/foxy:dev-master c8225f7, psr/http-message:1.0.1, psr/log:1.0.2, psr/simple-cache:1.0.0, cebe/markdown:1.1.2, yiisoft/yii2-dev:2.1.x-dev 603c084, codemix/yii2-streamlog:1.2.1
  - Installing foxy/foxy (dev-master c8225f7): Cloning c8225f715cbe0b9310972e3d67ca15955691a26e from cache
Plugin installation failed, rolling back
  - Removing foxy/foxy (dev-master)

                                          
  [Foxy\Exception\RuntimeException]       
  The binary of "yarn" must be installed  
                                          

Upgrade will update all packages to lastest version.

Install not.

If I create a project, then I need add a package after few days. upgrade will update all packages, install will only install that package I need. I think install is correct.

Could there be a functionality to support cap syntax? Like so...

• convert npm- into entries in packages.json.
• don't use them in composer solver
• run composer installation
• run foxy

Maybe even with a mapping for bower-Xyz.js to npm-xyz if needed. (optional)

Situation is the following: package.json of library

[...]
"dependencies": {
    "example": "1",
  }
[...]

composer.json of project

[...]
"require-dev": {
    "library-name" : "1.0"
},
[...]

resulting package.json of project after installation with foxy

[...]
"dependencies": {
    "@library-name": "file:./vendor/foxy/composer-asset/library-name"
}
[...]

expected result in package.json

[...]
"devDependencies": {
    "@library-name": "file:./vendor/foxy/composer-asset/library-name"
}
[...]

I'm not quite sure if I overlooked something in the documentation or if there is another way to get foxy to do what we like it to do. As it is right now we found no way to make foxy install dev dependencies as such. As they are absent when we do a composer install --no-dev we get npm errors.

I'm running composer install and found that package-lock.json has been altered. We're committing the lock file. How to prevent updating an existing lock?