Open

dev #86

4 changes: 2 additions & 2 deletions composer.json
Expand Up @@ -47,11 +47,11 @@
},
"require": {
"php": "^8.1",
"phplist/core": "dev-main",
"phplist/core": "dev-dev",
"symfony/twig-bundle": "^6.4",
"symfony/webpack-encore-bundle": "^2.2",
"symfony/security-bundle": "^6.4",
"tatevikgr/rest-api-client": "dev-main"
"tatevikgr/rest-api-client": "dev-dev"
Comment on lines +50 to +54
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check composer.json constraints =="
python - <<'PY'
import json
with open("composer.json") as f:
    data = json.load(f)
req = data.get("require", {})
for name in ("phplist/core", "tatevikgr/rest-api-client"):
    print(f"{name}: {req.get(name)}")
PY

echo
echo "== Verify remote branches exist =="
git ls-remote --heads https://github.com/phpList/core.git dev dev-dev main || true
git ls-remote --heads https://github.com/tatevikgr/phplist-api-client.git dev dev-dev main || true

echo
echo "== Verify lockfile pins commits for these packages (if lockfile exists) =="
if [ -f composer.lock ]; then
  python - <<'PY'
import json
with open("composer.lock") as f:
    lock = json.load(f)
pkgs = {p["name"]: p for p in lock.get("packages", [])}
for name in ("phplist/core", "tatevikgr/rest-api-client"):
    p = pkgs.get(name)
    if not p:
        print(f"{name}: NOT FOUND in composer.lock")
        continue
    print(f"{name}: version={p.get('version')} reference={p.get('source',{}).get('reference')}")
PY
else
  echo "composer.lock not found"
fi

Repository: phpList/web-frontend

Length of output: 521


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== composer.json constraints =="
python - <<'PY'
import json
with open("composer.json") as f:
    data = json.load(f)
req = data.get("require", {})
for name in ("phplist/core", "tatevikgr/rest-api-client"):
    print(f"{name}: {req.get(name)}")
PY

echo
echo "== Check composer.lock exists (reproducibility) =="
if [ -f composer.lock ]; then
  echo "composer.lock: present"
else
  echo "composer.lock: MISSING"
fi

echo
echo "== Verify upstream 'dev' branches exist (dev-dev maps to branch 'dev') =="
git ls-remote --heads https://github.com/phpList/core.git dev || true
git ls-remote --heads https://github.com/tatevikgr/phplist-api-client.git dev || true

Repository: phpList/web-frontend

Length of output: 415


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== composer.lock reproducibility check =="
test -f composer.lock && echo "composer.lock: present" || echo "composer.lock: MISSING"

echo
echo "== upstream branch check (dev) for floating dev-dev constraints =="
git ls-remote --heads https://github.com/phpList/core.git dev || true
git ls-remote --heads https://github.com/tatevikgr/phplist-api-client.git dev || true

Repository: phpList/web-frontend

Length of output: 309


🏁 Script executed:

#!/bin/bash
set -euo pipefail

test -f composer.lock && echo "composer.lock: present" || echo "composer.lock: MISSING"

git ls-remote --heads https://github.com/phpList/core.git dev || true
git ls-remote --heads https://github.com/tatevikgr/phplist-api-client.git dev || true

Repository: phpList/web-frontend

Length of output: 199


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "composer.lock:"
test -f composer.lock && echo "present" || echo "MISSING"

echo
echo "upstream dev branches:"
git ls-remote --heads https://github.com/phpList/core.git dev || true
git ls-remote --heads https://github.com/tatevikgr/phplist-api-client.git dev || true

Repository: phpList/web-frontend

Length of output: 223


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "composer.lock:"
test -f composer.lock && echo "present" || echo "MISSING"

echo
echo "upstream dev branches:"
git ls-remote --heads https://github.com/phpList/core.git dev || true
git ls-remote --heads https://github.com/tatevikgr/phplist-api-client.git dev || true

echo
echo "composer.json constraints:"
python - <<'PY'
import json
with open("composer.json") as f:
    data = json.load(f)
req = data.get("require", {})
for name in ("phplist/core", "tatevikgr/rest-api-client"):
    print(f"{name}: {req.get(name)}")
PY

Repository: phpList/web-frontend

Length of output: 308


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "composer.lock:"
test -f composer.lock && echo "present" || echo "MISSING"

echo
echo "composer.json constraints:"
python - <<'PY'
import json
with open("composer.json") as f:
    data = json.load(f)
req = data.get("require", {})
for name in ("phplist/core", "tatevikgr/rest-api-client"):
    print(f"{name}: {req.get(name)}")
PY

echo
echo "upstream dev branches (what dev-dev tracks):"
git ls-remote --heads https://github.com/phpList/core.git dev || true
git ls-remote --heads https://github.com/tatevikgr/phplist-api-client.git dev || true

Repository: phpList/web-frontend

Length of output: 330


Pin phplist/core and tatevikgr/rest-api-client to immutable refs (and commit composer.lock)

composer.json sets both phplist/core and tatevikgr/rest-api-client to dev-dev, which tracks the upstream moving dev branches. With composer.lock missing, installs/deploys won’t be reproducible and can drift.

  • Replace dev-dev with a tag/commit reference (immutable).
  • Generate and commit composer.lock so Composer pins exact commit hashes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@composer.json` around lines 50 - 54, composer.json currently pins
phplist/core and tatevikgr/rest-api-client to the floating alias "dev-dev",
which makes installs non-reproducible; update both entries to an immutable
version (a specific tagged version or a commit reference like "v1.2.3" or
"dev-branch#commit-hash") instead of "dev-dev", then run composer update to
regenerate composer.lock and commit the updated composer.json and the generated
composer.lock so installs use exact resolved package hashes; look for the
package keys "phplist/core" and "tatevikgr/rest-api-client" when making this
change.
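
A CI-style check for the finding above, as an added example (not code from the PR or from the review comment): it classifies each branch-tracking requirement in composer.json as floating, pinned inline with `#<commit>`, or pinned by composer.lock. The `audit` function, the verdict names and the sample lock reference are constructed for illustration.

```python
import json
import re

# Branch constraints look like "dev-<branch>" or "<n>.x-dev"; an optional
# "#<hex>" suffix pins a commit inline. Aliases ("... as 1.0") are out of scope.
BRANCH_RE = re.compile(r"^(?:dev-[^#\s]+|[\w.]+-dev)(?:#(?P<ref>[0-9a-fA-F]{7,40}))?$")

# Constructed sample mirroring the require block in the diff above.
SAMPLE_COMPOSER_JSON = json.dumps({"require": {
    "php": "^8.1",
    "phplist/core": "dev-dev",
    "symfony/twig-bundle": "^6.4",
    "tatevikgr/rest-api-client": "dev-dev",
}})

# Constructed lock fragment; the reference is a placeholder, not a real commit.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "phplist/core", "version": "dev-dev",
     "source": {"type": "git", "reference": "0" * 40}},
]})

def audit(composer_json, composer_lock=None):
    """Return {package: verdict} for every branch-tracking requirement."""
    require = json.loads(composer_json).get("require", {})
    locked = set()
    if composer_lock is not None:
        for pkg in json.loads(composer_lock).get("packages", []):
            if pkg.get("source", {}).get("reference"):
                locked.add(pkg["name"])
    verdicts = {}
    for name, constraint in require.items():
        match = BRANCH_RE.match(constraint.strip())
        if match is None:
            continue  # tag or version range, not a branch
        if match.group("ref"):
            verdicts[name] = "pinned-inline"
        elif name in locked:
            verdicts[name] = "pinned-by-lock"
        else:
            verdicts[name] = "floating"
    return verdicts

if __name__ == "__main__":
    for pkg, verdict in audit(SAMPLE_COMPOSER_JSON, SAMPLE_LOCK).items():
        print(f"{pkg}: {verdict}")
```

A pipeline gate would fail the build when any verdict is `floating`; `pinned-by-lock` only holds if composer.lock is committed and installs run `composer install` rather than `composer update`.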

},
"require-dev": {
"phpunit/phpunit": "^9.5",
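
Review bot: the two changed entries in `require`, `phplist/core` and `tatevikgr/rest-api-client`, go from one branch constraint (`dev-main`) to another (`dev-dev`) with no commit reference, so each resolve pulls whatever currently heads the upstream `dev` branch, and a push to either repository changes the code that ships alongside `symfony/security-bundle` without any change in this repo. Pin both to a tagged release or to `dev-dev#<commit-sha>`, commit the resulting composer.lock, and state in the PR description why branch tracking is needed. If it is only meant for the dev integration branch, this constraint should be swapped back to a release constraint before it reaches main.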