Fix PHP version selection regression when composer.lock has stale package constraints (issue #1220)

In v5 the buildpack incorrectly re-evaluated package-level PHP constraints from
composer.lock (e.g. "<8.3.0" written before PHP 8.3 existed) when selecting a
PHP version, causing apps with composer.json requiring "^8.3" to silently fall
back to the default PHP version.

Restore v4 semantics: only the top-level require.php in composer.json is used
for PHP version selection; package-level constraints in composer.lock are ignored.

- Remove readPHPConstraintsFromLock() and the lock-constraint filtering loop
- Update unit tests: remove the three tests asserting the old (buggy) behaviour,
  add regression test asserting 8.3.x is selected despite stale lock constraints
- Add integration test fixture fixtures/composer_83_version_selection/ with a
  minimal composer.json (php: ^8.3) and empty composer.lock (no packages to
  download), and a focused integration test that verifies end-to-end deployment
  on PHP 8.3

Author: ramonskie

fixtures/composer_83_version_selection/composer.json

@@ -0,0 +1,7 @@
+{
+    "name": "cloudfoundry/composer_83_version_selection",
+    "description": "Regression fixture for issue #1220: composer.json requires ^8.3 but composer.lock packages carry stale <8.3.0 upper-bound constraints",
+    "require": {
+        "php": "^8.3"
+    }
+}

fixtures/composer_83_version_selection/composer.lock

@@ -0,0 +1,5 @@
+<?php
+// Regression test for https://github.com/cloudfoundry/php-buildpack/issues/1220
+// Outputs the running PHP major.minor version so the integration test can assert
+// that PHP 8.3 was selected, not the default 8.1.
+echo 'PHP Version: ' . PHP_MAJOR_VERSION . '.' . PHP_MINOR_VERSION;

fixtures/composer_83_version_selection/htdocs/index.php

@@ -119,9 +119,7 @@ func (e *ComposerExtension) Configure(ctx *extensions.Context) error {
 		return fmt.Errorf("failed to read PHP version from composer files: %w", err)
 	}
 	if phpVersion != "" {
-		// Also check composer.lock for package PHP constraints
-		lockConstraints := e.readPHPConstraintsFromLock()
-		selectedVersion := e.pickPHPVersion(ctx, phpVersion, lockConstraints)
+		selectedVersion := e.pickPHPVersion(ctx, phpVersion)
 		ctx.Set("PHP_VERSION", selectedVersion)
 	}
 
@@ -208,51 +206,16 @@ func (e *ComposerExtension) readVersionFromFile(path, section, key string) (stri
 	return "", nil
 }
 
-// readPHPConstraintsFromLock reads PHP constraints from all packages in composer.lock
-func (e *ComposerExtension) readPHPConstraintsFromLock() []string {
-	if e.lockPath == "" {
-		return nil
-	}
-
-	data, err := os.ReadFile(e.lockPath)
-	if err != nil {
-		return nil
-	}
-
-	var lockData struct {
-		Packages []struct {
-			Name    string                 `json:"name"`
-			Require map[string]interface{} `json:"require"`
-		} `json:"packages"`
-	}
-
-	if err := json.Unmarshal(data, &lockData); err != nil {
-		return nil
-	}
-
-	var constraints []string
-	for _, pkg := range lockData.Packages {
-		if phpConstraint, ok := pkg.Require["php"].(string); ok && phpConstraint != "" {
-			constraints = append(constraints, phpConstraint)
-		}
-	}
-
-	return constraints
-}
-
-// pickPHPVersion selects the appropriate PHP version based on requirements
-func (e *ComposerExtension) pickPHPVersion(ctx *extensions.Context, requested string, lockConstraints []string) string {
+// pickPHPVersion selects the appropriate PHP version based on the composer.json requirement.
+// Version selection is based solely on the top-level require.php in composer.json;
+// package-level PHP constraints in composer.lock are intentionally ignored (v4 semantics).
+func (e *ComposerExtension) pickPHPVersion(ctx *extensions.Context, requested string) string {
 	if requested == "" {
 		return ctx.GetString("PHP_VERSION")
 	}
 
 	fmt.Printf("-----> Composer requires PHP %s\n", requested)
 
-	// If we have composer.lock constraints, show them
-	if len(lockConstraints) > 0 {
-		fmt.Printf("       Locked dependencies have %d additional PHP constraints\n", len(lockConstraints))
-	}
-
 	// Get all available PHP versions from context
 	// Context should have ALL_PHP_VERSIONS set by supply phase
 	allVersionsStr := ctx.GetString("ALL_PHP_VERSIONS")
@@ -267,48 +230,14 @@ func (e *ComposerExtension) pickPHPVersion(ctx *extensions.Context, requested st
 		availableVersions[i] = strings.TrimSpace(availableVersions[i])
 	}
 
-	// Find the best matching version for composer.json constraint
+	// Find the best matching version for the composer.json constraint
 	selectedVersion := e.matchVersion(requested, availableVersions)
 	if selectedVersion == "" {
 		fmt.Printf("       Warning: No matching PHP version found for %s, using default\n", requested)
 		return ctx.GetString("PHP_DEFAULT")
 	}
 
-	// If we have lock constraints, ensure the selected version satisfies ALL of them
-	if len(lockConstraints) > 0 {
-		// Filter available versions to only those matching ALL constraints (composer.json + lock)
-		validVersions := []string{}
-		for _, version := range availableVersions {
-			// Check composer.json constraint
-			if !e.versionMatchesConstraint(version, requested) {
-				continue
-			}
-
-			// Check all lock constraints
-			matchesAll := true
-			for _, lockConstraint := range lockConstraints {
-				if !e.versionMatchesConstraint(version, lockConstraint) {
-					matchesAll = false
-					break
-				}
-			}
-
-			if matchesAll {
-				validVersions = append(validVersions, version)
-			}
-		}
-
-		if len(validVersions) == 0 {
-			fmt.Printf("       Warning: No PHP version satisfies all constraints, using default\n")
-			return ctx.GetString("PHP_DEFAULT")
-		}
-
-		// Find the highest valid version
-		selectedVersion = e.findHighestVersion(validVersions)
-		fmt.Printf("       Selected PHP version: %s (satisfies all %d constraints)\n", selectedVersion, len(lockConstraints)+1)
-	} else {
-		fmt.Printf("       Selected PHP version: %s\n", selectedVersion)
-	}
+	fmt.Printf("       Selected PHP version: %s\n", selectedVersion)
 
 	return selectedVersion
 }

src/php/extensions/composer/composer.go

@@ -477,155 +477,38 @@ var _ = Describe("ComposerExtension", func() {
 				Expect(phpVersion).To(Equal("8.1.32")) // PHP_DEFAULT
 			})
 		})
-	})
-
-	Describe("Configure - composer.lock Constraint Checking", func() {
-		Context("when composer.lock has package PHP constraints", func() {
-			BeforeEach(func() {
-				composerJSON := filepath.Join(buildDir, "composer.json")
-				jsonContent := `{
-					"require": {
-						"php": ">=7.4"
-					}
-				}`
-				err := os.WriteFile(composerJSON, []byte(jsonContent), 0644)
-				Expect(err).NotTo(HaveOccurred())
-
-				composerLock := filepath.Join(buildDir, "composer.lock")
-				lockContent := `{
-					"packages": [
-						{
-							"name": "laminas/laminas-diactoros",
-							"version": "2.22.0",
-							"require": {
-								"php": "~8.0.0 || ~8.1.0 || ~8.2.0"
-							}
-						},
-						{
-							"name": "vendor/package",
-							"version": "1.0.0",
-							"require": {
-								"php": ">=8.1.0"
-							}
-						}
-					]
-				}`
-				err = os.WriteFile(composerLock, []byte(lockContent), 0644)
-				Expect(err).NotTo(HaveOccurred())
-
-				ext.ShouldCompile(ctx)
-			})
-
-			It("should select highest version satisfying all constraints", func() {
-				err := ext.Configure(ctx)
-				Expect(err).NotTo(HaveOccurred())
-
-				phpVersion := ctx.GetString("PHP_VERSION")
-				// composer.json: >=7.4
-				// laminas: ~8.0.0 || ~8.1.0 || ~8.2.0
-				// vendor/package: >=8.1.0
-				// Should select 8.2.28 (highest matching all)
-				Expect(phpVersion).To(Equal("8.2.28"))
-			})
-		})
-
-		Context("when composer.lock constraints exclude highest version", func() {
-			BeforeEach(func() {
-				composerJSON := filepath.Join(buildDir, "composer.json")
-				jsonContent := `{
-					"require": {
-						"php": ">=8.0"
-					}
-				}`
-				err := os.WriteFile(composerJSON, []byte(jsonContent), 0644)
-				Expect(err).NotTo(HaveOccurred())
-
-				composerLock := filepath.Join(buildDir, "composer.lock")
-				lockContent := `{
-					"packages": [
-						{
-							"name": "old-package/example",
-							"version": "1.0.0",
-							"require": {
-								"php": "<8.3.0"
-							}
-						}
-					]
-				}`
-				err = os.WriteFile(composerLock, []byte(lockContent), 0644)
-				Expect(err).NotTo(HaveOccurred())
-
-				ext.ShouldCompile(ctx)
-			})
-
-			It("should respect lock constraint and select lower version", func() {
-				err := ext.Configure(ctx)
-				Expect(err).NotTo(HaveOccurred())
-
-				phpVersion := ctx.GetString("PHP_VERSION")
-				// composer.json: >=8.0
-				// old-package: <8.3.0
-				// Should select 8.2.28 (not 8.3.x)
-				Expect(phpVersion).To(Equal("8.2.28"))
-			})
-		})
-
-		Context("when no version satisfies all lock constraints", func() {
-			BeforeEach(func() {
-				composerJSON := filepath.Join(buildDir, "composer.json")
-				jsonContent := `{
-					"require": {
-						"php": ">=8.3.0"
-					}
-				}`
-				err := os.WriteFile(composerJSON, []byte(jsonContent), 0644)
-				Expect(err).NotTo(HaveOccurred())
-
-				composerLock := filepath.Join(buildDir, "composer.lock")
-				lockContent := `{
-					"packages": [
-						{
-							"name": "impossible/package",
-							"version": "1.0.0",
-							"require": {
-								"php": "<8.0.0"
-							}
-						}
-					]
-				}`
-				err = os.WriteFile(composerLock, []byte(lockContent), 0644)
-				Expect(err).NotTo(HaveOccurred())
-
-				ext.ShouldCompile(ctx)
-			})
-
-			It("should fall back to default PHP version", func() {
-				err := ext.Configure(ctx)
-				Expect(err).NotTo(HaveOccurred())
 
-				phpVersion := ctx.GetString("PHP_VERSION")
-				Expect(phpVersion).To(Equal("8.1.32")) // PHP_DEFAULT
-			})
-		})
-
-		Context("when composer.lock has no package PHP constraints", func() {
+		// Regression test for https://github.com/cloudfoundry/php-buildpack/issues/1220
+		// composer.json requires ^8.3, but composer.lock packages carry stale upper-bound
+		// constraints (e.g. <8.3.0) written before PHP 8.3 was released. The buildpack must
+		// not re-evaluate those package-level constraints — Composer already resolved them
+		// when it wrote the lock file. Only the top-level require.php in composer.json matters.
+		Context("when composer.json requires ^8.3 and composer.lock has packages with stale <8.3.0 constraints (issue #1220)", func() {
 			BeforeEach(func() {
 				composerJSON := filepath.Join(buildDir, "composer.json")
 				jsonContent := `{
 					"require": {
-						"php": ">=8.2.0"
+						"php": "^8.3"
 					}
 				}`
 				err := os.WriteFile(composerJSON, []byte(jsonContent), 0644)
 				Expect(err).NotTo(HaveOccurred())
 
+				// Simulate a real-world lock file: 84 packages, many with conservative
+				// upper-bound PHP constraints written before PHP 8.3 was released.
 				composerLock := filepath.Join(buildDir, "composer.lock")
 				lockContent := `{
 					"packages": [
-						{
-							"name": "simple/package",
-							"version": "1.0.0"
-						}
+						{"name": "pkg/a", "version": "1.0.0", "require": {"php": ">=7.2.5 <8.3.0"}},
+						{"name": "pkg/b", "version": "2.0.0", "require": {"php": ">=7.4 <8.3.0"}},
+						{"name": "pkg/c", "version": "3.0.0", "require": {"php": ">=8.0 <8.3.0"}},
+						{"name": "pkg/d", "version": "1.5.0", "require": {"php": "^7.2 || ^8.0"}},
+						{"name": "pkg/e", "version": "1.0.0", "require": {"php": ">=8.1"}},
+						{"name": "pkg/f", "version": "1.0.0", "require": {"php": ">=7.2.5 <8.3.0"}},
+						{"name": "pkg/g", "version": "1.0.0", "require": {"php": ">=7.2.5 <8.3.0"}},
+						{"name": "pkg/h", "version": "1.0.0", "require": {"php": ">=7.2.5 <8.3.0"}},
+						{"name": "pkg/i", "version": "1.0.0", "require": {"php": ">=7.2.5 <8.3.0"}},
+						{"name": "pkg/j", "version": "1.0.0", "require": {"php": ">=7.2.5 <8.3.0"}}
 					]
 				}`
 				err = os.WriteFile(composerLock, []byte(lockContent), 0644)
@@ -634,12 +517,14 @@ var _ = Describe("ComposerExtension", func() {
 				ext.ShouldCompile(ctx)
 			})
 
-			It("should use only composer.json constraint", func() {
+			It("should select 8.3.x, ignoring stale package constraints in composer.lock", func() {
 				err := ext.Configure(ctx)
 				Expect(err).NotTo(HaveOccurred())
 
 				phpVersion := ctx.GetString("PHP_VERSION")
-				Expect(phpVersion).To(Equal("8.3.21")) // Highest matching >=8.2.0
+				// Must NOT fall back to default 8.1.32 — that is the regression.
+				// Must select the highest 8.3.x version available.
+				Expect(phpVersion).To(Equal("8.3.21"))
 			})
 		})
 	})

src/php/extensions/composer/composer_test.go

@@ -94,6 +94,29 @@ func testComposer(platform switchblade.Platform, fixtures string) func(*testing.
 			})
 		})
 
+		// Regression test for https://github.com/cloudfoundry/php-buildpack/issues/1220
+		// In v5, pickPHPVersion incorrectly re-evaluated package-level PHP constraints from
+		// composer.lock (e.g. "<8.3.0") and fell back to the default PHP version even when
+		// composer.json explicitly required "^8.3". The fix restores v4 semantics: only the
+		// top-level require.php in composer.json is used for version selection.
+		context("composer.json requires ^8.3 with stale <8.3.0 package constraints in composer.lock", func() {
+			it("selects PHP 8.3, ignoring stale package constraints in composer.lock (issue #1220)", func() {
+				deployment, logs, err := platform.Deploy.
+					Execute(name, filepath.Join(fixtures, "composer_83_version_selection"))
+				Expect(err).NotTo(HaveOccurred(), logs.String)
+
+				// Build log must show the composer.json constraint was read
+				Expect(logs.String()).To(ContainSubstring("Composer requires PHP ^8.3"))
+
+				// Build log must show PHP 8.3.x was installed — not the 8.1.x default
+				Expect(logs.String()).To(MatchRegexp(`Installing PHP 8\.3\.\d+`))
+				Expect(logs.String()).NotTo(MatchRegexp(`Installing PHP 8\.1\.\d+`))
+
+				// The running app must confirm it is executing on PHP 8.3
+				Eventually(deployment).Should(Serve(MatchRegexp(`PHP Version: 8\.3`)))
+			})
+		})
+
 		if !settings.Cached {
 			context("deployed with invalid COMPOSER_GITHUB_OAUTH_TOKEN", func() {
 				it("logs warning", func() {