Fix Composer 404 on minified metadata and add debug logging #178
Open
philippdieter wants to merge 1 commit into
- Expand minified Composer v2 metadata in findDownloadURLFromMetadata so versions that inherit dist from a previous entry resolve correctly
- Add Debug()-level log statements in the download resolution path (handleDownload, findDownloadURLFromMetadata) so -log-level debug produces meaningful output
Summary
Two issues are fixed in internal/handler/composer.go:
- minified metadata, so versions that inherit their dist field from a previous entry appeared to have no download URL and returned 404.
- -log-level debug — The download/metadata code path contained zero Debug()-level log statements, so the log output was identical at info and debug levels.

Problem 1: 404 on package download
Symptoms
composer require neos/error-messages 8.3.19 fails with:

Other packages download fine. The metadata endpoint (/composer/p2/...) works correctly and returns the expected rewritten dist URL to Composer.
Root cause
Packagist serves package metadata in minified Composer v2 format ("minified": "composer/2.0"). In this format, each version entry only contains fields that differ from the previous entry; omitted fields are inherited. For example, version 8.3.19 of neos/error-messages has this raw entry in the upstream metadata:

    {
      "version": "8.3.19",
      "version_normalized": "8.3.19.0",
      "support": {
        "source": "https://github.com/neos/error-messages/tree/8.4.3"
      }
    }

No dist field — it inherits dist from an earlier entry in the chain.

The codebase has two code paths that consume this metadata:
- handlePackageMetadata → rewriteMetadata → expandMinifiedVersions
- handleDownload → findDownloadURLFromMetadata → findDownloadURL

Because findDownloadURLFromMetadata did not expand minified metadata, it called findDownloadURL, which checks vmap["dist"] directly. For version 8.3.19 that field was nil, so the lookup returned an empty string and handleDownload returned 404 at line 334.

Why other packages work
Packages whose metadata is not minified, or where every version entry happens to include its own dist field, are unaffected. The bug only surfaces for packages where the specific requested version inherits dist from a previous entry in the minified chain.
Fix
In findDownloadURLFromMetadata, after decoding the upstream metadata JSON, check for "minified": "composer/2.0" and call the existing expandMinifiedVersions() on each package's version list before passing the metadata to findDownloadURL. This reuses the same expansion logic that rewriteMetadata already used correctly.

Problem 2: No debug output with -log-level debug
Symptoms
Running the proxy with -log-level debug produces the same output as -log-level info. No debug-level lines appear.

Root cause
The logger was correctly configured at slog.LevelDebug — the flag parsing and setupLogger/parseLogLevel functions work correctly. The problem was that the download and metadata resolution code path contained no Debug()-level log statements at all. All logging in the critical path used Info() or Error():
- composer.go: handleDownload, Info, "composer download request"
- composer.go: handlePackageMetadata, Info, "composer metadata request"
- composer.go: handleDownload, Error, "failed to fetch metadata"
- middleware.go: LoggerMiddleware, Info, "request" (every HTTP request)

The only Debug() calls in the codebase were in proxyUpstream (search/list endpoints) and ProxyUpstream — neither hit during a package download.

Fix
Added Debug()-level log statements throughout the download resolution path:
- handleDownload: logs the metadata URLs being tried and the final resolved download URL (or "not found" if all sources were exhausted).
- findDownloadURLFromMetadata: logs the upstream metadata URL being fetched, the HTTP response status code, whether minified expansion was applied, and the resulting download URL (or empty string).
Example debug output after the fix:
Files changed
internal/handler/composer.go

Verification
- go build -o proxy ./cmd/proxy
- ./proxy -listen 0.0.0.0:9898 -base-url http://localhost:9898 -log-level debug
- composer require neos/error-messages 8.3.19 against the proxy — previously returned 404, now downloads and installs successfully (HTTP 200).
Authorship disclosure
This problem diagnosis and code fix were produced with the assistance of an AI assistant (opencode / glm-5.1). The changes were verified by running the existing test suite (go test ./... — 700 passed) and by reproducing the original failure and confirming the fix end-to-end with composer require.
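
The inheritance rule from the Root cause section of Problem 1, as an added example that is not part of this pull request or the project's code: it walks the minified chain once instead of calling the project's expandMinifiedVersions, and its expand flag switches between the pre-fix lookup (each entry read in isolation) and the expanded one. The name resolveDistURL, the sample metadata and its example.invalid URL are constructed for illustration; the "__unset" marker is part of Composer's minified format and is not mentioned on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample metadata: 8.3.19 carries no "dist" and inherits it from
// 8.3.20; 8.3.18 drops the inherited "dist" with the "__unset" marker.
const sampleMetadata = `{"minified": "composer/2.0", "packages": {"neos/error-messages": [
  {"version": "8.3.20", "dist": {"type": "zip", "url": "https://example.invalid/a.zip"}},
  {"version": "8.3.19"},
  {"version": "8.3.18", "dist": "__unset"}]}}`

// resolveDistURL (hypothetical name) returns the dist URL for pkg@version, or ""
// when the entry has none. With expand=false each entry is read in isolation,
// which reproduces the empty lookup behind the 404.
func resolveDistURL(raw []byte, pkg, version string, expand bool) (string, error) {
	var md struct {
		Minified string                      `json:"minified"`
		Packages map[string][]map[string]any `json:"packages"`
	}
	if err := json.Unmarshal(raw, &md); err != nil {
		return "", err
	}
	inherit := expand && md.Minified == "composer/2.0"
	current := map[string]any{}
	for _, entry := range md.Packages[pkg] {
		if !inherit {
			current = map[string]any{} // start from scratch for every entry
		}
		for k, v := range entry {
			current[k] = v
			if v == "__unset" {
				delete(current, k) // field removed relative to the previous entry
			}
		}
		if current["version"] == version {
			dist, _ := current["dist"].(map[string]any)
			url, _ := dist["url"].(string)
			return url, nil
		}
	}
	return "", nil
}

func main() {
	fmt.Println(resolveDistURL([]byte(sampleMetadata), "neos/error-messages", "8.3.19", true))
}
```

An empty result with a nil error is the case a download handler has to tell apart from an upstream failure before it answers 404.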