Conversation

@JeroenBoersma
Because of the hardening in the latest version of Composer (a good thing), invalid packages cannot be installed anymore.

The problem

This morning I tried to set up a clean Magento based on the mage-os mirror (my default) and it failed.

  Problem 1
    - Root composer.json requires magento/product-community-edition 2.4.8-p3 -> satisfiable by magento/product-community-edition[2.4.8-p3].
    - magento/product-community-edition 2.4.8-p3 requires components/jquery 1.11.0 -> found components/jquery[1.11.0] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-jvpv-pcrn-dfzc", "PKSA-jqsz-ykjr-qncb") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

My question: why does Magento require components/jquery:1.11.0?

I opened the original composer.json to see why it was required. It wasn't. Hmm, that's weird.

Research and solution

So, next, I tried to install from repo.magento.com to see if I could reproduce the bug with upstream, and it installed without any hassle.

Which led to researching the generator, because why do we have a different version from the original?

Locally disabled and built the project, and after that I could install Magento like before.
It is now 100% the same as repo.magento.com again (except the source, of course) 🙌

Affected version

  • all current builds as stated in the readme.md

@JeroenBoersma JeroenBoersma requested a review from a team as a code owner December 11, 2025 14:17
@JeroenBoersma
Author

Original introduction reference

require: Object.assign({'magento/magento2-base': ref}, taggedComposerConfig.require, taggedComposerConfig.replace)
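Added example (not the generator's or Magento's own code) contrasting the merge quoted above, which folds the upstream `replace` section into `require`, with one that keeps the two sections apart, plus a check that lists packages leaked into `require`. `taggedComposerConfig`, the `example/replaced-lib` package and the function names are constructed stand-ins.

```javascript
// Constructed stand-in for the upstream composer.json of the metapackage:
// components/jquery sits under `replace`, not `require`, just as the PR describes.
// `example/replaced-lib` is a made-up second entry to show the general behaviour.
const taggedComposerConfig = {
  require: { 'magento/framework': '*' },
  replace: { 'components/jquery': '1.11.0', 'example/replaced-lib': '1.0.0' },
};

// Form quoted in the PR: Object.assign merges every `replace` entry into `require`,
// so the mirror's metapackage hard-requires packages upstream only replaces, and
// Composer then resolves (and security-audits) them as real dependencies.
function buildRequireMerged(ref, cfg) {
  return Object.assign({ 'magento/magento2-base': ref }, cfg.require, cfg.replace);
}

// Corrected form (assumed fix): `replace` is carried over as its own section and
// `require` stays exactly as upstream has it, plus the mirror's base package pin.
function buildSectionsSeparate(ref, cfg) {
  return {
    require: Object.assign({ 'magento/magento2-base': ref }, cfg.require),
    replace: Object.assign({}, cfg.replace),
  };
}

// Check for a generated metapackage: which names in its `require` does upstream
// never require? Anything listed here was leaked from `replace` (or added by the
// mirror) and will be subject to Composer's block-insecure audit on install.
function replaceLeakedIntoRequire(generatedRequire, upstreamCfg) {
  return Object.keys(generatedRequire).filter(
    (name) => !(name in upstreamCfg.require) && name !== 'magento/magento2-base',
  );
}

// Usage: compare both forms against the constructed upstream config.
const ref = '2.4.8-p3';
console.log(replaceLeakedIntoRequire(buildRequireMerged(ref, taggedComposerConfig), taggedComposerConfig));
console.log(replaceLeakedIntoRequire(buildSectionsSeparate(ref, taggedComposerConfig).require, taggedComposerConfig));
```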

@rhoerr
Contributor

rhoerr commented Dec 13, 2025

Thanks for the PR!

I'll give this a look when time allows. I think there was a build-related reason for that (possibly for Mage-OS releases), but I can't recall the exact circumstances offhand. Either way, you're definitely right, packages shouldn't be moved from replace to require for mirror releases.

A couple of side notes:
