I suspect this is going to break the Joomla console package. similar to how my version of this a while back did? #26820

We can probably selectively update other parts whilst I try and get a plan around the console package though

@wilsonge , I removed the update for the console package.

See #27997 - Everything but the application and two OAuth packages are safe to update.

(Also, if you take out an update by manually editing the composer.lock, you need to run composer update --lock otherwise you are going to cause everyone to get warnings about the lock file hash being incorrect)

@mbabker , if we update the console package, we still get this error:

I suggest not updating the joomla console package until @wilsonge finds a solution. This will be the subject of another PR.

Bah, forgot that change.

Either way, you’re still introducing the Composer lock file hash error as the content-hash property isn’t updated here.

@mbabker , when I run composer update --lock, the composer.lock file is always the same. I may have forgotten something.

Something is definitely wrong though because it should be impossible to have run composer update and not change the hash, yet if you look at the diff for this PR the hash is unchanged. That’s a red flag.

This will update all Composer files to the latest versions as allowed in the composer.json file, except for the application, oauth1, oauth2, and console package.