Can only install one of: guzzlehttp/guzzle

clarkwinkelmann

An issue has recently been arising with new Flarum installations and I want to give some guidance in how to solve it.

Identifying the issue

You might get an "Installation failed" from Composer when trying to install a new extension. The output of Composer will show some kind of conflict message which will include things like:

composer require fof/uploadUsing version ^0.10.0 for fof/upload
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for fof/upload ^0.10.0 -> satisfiable by fof/upload[0.10.0].
    - Conclusion: remove guzzlehttp/guzzle 7.0.1
    - Conclusion: don't install guzzlehttp/guzzle 7.0.1
    - fof/upload 0.10.0 requires guzzlehttp/guzzle ^6.0 -> satisfiable by guzzlehttp/guzzle[6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5].
    - Can only install one of: guzzlehttp/guzzle[6.0.0, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.0.1, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.0.2, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.1.0, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.1.1, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.2.0, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.2.1, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.2.2, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.2.3, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.3.0, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.3.1, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.3.2, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.3.3, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.4.0, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.4.1, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.5.0, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.5.1, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.5.2, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.5.3, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.5.4, 7.0.1].
    - Can only install one of: guzzlehttp/guzzle[6.5.5, 7.0.1].
    - Installation request for guzzlehttp/guzzle (locked at 7.0.1) -> satisfiable by guzzlehttp/guzzle[7.0.1].


Installation failed, reverting ./composer.json to its original content.

The cause

Composer lets each extension request the dependencies and dependencies versions of their choice. Not all extensions require the same dependency versions, and this can lead to conflicts.

In this case the conflict is actually solvable, but Composer is unable to solve it by itself.

The problem is that league/oauth2-client works with either Guzzle ^6.0 or ^7.0, while most other extensions work with only Guzzle ^6.0.

If league/oauth2-client is installed first, Composer will install version 7.0 of Guzzle. If you then try to install extensions that need Guzzle 6.0, Composer will not accept to downgrade the major version of an already-installed dependency.

league/oauth2-client is installed as a dependency of the Facebook/GitHub login extensions, and probably other community extensions that provide login.

I think the issue does not affect everyone because there's usually one other extension installed by default that requires Guzzle 6 only. It's the Twitter login extension which relies on league/oauth1-client which only works with Guzzle 6. So I believe everyone having this issue must have removed the Twitter login extension at some point, and then ran a global Composer update. Flarum core does not require Guzzle by the way.

It only started happening recently because the oauth2 client started allowing Guzzle since version 2.5.0 which was released on July 18 2020. Older Flarum installs which have not updated their extension's dependencies for a while still use version 2.4.* which doesn't create this conflict.

This issue can be found on Composer's issue tracker here and here. It sounds like it has been kind of solved in Composer v2, but I have not tested v2 yet.

The solution

Composer has optional command flags (like --update-with-dependencies) to allow dependency updates but in Composer v1, this doesn't seem to allow major version downgrades. So here's the workaround:

Step 1: Install Guzzle ^6.0 as a direct dependency, this forces Composer to downgrade from major version 7 to 6:

composer require guzzlehttp/guzzle:^6.0

Composer will show something like "Downgrading guzzlehttp/guzzle (7.0.1 => 6.5.5)".

Step 2: Install the new package that couldn't be installed in the first place by following the instructions from the extension's discussion. For example for FoF Upload:

composer require fof/upload

Step 3: Remove the direct Guzzle dependency. This avoids potential other issues in the future:

composer remove guzzlehttp/guzzle

Composer will say "Nothing to install or update". That's expected. This will just remove the line about Guzzle from composer.json. You could also manually remove that line but running the command ensures you don't break the formatting of composer.json.

cmwetherell

Clark - thank you!

Indeed, I enabled the Twitter extension almost immediately after getting my Flarum install set up, then promptly turned it off because I was unsure what to put in the settings boxes. It is still off, and I was running into this issue.

Cheers.

phking

thank you!

cmwetherell

I just did a fresh install for a new site, and I ran into the same error trying to install Upload. It's an easy fix. But this time I didn't ever enable the Twitter extension. So maybe this is just a general issue now?

luceos

cmwetherell an extension that is installed but not enabled is still taken into account for dependencies with composer. If you don't use an extension it's best to delete it entirely (composer remove flarum/auth-twitter).

clarkwinkelmann

I think that the League Oauth1 (and by extension, the Twitter extension) now also has a requirement of ^6.0||^7.0, so this issue might happen to every new Flarum install now.

There's no definitive solution. Flarum could explicitly require version ^6.0, but as Flarum doesn't need the dependency itself, that would only create limitations for extensions that legitimately depend on or could benefit from ^7.0.

The best solution at this point is probably for extensions to check compatibility with Guzzle 7.0 and then update their requirement to ^6.0||^7.0 like the League OAuth packages. That way most extensions will use Guzzle 7.0 but the instructions in this topic can still be used for extensions that only support Guzzle 6.0

josiahking

@clarkwinkelmann @luceos This problem still occurs with installing fof/upload, is there a patch to this issue or we should follow the temp solution
outlined above?

clarkwinkelmann

josiahking yes, we're aware the issue persists. It will persist for all users of Composers V1 until all extensions are compatible with Guzzle 7.

On Composer V2, the issue shouldn't appear because Composer V2 can automatically calculate the correct dependencies to install.

The above is not a temporary solution, it's the real solution. It's just that Composer V1 is unable to make the calculation to install the correct dependency versions. We, as forum administrators, have to force Composer to see the truth by using those commands 🙉

josiahking

clarkwinkelmann Ok thanks I will follow the solution.

DursunCan

Is there a problem this way?

# composer remove guzzlehttp/guzzle
./composer.json has been updated
Running composer update guzzlehttp/guzzle
Loading composer repositories with package information
Updating dependencies
Nothing to modify in lock file
Writing lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Generating autoload files
77 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Removal failed, guzzlehttp/guzzle is still present, it may be required by another package. See `composer why guzzlehttp/guzzle`.

# composer why guzzlehttp/guzzle
fof/geoip             0.2.0   requires  guzzlehttp/guzzle (6.*)           
fof/stopforumspam     0.3.1   requires  guzzlehttp/guzzle (6.*)           
league/oauth1-client  v1.8.2  requires  guzzlehttp/guzzle (^6.0|^7.0)     
league/oauth2-client  2.6.0   requires  guzzlehttp/guzzle (^6.0 || ^7.0)

clarkwinkelmann

DursunCan the output looks good. There's only that last line "Removal failed" that I didn't encounter before.

Are you using Composer v2? (you can check with composer --version).

The goal of that last command is to remove the line from composer.json. Based on the output, the line was already not present. Not sure how that's possible, since the previous command should have added it. You can check in composer.json. If the forum works fine and you don't see guzzlehttp/guzzle in composer.json, everything worked as expected.

DursunCan

clarkwinkelmann 👍

# composer -V
Composer version 2.0.4 2020-10-30 22:39:11

# cat composer.json 
{
    "name": "flarum/flarum",
    "description": "Delightfully simple forum software.",
    "type": "project",
    "keywords": [
        "forum",
        "discussion"
    ],
    "homepage": "https://flarum.org/",
    "license": "MIT",
    "authors": [
        {
            "name": "Franz Liedke",
            "email": "franz@develophp.org"
        },
        {
            "name": "Daniel Klabbers",
            "email": "daniel@klabbers.email",
            "homepage": "https://luceos.com"
        },
        {
            "name": "David Sevilla Martin",
            "email": "me+flarum@datitisev.me",
            "homepage": "https://datitisev.me"
        },
        {
            "name": "Clark Winkelmann",
            "email": "clark.winkelmann@gmail.com",
            "homepage": "https://clarkwinkelmann.com"
        },
        {
            "name": "Matthew Kilgore",
            "email": "matthew@kilgore.dev"
        },
        {
            "name": "Alexander (Sasha) Skvortsov",
            "email": "askvortsov@flarum.org"
        }
    ],
    "support": {
        "issues": "https://github.com/flarum/core/issues",
        "source": "https://github.com/flarum/flarum",
        "docs": "https://flarum.org/docs/"
    },
    "require": {
        "askvortsov/flarum-moderator-warnings": "^0.3.0",
        "flarum/approval": "^0.1.0",
        "flarum/bbcode": "^0.1.0",
        "flarum/core": "^0.1.0",
        "flarum/emoji": "^0.1.0",
        "flarum/flags": "^0.1.0",
        "flarum/lang-english": "^0.1.0",
        "flarum/likes": "^0.1.0",
        "flarum/lock": "^0.1.0",
        "flarum/markdown": "^0.1.0",
        "flarum/mentions": "^0.1.0",
        "flarum/pusher": "^0.1.0",
        "flarum/statistics": "^0.1.0",
        "flarum/sticky": "^0.1.0",
        "flarum/subscriptions": "^0.1.0",
        "flarum/suspend": "^0.1.0",
        "flarum/tags": "^0.1.0",
        "fof/ban-ips": "^0.3.0",
        "fof/best-answer": "^0.2.0",
        "fof/drafts": "^0.2.0",
        "fof/follow-tags": "^0.5.0",
        "fof/formatting": "^0.2.0",
        "fof/forum-statistics-widget": "^0.3.0",
        "fof/geoip": "^0.2.0",
        "fof/linguist": "^0.4.4",
        "fof/links": "^0.4.0",
        "fof/merge-discussions": "^0.4.0",
        "fof/nightmode": "^0.6.0",
        "fof/oauth": "^0.1.0",
        "fof/pages": "^0.5.0",
        "fof/profile-image-crop": "^0.2.0",
        "fof/reactions": "^0.4.2",
        "fof/recaptcha": "^0.2.0",
        "fof/share-social": "^0.2.0",
        "fof/spamblock": "^0.3.0",
        "fof/split": "*",
        "fof/stopforumspam": "^0.3.1",
        "fof/terms": "^0.5.0",
        "fof/user-bio": "^0.3.1",
        "matteocontrini/flarum-imgur-upload": "^3.4",
        "nearata/flarum-ext-copy-code-to-clipboard": "^1.1",
        "nearata/flarum-ext-signup-confirm-password": "^2.1",
        "tolgaaaltas/flarum-ext-turkish": "^0.14.0",
        "tolgaaaltas/flarum-lang-turkish": "^0.14.0",
        "v17development/flarum-seo": "^1.4"
    },
    "config": {
        "preferred-install": "dist",
        "sort-packages": true
    },
    "minimum-stability": "beta",
    "prefer-stable": true
}

clarkwinkelmann

DursunCan everything is looking good.

I think you can disregard the composer message.