Removes unnecessary polyfill packages to be installed. #40862

Open
hostep wants to merge 2 commits into magento:2.4-develop from hostep:remove-unnecessary-polyfill-packages

hostep commented Jun 7, 2026

Contributor

Description (*)

A default Magento installation comes with a bunch of composer packages that provide polyfills for PHP functionality that's not always guaranteed to be installed in various ecosystems.
However, after some analysis, it turns out Magento does have a bunch of guarantees of certain software to be available, so we don't need all these polyfills; most of these come from dependencies outside of Magento's ecosystem that need to support a wide variety of projects.

  • paragonie/random_compat (brought in via phpseclib/phpseclib) is not needed as the 2 functions (random_int & random_bytes) were added in PHP 7.0 and higher, Magento requires PHP 8.3 at minimum. Phpseclib still supports PHP 5.6, so that's why it gets pulled in (this will change with phpseclib v4 in the future BTW)
  • ralouphie/getallheaders (brought in via guzzlehttp/psr7) is not needed as guzzlehttp needs it because it still supports PHP 7.2 and the getallheaders function was only made available in the FPM SAPI since PHP 7.3 and since Magento requires PHP 8.3 at the minimum, it's guaranteed to be available
  • symfony/polyfill-ctype (brought in through various symfony packages) is not needed as Magento requires ext-ctype to be installed
  • symfony/polyfill-intl-grapheme, symfony/polyfill-intl-idn & symfony/polyfill-intl-normalizer (brought in through various packages) are not needed as Magento requires ext-intl to be installed
  • symfony/polyfill-mbstring (brought in through various packages) is not needed as Magento requires ext-mbstring to be installed
  • symfony/polyfill-php73 => symfony/polyfill-php83, Magento requires PHP 8.3 at the minimum at time of writing, so no need to install polyfills for this minimum version and all versions below it. We still want to install polyfill packages for higher versions that Magento also supports, in case a dependency is installable on PHP 8.3 but uses some PHP 8.4/8.5 function that's provided by this polyfill

Removing unnecessary packages leads to:

  • less code in the codebase of a Magento project, faster installs, less disk space needed
  • at runtime, not needing to check if a certain function exists and then skip loading the code from polyfill package (so potential small perf benefit, see this thread)
  • fewer potential security issues (recent example)
  • ...

Related Pull Requests

  1. N/A

Fixed Issues (if relevant)

  1. N/A

Manual testing scenarios (*)

  1. Run composer update && composer show | grep polyfill and only expect to see polyfill packages for functionality not guaranteed to be available on a server where you install Magento, like phpseclib/mcrypt_compat or symfony/polyfill-deepclone, but no others

Questions or comments

I've added symfony/polyfill-php74 & symfony/polyfill-php83 even though Magento's dependencies don't pull them in, but that doesn't mean this will change in the future, by an update of one of the dependencies, or by some 3rd party module or something along those lines. Makes sense? Should I also include symfony/polyfill-php72 and lower, just to be sure?

I'm not sure how this change will be guaranteed to affect real composer installations of Magento. Will those replace lines be part of the composer.json from the meta package magento/project-community-edition, or rather from magento/product-community-edition, magento/magento2-base or magento/framework, or from something else?

I applied the same replacements in magento/framework at the moment, but this may not be the best decision?
It would be good if somebody from Adobe with knowledge about how composer packages are built and distributed will pick this up and how to implement this in the best way.

This will also require some maintenance in the future, so if we drop support for PHP 8.3 and make PHP 8.4 the minimum required version, we should also append symfony/polyfill-php84 to the list. So this will need to be documented somewhere that Adobe maintainers that perform PHP upgrades are aware of and should check.

Is the approach taken in Magento/Test/Integrity/ComposerTest.php the correct one?

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)

Resolved issues:

  1. resolves [Issue] Removes unnecessary polyfill packages to be installed. #40865: Removes unnecessary polyfill packages to be installed.
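
An added example (not part of this pull request or of Magento's code): a Python check that reads a project's composer.json requirements and composer.lock package list and reports which locked polyfills are redundant under the rules in the description above, leaving polyfills for PHP versions above the minimum alone. The sample data, the function names and the simplified PHP-constraint parsing are assumptions; `"*"` as the replace value is the usual Composer convention, not a value taken from the PR.

```python
import re

# Polyfill -> extension that makes it redundant (pairs named in the PR description).
EXT_POLYFILLS = {
    "symfony/polyfill-ctype": "ext-ctype",
    "symfony/polyfill-intl-grapheme": "ext-intl",
    "symfony/polyfill-intl-idn": "ext-intl",
    "symfony/polyfill-intl-normalizer": "ext-intl",
    "symfony/polyfill-mbstring": "ext-mbstring",
}
# Polyfill -> PHP version from which the description says it is no longer needed.
VERSION_POLYFILLS = {"paragonie/random_compat": (7, 0), "ralouphie/getallheaders": (7, 3)}
PHP_POLYFILL = re.compile(r"^symfony/polyfill-php(\d)(\d)$")


def min_php(constraint):
    """Lowest major.minor named in a simple constraint such as '~8.3.0||~8.4.0'."""
    versions = [(int(a), int(b)) for a, b in re.findall(r"(\d+)\.(\d+)", constraint)]
    if not versions:
        raise ValueError(f"cannot read a PHP version from {constraint!r}")
    return min(versions)


def redundant_polyfills(composer_json, composer_lock):
    """Map each locked polyfill that the platform requirements make redundant to a reason."""
    require = composer_json.get("require", {})
    floor = min_php(require["php"])
    found = {}
    for pkg in composer_lock.get("packages", []):
        name = pkg["name"]
        m = PHP_POLYFILL.match(name)
        ext = EXT_POLYFILLS.get(name)
        if ext and ext in require:
            found[name] = f"{ext} is required"
        elif name in VERSION_POLYFILLS and floor >= VERSION_POLYFILLS[name]:
            found[name] = "not needed from PHP %d.%d" % VERSION_POLYFILLS[name]
        elif m and (int(m[1]), int(m[2])) <= floor:
            found[name] = "PHP floor is %d.%d" % floor
    return found


def replace_section(found):
    """composer.json "replace" entries that stop Composer installing the packages."""
    return {name: "*" for name in sorted(found)}


# Constructed sample data, not Magento's real composer.json or composer.lock.
SAMPLE_JSON = {"require": {"php": "~8.3.0||~8.4.0", "ext-ctype": "*",
                           "ext-intl": "*", "ext-mbstring": "*"}}
SAMPLE_LOCK = {"packages": [{"name": n} for n in (
    "paragonie/random_compat", "symfony/polyfill-mbstring", "symfony/polyfill-php83",
    "symfony/polyfill-php84", "phpseclib/mcrypt_compat")]}
```

Only the `packages` list of the lock file is inspected here; a real audit would also walk `packages-dev`.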

m2-assistant Bot commented Jun 7, 2026

Hi @hostep. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.


For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

ct-prd-pr-scan Bot commented Jun 7, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

hostep commented Jun 7, 2026

Contributor Author

@magento run all tests

ct-prd-pr-scan Bot commented Jun 7, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

hostep commented Jun 7, 2026

Contributor Author

@magento run Static Tests

hostep commented Jun 7, 2026

Contributor Author

@magento run all tests

ct-prd-pr-scan Bot commented Jun 7, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@engcom-Hotel engcom-Hotel added the Priority: P2 A defect with this priority could have functionality issues which are not to expectations. label Jun 9, 2026
@github-project-automation github-project-automation Bot moved this to Pending Review in Pull Requests Dashboard Jun 9, 2026
@engcom-Hotel

Contributor

@magento create issue

ct-prd-pr-scan Bot commented Jun 9, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.
