Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignore development-only packages in security check #229

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Ignore development-only packages in security check #229

wants to merge 2 commits into from

Conversation

fredden
Copy link
Member

@fredden fredden commented Nov 27, 2024

Proposed Changes

Only perform security check on actual dependencies / ignore development-only dependencies for this check.

Related Issues

#228 (comment)

@fredden fredden mentioned this pull request Nov 27, 2024
Open
jrfnl
jrfnl previously approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@jrfnl jrfnl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me. Thanks @fredden!

@jrfnl jrfnl added this to the 1.x Next Release milestone Nov 27, 2024
@jrfnl
Copy link
Member

jrfnl commented Nov 27, 2024

🤔 Hmm... based on the build on your fork, this doesn't solve it for PHP 5.4...? Composer still creates the lock file, even if the packages aren't being installed and the lock file is what's used by the Security check...

@fredden
Copy link
Member Author

fredden commented Nov 27, 2024

🤔 Hmm... based on the build on your fork, this doesn't solve it for PHP 5.4...? Composer still creates the lock file, even if the packages aren't being installed and the lock file is what's used by the Security check...

I've updated the check command to use the actually-installed packages instead.

@fredden fredden requested a review from jrfnl November 27, 2024 13:33
jrfnl
jrfnl approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@jrfnl jrfnl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. Looks like checking the installed.json file is an undocumented option.

Also noticed that the Local security checker package is now deprecated in favour of the composer audit command.

We should probably update this workflow to use that once support for PHP < 7.2 has been dropped (issue #221).

@fredden
Copy link
Member Author

fredden commented Nov 28, 2024

It turns out that this checker tool also has a --no-dev flag which could have been used here. If you would prefer that method, let me know and I will update this pull request accordingly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrfnl jrfnl jrfnl approved these changes

Assignees
No one assigned
Labels
builds / deploys / releases
Projects
None yet
Milestone
1.x Next Release
Development

Successfully merging this pull request may close these issues.
2 participants
@fredden @jrfnl