Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency patch resolution #547

Merged
merged 7 commits into from
Feb 14, 2024
Merged

Dependency patch resolution #547

merged 7 commits into from
Feb 14, 2024

Conversation

cweagans
Copy link
Owner

@cweagans cweagans commented Feb 13, 2024
edited
Loading

Description

Related tasks

  • Documentation has been updated if applicable
  • Tests have been added
  • Does not break backwards compatibility OR a BC break has been discussed in the related issue(s).

Other notes

@cweagans cweagans mentioned this pull request Feb 13, 2024
Closed
4 tasks
@coveralls
Copy link

coveralls commented Feb 13, 2024
edited
Loading

Pull Request Test Coverage Report for Build 7896163425

Details

  • -5 of 37 (86.49%) changed or added relevant lines in 8 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.8%) to 89.508%
Changes Missing Coverage Covered Lines Changed/Added Lines %
src/Downloader.php 2 3 66.67%
src/Resolver/Dependencies.php 13 17 76.47%
Totals Coverage Status
Change from base Build 7866467296: 0.8%
Covered Lines: 546
Relevant Lines: 610
💛 - Coveralls

@cweagans cweagans merged commit ac38366 into main Feb 14, 2024
5 checks passed
@cweagans cweagans deleted the dependency-patches branch February 14, 2024 03:42
@RobinHoutevelts RobinHoutevelts mentioned this pull request Feb 16, 2024
Open
@davidwindell
Copy link

Thank you so much for this, it's working great!

@mbrodala
Copy link
Contributor

How is this different from the support removed with #267 in beta1? Especially that dependency patches are applied by default doesn't seem to have changed. Which would still be a security issue.

So unless I'm missing something: please make applying patches from dependencies an explicit opt in. Always, no matter if there is an own patches section. If not enabled a notice for each "missed" patch could raise attention.

@garvinhicking
Copy link

+1 (I agree with @mbrodala and just learned today of this hidden feature, wasn't aware of it. I really feel this is dangerous as an opt-out and needs to be opt-in, but haven't further investigated this)

@mbrodala
Copy link
Contributor

In the meantime I was pointed at the disable-resolvers option added here: #212 (docs)

For the reasons mentioned above this option should default to ["\\cweagans\\Composer\\Resolver\\Dependencies"] instead of [], thus disable dependency patching by default. But honestly, this is no good pattern either:

  1. Enabling dependency patching requires you to explicitly use "disable-resolvers": [] which is completely ambiguous.
  2. If you want to disable e.g. the patches.json you are likely to use "disable-resolvers": ["\\cweagans\\Composer\\Resolver\\PatchesFile"]; you now unintentionally allowed dependency patches

So IMO instead of having a list of resolvers to disable, this should be a list of plain toplevel options instead:

    "extra": {
        "composer-patches": {
            "enable_root_patches": true,
            "enable_root_patches_file": true,
            "enable_dependency_patches": false,
        }
    }

(Yes, these would be the sane defaults.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@cweagans @coveralls @davidwindell @mbrodala @garvinhicking