Closed trickeydan closed 6 years ago
malle-pietje
commented
6 years ago Thanks, I know and am fully aware of this being bad practice. I'll reconsider adding this to the ignore file, again. The thing is I do not want composer to be a pre-requisite since many users of the API browser have no idea what composer is or how to install it.
malle-pietje
commented
6 years ago On another note, I don't agree that leaving them out will prevent "people run outdated or insecure libraries". Once they have installed composer without having a clue what it is and how powerful it is, they can still easily shoot themselves in the foot.
trickeydan
commented
6 years ago By including a copy of the libraries, it is inherently a security risk as there may be a flaw in those libraries. As the user isn't using composer, the libraries will not be updated.
malle-pietje
commented
6 years ago If this is regarding moving responsibilities to the end-user, I can understand your PR. I have however decided to approach this in a different manner.
These files do not need to be included as composer will install them. It is bad practice to include them as it duplicates code and could potentially let people run outdated or insecure libraries!