Lullabot / drainpipe

GNU General Public License v3.0

Dependencies Not Installed #117

Closed larsdesigns closed 1 year ago

larsdesigns commented 2 years ago

I have noticed that with Drainpipe version 2, I install dependencies such as phpcs, squizlabs/php_codesniffer, and drutiny/local-php-security-checker manually using composer.

Should the dependencies be installed/required when drainpipe and drainpipe-dev are installed?

justafish commented 2 years ago

@larsdesigns those dependencies are installed with drainpipe-dev, can you provide a reproducible set of steps to replicate your issue please? https://github.com/Lullabot/drainpipe-dev/blob/main/composer.json

larsdesigns commented 2 years ago

When I execute the command ddev composer require drainpipe-dev, the dependencies are not installed.

justafish commented 2 years ago

@larsdesigns could you provide a reproducible set of steps starting from an empty directory please? For example, following the instructions in the README I get this:

~/repos 
❯ composer create-project drupal/recommended-project test-drainpipe
Creating a "drupal/recommended-project" project at "./test-drainpipe"
Info from https://repo.packagist.org: #StandWithUkraine
Installing drupal/recommended-project (9.4.5)
  - Installing drupal/recommended-project (9.4.5): Extracting archive
Created project in /home/justafish/repos/test-drainpipe
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Package operations: 62 installs, 0 updates, 0 removals
  - Installing composer/installers (v1.12.0): Extracting archive
  - Installing drupal/core-composer-scaffold (9.4.5): Extracting archive
  - Installing drupal/core-project-message (9.4.5): Extracting archive
  - Installing typo3/phar-stream-wrapper (v3.1.7): Extracting archive
  - Installing symfony/polyfill-php72 (v1.26.0): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.25.0): Extracting archive
  - Installing symfony/polyfill-ctype (v1.25.0): Extracting archive
  - Installing twig/twig (v2.15.1): Extracting archive
  - Installing symfony/yaml (v4.4.44): Extracting archive
  - Installing symfony/polyfill-php80 (v1.25.0): Extracting archive
  - Installing symfony/var-dumper (v5.4.11): Extracting archive
  - Installing symfony/translation-contracts (v2.5.2): Extracting archive
  - Installing symfony/validator (v4.4.44): Extracting archive
  - Installing symfony/translation (v4.4.44): Extracting archive
  - Installing symfony/deprecation-contracts (v2.5.2): Extracting archive
  - Installing psr/container (1.1.1): Extracting archive
  - Installing symfony/service-contracts (v2.5.2): Extracting archive
  - Installing symfony/serializer (v4.4.44): Extracting archive
  - Installing symfony/routing (v4.4.44): Extracting archive
  - Installing symfony/polyfill-intl-normalizer (v1.25.0): Extracting archive
  - Installing symfony/polyfill-intl-idn (v1.25.0): Extracting archive
  - Installing symfony/mime (v5.4.11): Extracting archive
  - Installing symfony/http-foundation (v4.4.44): Extracting archive
  - Installing psr/http-message (1.0.1): Extracting archive
  - Installing symfony/psr-http-message-bridge (v2.1.2): Extracting archive
  - Installing symfony/process (v4.4.44): Extracting archive
  - Installing symfony/polyfill-iconv (v1.25.0): Extracting archive
  - Installing symfony/polyfill-php73 (v1.26.0): Extracting archive
  - Installing symfony/http-client-contracts (v2.5.2): Extracting archive
  - Installing symfony/event-dispatcher-contracts (v1.1.13): Extracting archive
  - Installing symfony/event-dispatcher (v4.4.44): Extracting archive
  - Installing psr/log (1.1.4): Extracting archive
  - Installing symfony/debug (v4.4.44): Extracting archive
  - Installing symfony/error-handler (v4.4.44): Extracting archive
  - Installing symfony/http-kernel (v4.4.44): Extracting archive
  - Installing symfony/dependency-injection (v4.4.44): Extracting archive
  - Installing symfony/console (v4.4.44): Extracting archive
  - Installing symfony-cmf/routing (2.3.4): Extracting archive
  - Installing stack/builder (v1.0.6): Extracting archive
  - Installing ralouphie/getallheaders (3.0.3): Extracting archive
  - Installing psr/http-factory (1.0.1): Extracting archive
  - Installing psr/cache (1.0.1): Extracting archive
  - Installing pear/pear_exception (v1.0.2): Extracting archive
  - Installing pear/console_getopt (v1.4.3): Extracting archive
  - Installing pear/pear-core-minimal (v1.10.11): Extracting archive
  - Installing pear/archive_tar (1.4.14): Extracting archive
  - Installing masterminds/html5 (2.7.5): Extracting archive
  - Installing laminas/laminas-stdlib (3.7.1): Extracting archive
  - Installing laminas/laminas-escaper (2.9.0): Extracting archive
  - Installing laminas/laminas-feed (2.17.0): Extracting archive
  - Installing laminas/laminas-diactoros (2.11.3): Extracting archive
  - Installing guzzlehttp/psr7 (1.9.0): Extracting archive
  - Installing guzzlehttp/promises (1.5.1): Extracting archive
  - Installing guzzlehttp/guzzle (6.5.8): Extracting archive
  - Installing doctrine/lexer (1.2.3): Extracting archive
  - Installing egulias/email-validator (3.2.1): Extracting archive
  - Installing doctrine/annotations (1.13.3): Extracting archive
  - Installing doctrine/reflection (1.2.3): Extracting archive
  - Installing composer/semver (3.3.2): Extracting archive
  - Installing asm89/stack-cors (1.3.0): Extracting archive
  - Installing drupal/core (9.4.5): Extracting archive
  - Installing drupal/core-recommended (9.4.5)
Package doctrine/reflection is abandoned, you should avoid using it. Use roave/better-reflection instead.
Package symfony/debug is abandoned, you should avoid using it. Use symfony/error-handler instead.
Generating autoload files
42 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Scaffolding files for drupal/core:
  - Copy [project-root]/.editorconfig from assets/scaffold/files/editorconfig
  - Copy [project-root]/.gitattributes from assets/scaffold/files/gitattributes
  - Copy [web-root]/.csslintrc from assets/scaffold/files/csslintrc
  - Copy [web-root]/.eslintignore from assets/scaffold/files/eslintignore
  - Copy [web-root]/.eslintrc.json from assets/scaffold/files/eslintrc.json
  - Copy [web-root]/.ht.router.php from assets/scaffold/files/ht.router.php
  - Copy [web-root]/.htaccess from assets/scaffold/files/htaccess
  - Copy [web-root]/example.gitignore from assets/scaffold/files/example.gitignore
  - Copy [web-root]/index.php from assets/scaffold/files/index.php
  - Copy [web-root]/INSTALL.txt from assets/scaffold/files/drupal.INSTALL.txt
  - Copy [web-root]/README.md from assets/scaffold/files/drupal.README.md
  - Copy [web-root]/robots.txt from assets/scaffold/files/robots.txt
  - Copy [web-root]/update.php from assets/scaffold/files/update.php
  - Copy [web-root]/web.config from assets/scaffold/files/web.config
  - Copy [web-root]/sites/README.txt from assets/scaffold/files/sites.README.txt
  - Copy [web-root]/sites/development.services.yml from assets/scaffold/files/development.services.yml
  - Copy [web-root]/sites/example.settings.local.php from assets/scaffold/files/example.settings.local.php
  - Copy [web-root]/sites/example.sites.php from assets/scaffold/files/example.sites.php
  - Copy [web-root]/sites/default/default.services.yml from assets/scaffold/files/default.services.yml
  - Copy [web-root]/sites/default/default.settings.php from assets/scaffold/files/default.settings.php
  - Copy [web-root]/modules/README.txt from assets/scaffold/files/modules.README.txt
  - Copy [web-root]/profiles/README.txt from assets/scaffold/files/profiles.README.txt
  - Copy [web-root]/themes/README.txt from assets/scaffold/files/themes.README.txt
  * Homepage: https://www.drupal.org/project/drupal
  * Support:
    * docs: https://www.drupal.org/docs/user_guide/en/index.html
    * chat: https://www.drupal.org/node/314178

  Congratulations, you’ve installed the Drupal codebase  
  from the drupal/recommended-project template!          

Next steps:
  * Install the site: https://www.drupal.org/docs/8/install
  * Read the user guide: https://www.drupal.org/docs/user_guide/en/index.html
  * Get support: https://www.drupal.org/support
  * Get involved with the Drupal community:
      https://www.drupal.org/getting-involved
  * Remove the plugin that prints this message:
      composer remove drupal/core-project-message
  * Homepage: https://www.drupal.org/project/drupal
  * Support:
    * docs: https://www.drupal.org/docs/user_guide/en/index.html
    * chat: https://www.drupal.org/node/314178

~/repos took 2s 
❯ cd drainpipe-test

~/repos/drainpipe-test is 📦 v1.0.0 via  v17.4.0 via 🐘 v7.4.3 
❯ composer config extra.drupal-scaffold.gitignore true
  composer config --json --merge extra.drupal-scaffold.allowed-packages '["lullabot/drainpipe-dev"]'

composer/package-versions-deprecated contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "composer/package-versions-deprecated" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y

~/repos/drainpipe-test is 📦 v1.0.0 via  v17.4.0 via 🐘 v7.4.3 took 2s 
❯ composer require lullabot/drainpipe-dev --dev
Using version ^2.1 for lullabot/drainpipe-dev
./composer.json has been updated
Running composer update lullabot/drainpipe-dev
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 1 update, 0 removals
  - Upgrading lullabot/drainpipe-dev (dev-justafish/use-composer-scaffold 48034a1 => v2.1.0)
  - Locking phpspec/prophecy-phpunit (v2.0.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 1 update, 0 removals
  - Downloading phpspec/prophecy-phpunit (v2.0.1)
  - Downloading lullabot/drainpipe-dev (v2.1.0)
 0/2 [>---------------------------]   0%
  - Installing phpspec/prophecy-phpunit (v2.0.1): Extracting archive
  - Upgrading lullabot/drainpipe-dev (dev-justafish/use-composer-scaffold 48034a1 => v2.1.0): Extracting archive
Package doctrine/reflection is abandoned, you should avoid using it. Use roave/better-reflection instead.
Package webmozart/path-util is abandoned, you should avoid using it. Use symfony/filesystem instead.
Generating autoload files
composer/package-versions-deprecated: Generating version class...
composer/package-versions-deprecated: ...done generating version class
78 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
.gitignore does not contain drainpipe ignores. Compare .gitignore in the root of your repository with /home/justafish/repos/drainpipe-test/vendor/lullabot/drainpipe/scaffold/gitignore and update as needed.
task v3.9.0 (cad72446d2b939ec611fea14c48f7ce28713c68cc902701fb4f1c2b12fe1fd1c) already exists in bin-dir, not overwriting.
Scaffolding files for lullabot/drainpipe-dev:
  - Copy [web-root]/sites/chrome/settings.php from scaffold/nightwatch/chrome.settings.php
  - Copy [web-root]/sites/firefox/settings.php from scaffold/nightwatch/firefox.settings.php
  - Copy [web-root]/sites/sites.php from scaffold/nightwatch/sites.php
  - Copy [project-root]/.ddev/docker-compose.selenium.yaml from scaffold/nightwatch/docker-compose.selenium.yaml
  - Copy [project-root]/phpcs.xml from scaffold/phpcs.xml
local-php-security-checker v1.0.0 (e5b12488ca78bc07c149e9352278bf10667b88a8461caac10154f9a6f5476369) already exists in bin-dir, not overwriting.

~/repos/drainpipe-test is 📦 v1.0.0 via  v17.4.0 via 🐘 v7.4.3 took 43s 
❯ ./vendor/bin/local-php-security-checker 
Symfony Security Check Report
=============================

4 packages have known vulnerabilities.

drupal/core (9.3.7)
-------------------

 * [CVE-2022-25275][]: Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
 * [CVE-2022-25277][]: Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

guzzlehttp/guzzle (6.5.5)
-------------------------

 * [CVE-2022-29248][]: Cross-domain cookie leakage
 * [CVE-2022-31042][]: Failure to strip the Cookie header on change in host or HTTP downgrade
 * [CVE-2022-31043][]: Fix failure to strip Authorization header on HTTP downgrade
 * [CVE-2022-31090][]: CURLOPT_HTTPAUTH option not cleared on change of origin
 * [CVE-2022-31091][]: Change in port should be considered a change in origin

guzzlehttp/psr7 (1.8.3)
-----------------------

 * [CVE-2022-24775][]: Inproper parsing of HTTP headers

laminas/laminas-diactoros (2.8.0)
---------------------------------

 * [CVE-2022-31109][]: Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack.

[CVE-2022-25275]: https://www.drupal.org/sa-core-2022-012
[CVE-2022-25277]: https://www.drupal.org/sa-core-2022-014
[CVE-2022-29248]: https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
[CVE-2022-31042]: https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
[CVE-2022-31043]: https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
[CVE-2022-31090]: https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
[CVE-2022-31091]: https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
[CVE-2022-24775]: https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
[CVE-2022-31109]: https://github.com/advisories/GHSA-8274-h5jp-97vr

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.
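
Added example, not part of the thread or of Drainpipe's code: one way to settle the question raised here is to read `composer.lock` and trace which locked package pulls in each tool, so a CI job can confirm the code sniffer and the security checker really arrive through `lullabot/drainpipe-dev`. The lock fragment, its versions and require graph, the function names and `example/not-locked` are constructed for illustration.

```python
import json
from collections import deque

# Constructed composer.lock fragment: versions and the require graph are
# illustrative assumptions, not copied from a real drainpipe-dev release.
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "drupal/core", "version": "9.4.5", "require": {"php": ">=7.3"}}
  ],
  "packages-dev": [
    {"name": "lullabot/drainpipe-dev", "version": "v2.1.0",
     "require": {"php": ">=7.4", "drupal/coder": "^8.3",
                 "drutiny/local-php-security-checker": "^1.0"}},
    {"name": "drupal/coder", "version": "8.3.15",
     "require": {"ext-mbstring": "*", "squizlabs/php_codesniffer": "^3.6"}},
    {"name": "squizlabs/php_codesniffer", "version": "3.7.1", "require": {}},
    {"name": "drutiny/local-php-security-checker", "version": "1.0.0"}
  ]
}
""")


def index_lock(lock):
    """Map every locked package name to its require dict (both sections)."""
    idx = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            idx[pkg["name"]] = pkg.get("require", {})
    return idx


def provided_by(lock, root, wanted):
    """Return {package: require chain from root, or None if not reachable}."""
    idx = index_lock(lock)
    result = {name: None for name in wanted}
    if root not in idx:
        return result
    parent = {root: None}
    queue = deque([root])
    while queue:  # breadth-first walk gives the shortest require chain
        current = queue.popleft()
        for dep in idx[current]:
            # Platform requirements (php, ext-*) are never locked; skip them.
            if dep in idx and dep not in parent:
                parent[dep] = current
                queue.append(dep)
    for name in wanted:
        node, chain = (name if name in parent else None), []
        while node is not None:
            chain.append(node)
            node = parent[node]
        result[name] = chain[::-1] or None
    return result
```

Run it against a project's real lock file with `provided_by(json.load(open("composer.lock")), "lullabot/drainpipe-dev", [...])`; a `None` entry means the tool is not locked as a dependency of that package and would have to be required separately.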