For developers intending to use this library, please note:
Moneris has not been responding to issues reported on GitHub.
There are many new and old open issues, without any acknowledgement that Moneris has even seen them.
It appears that Moneris uses GitHub as a place to host the library, without using any of the other features that the GitHub community would expect.
I have tried to give feedback to Moneris about this, through the various methods recommended on their main website and developer portal. They redirected me many times to various different email addresses and phone numbers, without reaching anyone appropriate after 7 weeks.
Moneris does not have a working process for reporting security issues.
As a result, I recommend that developers treat this library like they would an abandoned one. Yes, I have used it successfully for many years, and yes, the code does get some updates from Moneris. But if anything does not work, or an update breaks something, or a security issue is found, it is likely that we will need to fix it ourselves.
For example, on Feb 29, 2024, Moneris turned on debug mode, which could easily break things in production and leak your secret API keys by outputting API raw request data to the user. It was reported 2 weeks later by user @rayr007, and in May by me, yet in over 3 months Moneris has not responded or fixed the problem.
It is worth noting that Moneris also has .NET and Java libraries on GitHub, and that they have published the compiled .dll and .jar for these, without the source code. At least with the PHP version we can review code changes and fix them in our own copies.
To Moneris:
If you do see this message, please comment on this and any open issues and pull requests.