Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

readme: use --dev #41

Closed glensc closed 6 years ago

glensc commented 6 years ago

Quoting readme:

This package is therefore only suited for installation in the root of your deployable project.

therefore move the dependency to require-dev section.

malukenho commented 6 years ago

Thank you @glensc!

Ocramius commented 6 years ago

This is incorrect, as composer installation may run with --no-dev. Reverted in 382e703bda76c761d8f71b38e403a027eec9d5f0

glensc commented 6 years ago

Care to explain what is incorrect? Installation of this package directly, or this package installed as a dependency?

Have you read this project's readme? The security checks are performed only when resolving composer dependencies, so if you install via the lock file they do not apply. Also, the dependencies in "require-dev" are still resolved regardless of whether the "dev" dependencies get installed. This is to ensure a consistent .lock file, because the lock file should work for both "dev" and "no-dev" installation.

PS: your commit link 382e703 to "revert" is incorrect.

Ocramius commented 6 years ago

@glensc dang, indeed, double-error:

  1. linked wrong discussion
  2. was assuming that composer install --no-dev would exclude require-dev during SAT process (when not having a composer.lock). Sorry, my mistake! Will re-revert :-)

Ocramius commented 6 years ago

Fixed in https://github.com/Roave/SecurityAdvisories/commit/3df94834c80037130b533703df4672785b6ea112

Sorry again for the hasty revert.

To verify that the composer install SAT also works with require-dev when --no-dev is provided as a flag:

mkdir foo
cd foo
echo '{"require":{"zendframework/zendxml":"1.0.0"},"require-dev":{"roave/security-advisories":"dev-master"}}' > composer.json
composer install --no-dev -vvv # should exit with `1`

glensc commented 6 years ago

Having a second look, I made a followup: #43