Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License
2.73k stars 106 forks source link

Use branch-alias to allow versions and maintain stability #62

Closed d42ohpaz closed 4 years ago

d42ohpaz commented 4 years ago

In response to #55, I wanted to discuss the possibility of using aliases for dev-master to point to a 1.0.0 branch. The benefit of using a version is that users do not have to lower their minimum stability - which is typically a global setting - while allowing them to receive the most recent commits as if they were using the unbound dev-master version constraint.

It would look something like this:

{
    ...
    "branch-alias": {
        "dev-master": "1.x-dev"
    }
}

Then you simply tag master as v1.0.0 (down at the root of commits). Done. Users would then update the version constraint to use ^1.0 or ~1.0 and run composer update --lock.

Additionally, and this would be good to document in the instructions, is that you can inline the alias, such as "roave/security-advisories": "dev-master as v1.0.x-dev". Though this will generate an IDE warning for users of IntelliJ editors that use the EA Inspections plugin (i.e., possibly an edge case).

I'd be happy to submit a PR for it later this evening (it's 3pm -0400 for me right now).

d42ohpaz commented 4 years ago

Pinging @jdreesen to bring him into the conversation, as well as @Ocramius.

Ocramius commented 4 years ago

Users don't need to touch their minimum stability? (Already the case)

d42ohpaz commented 4 years ago

Ok, so at the root level of the dependency chain, you're right; you don't need to touch minimum-stability. However, as is my use case, when you have dependencies that rely on dev-master that's when things change. But, because this package is meant to be a dev requirement, then it shouldn't matter. Ok, that makes sense and thank you for the clarification. :)