hiqdev / asset-packagist

Asset Packagist
https://asset-packagist.org
BSD 3-Clause "New" or "Revised" License

Move "yiisoft/yii2-debug" to development dependencies #46

Closed edgardmessias closed 7 years ago

edgardmessias commented 7 years ago

Move "yiisoft/yii2-debug" to development dependencies

From:

    "require": {
        ...
        "yiisoft/yii2-debug": "^2.0",
        ...
    },
    "require-dev": {
        "hiqdev/hidev-php": "<2.0",
        "hiqdev/hidev-hiqdev": "<2.0"
    },

To:

    "require": {
        ...
    },
    "require-dev": {
        "hiqdev/hidev-php": "<2.0",
        "hiqdev/hidev-hiqdev": "<2.0",
        "yiisoft/yii2-debug": "^2.0"
    },

hiqsol commented 7 years ago

Actually this is on purpose. But I'll think about it.

edgardmessias commented 7 years ago

This is not necessary in production.

hiqsol commented 7 years ago

require-dev is not about dev environment.

And actually I prefer to have yii2-debug in production.

alexantr commented 7 years ago

yii2-debug is not for production. And official Yii project templates use this extension in the require-dev section.

cebe commented 7 years ago

> And actually I prefer to have yii2-debug in production.

yii2-debug is not made for use in production and may introduce security issues if enabled.

hiqsol commented 7 years ago

Is properly set allowedIps enough to be safe? If it is not, could you please provide more info?

samdark commented 7 years ago

Yes. Setting up allowed IPs should be secure enough. It is in the require-dev section for two reasons:

  1. Performance. When debug is enabled, info is collected and it takes extra time to do it.
  2. Security. If misconfigured, the presence of the debug panel exposes everything. You can check Google to see how many projects in production are, in fact, misconfigured.
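
An added example, not code from this thread or from the yii2-debug project: a small PHP check that flags the misconfiguration discussed above, an `allowedIPs` list on the debug module that lets any address reach the panel. The function name `auditDebugModule`, the "broad wildcard" heuristic and the sample config arrays are constructed for illustration; it assumes the module is registered under the id `debug`, as in the official templates.

```php
<?php
/**
 * Returns a list of findings for the yii2-debug module in a Yii2 config array.
 * Hypothetical helper; assumes the module id is 'debug'.
 */
function auditDebugModule(array $config): array
{
    $findings = [];
    $module = $config['modules']['debug'] ?? null;
    if ($module === null) {
        return $findings; // debug module is not configured at all
    }
    if (is_string($module)) {
        $module = ['class' => $module]; // short form: class name only
    }
    // yii\debug\Module defaults allowedIPs to localhost when the key is absent.
    $allowed = $module['allowedIPs'] ?? ['127.0.0.1', '::1'];
    foreach ($allowed as $filter) {
        $pos = strpos($filter, '*');
        if ($filter === '*') {
            $findings[] = "allowedIPs contains '*': debug panel reachable from any address";
        } elseif ($pos !== false && substr_count(substr($filter, 0, $pos), '.') < 2) {
            // Heuristic (an assumption of this example): a wildcard before the
            // second dot covers at least a whole IPv4 /8.
            $findings[] = "allowedIPs entry '$filter' is a very broad wildcard";
        }
    }
    return $findings;
}

// Constructed sample configs: the weak setting beside a restricted one.
$misconfigured = ['modules' => ['debug' => [
    'class' => 'yii\debug\Module',
    'allowedIPs' => ['*'],
]]];
$restricted = ['modules' => ['debug' => [
    'class' => 'yii\debug\Module',
    'allowedIPs' => ['127.0.0.1', '::1', '10.0.5.*'],
]]];

foreach (['misconfigured' => $misconfigured, 'restricted' => $restricted] as $name => $cfg) {
    $findings = auditDebugModule($cfg);
    echo $name . ': ' . ($findings ? implode('; ', $findings) : 'ok') . PHP_EOL;
}
```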