search

kalessil / production-dependencies-guard

MIT License
87 stars 3 forks source link

Whitelist ability to specify specific guards #17

Open SunMar opened 3 years ago

SunMar commented 3 years ago

Hi,

First I want to say that I love this composer plugin. It really helps keeping track of not accidentally installing a bad license or an abandoned package. The check-description guard is something I like too, but is something that feels a bit conflicting with the whitelist. There are some packages that I'd like to whitelist (for example symfony/error-handler because it's included as a non-dev requirement by Laravel but the guard blocks it as it thinks it's a debug only package). However I'd only like to whitelist that package for the check-description guard, not for the check-abandoned or the check-license guards. If for some reason the package becomes abandoned, or they change the license, installation should be blocked.

So maybe the white-list options can be expanded for example like so:

{
    "name": "...",

    "extra": {
        "production-dependencies-guard": [
            "check-lock-file",
            "check-description",
            "check-license",
            "check-abandoned",

            "white-list:vendor/package-one:license,abandoned",
            "white-list:vendor/package-two",

            "accept-license:MIT"
        ]
    }
}

A change like this could be backwards compatible, where vendor/package-two still uses all guards, but vendor/package-one will only trigger when checking the license or when it's abandoned.

kalessil commented 3 years ago

If I understand correctly, you are trying to configure guards for some packages individually.

The idea looks good to me, but I'm not sure about the configuration format. What do you think about this approach?

{
    "name": "...",

    "extra": {
        "production-dependencies-guard": [
            "check-lock-file",
            "check-description",
            "check-license",
            "check-abandoned",

            "white-list:vendor/package-one",
            "white-list:vendor/package-two",

           "package-guards:vendor/package-one=license,abandoned",

            "accept-license:MIT"
        ]
    }
}

here "package-guards:vendor/package-one=license,abandoned", would allow to set guards (from the active guards) individually for each package.

SunMar commented 3 years ago

That would be perfect! 😃 I have no preference in if it's part of an existing directive or a new one.

Thinking about it now, maybe an interesting question is whether someone would prefer to specify the guards they do want or specify the guards you don't want. In my use case the most common pattern would be to want to exclude check-description, but either way is perfectly fine.