julienbourdeau
commented
3 years ago ~For production, I think the composer dev deps shouldn't be installed at all. You can use the --no-dev flag.~ Sorry, just read your PR descriptions.
Closed paras-malhotra closed 3 years ago
julienbourdeau
commented
3 years ago ~For production, I think the composer dev deps shouldn't be installed at all. You can use the --no-dev flag.~ Sorry, just read your PR descriptions.
paras-malhotra
commented
3 years ago Closing this as the PR was not accepted.
Currently, the
package:discovercommand auto-discovers all packages in the composerinstalled.jsonfile, which means that even if the environment is set to production, the discover command would auto-load the service providers of the dev dependencies as well.I think it may be useful to exclude
require-devdependencies if the configapp.envis set to production. I know that the best practice would be to just runcomposer install --no-devin production but I think it would be nice to provide an extra layer of checks. Dev packages such as ignition are known to have memory leaks (https://github.com/facade/ignition/issues/284) and if we take a safer approach, I think we can avoid these in production. Of course, if someone wants to include a specific dev dependency package in production, he/she could just pull it inapp.phpwithout having to auto-discover it.