Currently, the package:discover command auto-discovers all packages in the composer installed.json file, which means that even if the environment is set to production, the discover command would auto-load the service providers of the dev dependencies as well.
I think it may be useful to exclude require-dev dependencies if the config app.env is set to production. I know that the best practice would be to just run composer install --no-dev in production but I think it would be nice to provide an extra layer of checks. Dev packages such as ignition are known to have memory leaks (https://github.com/facade/ignition/issues/284) and if we take a safer approach, I think we can avoid these in production. Of course, if someone wants to include a specific dev dependency package in production, he/she could just pull it in app.php without having to auto-discover it.
Currently, the
package:discover
command auto-discovers all packages in the composerinstalled.json
file, which means that even if the environment is set to production, the discover command would auto-load the service providers of the dev dependencies as well.I think it may be useful to exclude
require-dev
dependencies if the configapp.env
is set to production. I know that the best practice would be to just runcomposer install --no-dev
in production but I think it would be nice to provide an extra layer of checks. Dev packages such as ignition are known to have memory leaks (https://github.com/facade/ignition/issues/284) and if we take a safer approach, I think we can avoid these in production. Of course, if someone wants to include a specific dev dependency package in production, he/she could just pull it inapp.php
without having to auto-discover it.