lorisleiva
commented
5 years ago Hi there 👋
You're suggesting 2 changes:
- Removing the
COMPOSER_HOME /composeroption that explicitly defines the global folder composer will use to install itself. I'm not sure if that part was intentional but this does not represent a security issue and is used on the official composer Dockerfile. - Removing the
COMPOSER_ALLOW_SUPERUSER 1option which is recommended by the official composer documentation. However, this option is also used on the official composer Dockerfile and widely used by the Docker community when installing composer in a docker container. There should be a reason for that option to be true by default and I'm worried that turning it off will be a breaking change for the current users of Laravel Docker. If you can shine more light on the consequences of this change I might consider it.
Thanks for taking the time to create this issue.
I propose change composer install from root to normal user as recommended by official composer https://getcomposer.org/doc/faqs/how-to-install-untrusted-packages-safely.md
From:
# Install composer ENV COMPOSER_HOME /composer ENV PATH ./vendor/bin:/composer/vendor/bin:$PATH ENV COMPOSER_ALLOW_SUPERUSER 1 RUN curl -s https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin/ --filename=composerTo:
# Install PHP Composer RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composerThe only impact would be PHPCS which is optional and include be included into composer.json