mailjet / mailjet-apiv3-php

[API v3] Mailjet PHP Wrapper
http://dev.mailjet.com
MIT License

move mockery/mockery to the "require-dev" section #249

Closed. kertechs closed this issue 2 years ago

kertechs commented 2 years ago

Hi,

We are running automated scans (with owasp/dependency-checker) and the report flagged mailjet-api-v3-php because of its dependency on mockery/mockery: https://ossindex.sonatype.org/component/pkg:composer/mockery/mockery

The purpose here is not to discuss whether it's a positive flag or a false positive...

Instead, I'd like to understand if the presence of this package in the require section of the composer.json is on purpose, or if it could be moved to require-dev? If I'm not mistaken, I didn't find any usage outside of the tests.

Thank you in advance for your answer!

oleksandr-mykhailenko commented 2 years ago

@kertechs Hello, thank you for this note. We will check it and, in case it really does not need to be in the require section, it can be moved. I agree with you; such a package is not something required 100% of the time. We will do a review today or tomorrow.

oleksandr-mykhailenko commented 2 years ago

@kertechs So I have a question. Why do you say that Mockery is in the regular require section? Here is a screenshot of the current composer.json (screenshot attached).

And we already have mockery in the dev section.

I assume that during scanning you probably call the command composer install, and in this way all dependencies will be installed. But if it's possible to change it, you can use the command composer install --no-dev; in this case dev packages will not be installed and your scanner will be happy.

kertechs commented 2 years ago

@oleksandr-mykhailenko I'm sorry, I should have double-checked. The """problem""" existed in the past, as is the case in our code base.

I made a search on packagist and it was (is) still the case, as you can see on the attached screenshot (screenshot attached).

I shouldn't have relied on this confirmation and should have double-checked on the repo.

Thank you again

kertechs commented 2 years ago

Hi @oleksandr-mykhailenko

Sorry to come back on this, but I think I might have understood why we (and packagist) find mockery/mockery in our require section. We are requiring "mailjet/mailjet-apiv3-php": "^1.3"

So what we get is your last published 1.x version, which is 1.5.5 (and there is no further tagged version, if I'm not mistaken). If you switch to this tag, you'll find that "mockery/mockery" is in the require section: https://github.com/mailjet/mailjet-apiv3-php/blob/v1.5.5/composer.json

This package is switched into the "require-dev" section in the "dev-master" version

Any chance you could publish a 1.6 tag, for example, which would switch the section of composer.json requiring mockery/mockery?
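The situation described in this comment, as an added example that is not part of the thread or of the mailjet project: a small script that reads a composer.lock and traces why a package ended up in the production "packages" section, so a scanner finding like this one can be attributed to the transitive dependency that pulled it in. The lock content and versions other than v1.5.5 are constructed for the example.

```python
"""Trace why a package sits in the production set of a composer.lock.

Added example; not code from the mailjet/mailjet-apiv3-php project.
"""
import json

# Constructed composer.lock excerpt mirroring the thread: the root project
# requires mailjet/mailjet-apiv3-php ^1.3, the resolver picks the v1.5.5 tag,
# and that tag lists mockery/mockery under "require", so Composer places
# mockery in "packages" (installed even with `composer install --no-dev`).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "mailjet/mailjet-apiv3-php", "version": "v1.5.5",
         "require": {"php": ">=7.1", "mockery/mockery": "^1.0"}},
        {"name": "mockery/mockery", "version": "1.x-constructed",
         "require": {"php": ">=7.1"}},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.x-constructed",
         "require": {"php": ">=7.1"}},
    ],
})
ROOT_REQUIRE = {"mailjet/mailjet-apiv3-php": "^1.3"}  # constructed root composer.json


def installed_with_no_dev(lock_json):
    """Names that `composer install --no-dev` still installs: the "packages" set."""
    return {p["name"] for p in json.loads(lock_json).get("packages", [])}


def explain(lock_json, root_require, name):
    """Dependency chains from the root project to `name` inside the production
    set, e.g. [["root", "mailjet/mailjet-apiv3-php", "mockery/mockery"]].
    Returns [] when `name` is not a production package at all."""
    prod = {p["name"]: p for p in json.loads(lock_json).get("packages", [])}
    if name not in prod:
        return []
    chains = []

    def walk(pkg, path):
        if pkg in root_require:              # reached a direct dependency
            chains.append(["root"] + path)
        for parent, meta in sorted(prod.items()):
            if pkg in meta.get("require", {}) and parent not in path:  # no cycles
                walk(parent, [parent] + path)

    walk(name, [name])
    return chains


if __name__ == "__main__":
    print(explain(SAMPLE_LOCK, ROOT_REQUIRE, "mockery/mockery"))
```

Run against a real composer.lock by replacing SAMPLE_LOCK with the file's contents; an empty result for a flagged package means it only lives in "packages-dev" and `--no-dev` removes it, while a non-empty chain names the upstream package whose own require section must change.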

oleksandr-mykhailenko commented 2 years ago

@kertechs Hello, thanks for the update. I published a new release here - https://github.com/mailjet/mailjet-apiv3-php/releases/tag/v1.5.6 So you can update your version.

kertechs commented 2 years ago

Thank you very much for your help @oleksandr-mykhailenko !