mediact / dependency-guard

Static production dependency analysis.
MIT License

Apparent false alarm in Bolt project #19

Closed doenietzomoeilijk closed 6 years ago

doenietzomoeilijk commented 6 years ago

I have a Bolt-based project, installed through their composer-install method. Running dependency-guard on it gives me one violation:

[ERROR] Package "passwordlib/passwordlib" is installed, but never used.

However, that lib is actually used in Bolt, in Bolt\AccessControl\Login for example.

How to reproduce:

# create-project bolt/composer-install:^3.5 bolt-dependency-test --prefer-dist
Installing bolt/composer-install (3.5.0)
<snip - installation of Bolt>

# cd bolt-dependency-test
# composer require --dev mediact/dependency-guard
<snip - installation of Dependency Guard>

# composer dependency-guard
 [ERROR] Package "passwordlib/passwordlib" is installed, but never used.
 [ERROR] Number of dependency violations: 1

# composer why passwordlib/passwordlib
bolt/bolt              v3.5.5  requires  passwordlib/passwordlib (^1.0@beta)
bolt/composer-install  -       requires  passwordlib/passwordlib (^1.0@beta)

Not sure if this is an issue with Bolt or with Dependency Guard, but I thought I'd bring it up.

janmartenjongerius commented 6 years ago

Hello @doenietzomoeilijk,

First of all, thanks for reporting this issue. We are appreciative of any issues you find in DependencyGuard or help solving problems you might unravel because of using it.

I've had a look at the code inside the package bolt/composer-install and found that their autoloader is set to load in the src/ folder. Inside that folder is the single file CustomisationExtension.php. If we open up that file, it is clear it uses no code being installed because of passwordlib/passwordlib. I looked deeper and went inside the source of the passwordlib/passwordlib package and found it is not exposing an application through the bin configuration option. This means you can safely remove passwordlib/passwordlib as a dependency from your project.

You mention it is being used within Bolt itself. However, Bolt also has an explicit dependency on that package, so it will still install the package, even if you remove the requirement in your project. In this instance, you have used Dependency Guard to successfully spot a piece of wrong configuration inside the package bolt/composer-install. I suggest you open an issue for bolt/composer-install and refer to the current issue so they may have some context for the problem at hand.

If you could verify this satisfies your issue, I will follow up by closing it.

Cheers for bringing this up :]
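The check the reply above walks through, as an added example that models how such a verdict is reached (this is not dependency-guard's own code, which works differently): the root composer.json, the packages from composer.lock and the root's src/ file are constructed fixtures, and the autoload prefixes are assumptions.

```python
import json
import re

# Constructed fixtures modelled on the thread: the root composer.json, the installed
# packages as listed in composer.lock, and the root's only src/ file. The autoload
# prefixes and the file contents are assumptions, not copied from the real packages.
ROOT_COMPOSER_JSON = json.dumps({"name": "bolt/composer-install", "require": {
    "bolt/bolt": "^3.5", "passwordlib/passwordlib": "^1.0@beta"}})
LOCK_PACKAGES = [
    {"name": "bolt/bolt", "require": {"passwordlib/passwordlib": "^1.0@beta"},
     "autoload": {"psr-4": {"Bolt\\": "src/"}}},
    {"name": "passwordlib/passwordlib", "require": {},
     "autoload": {"psr-0": {"PasswordLib": "lib/"}}},
]
ROOT_SOURCES = {"src/CustomisationExtension.php": (
    "<?php\nnamespace Bolt\\Composer;\nuse Bolt\\Extension\\SimpleExtension;\n"
    "class CustomisationExtension extends SimpleExtension {}\n")}

def namespace_prefixes(package):
    """Namespace prefixes a package's autoload section (psr-4/psr-0) makes available."""
    autoload = package.get("autoload", {})
    return [p.rstrip("\\") for p in list(autoload.get("psr-4", {})) + list(autoload.get("psr-0", {}))]

def referenced_symbols(sources):
    """Names the root code imports with `use ...;` or references fully qualified (\\Foo\\Bar)."""
    names = set()
    for code in sources.values():
        names.update(re.findall(r"\buse\s+([A-Za-z0-9_\\]+)", code))
        names.update(re.findall(r"(?<![A-Za-z0-9_\\])\\([A-Z][A-Za-z0-9_\\]*)", code))
    return names

def audit(root_json, lock_packages, sources):
    """Per root requirement: used by root code? ships a bin? which other installed
    packages require it anyway (so removing it from the root keeps it installed)?"""
    root = json.loads(root_json)
    by_name = {p["name"]: p for p in lock_packages}
    symbols = referenced_symbols(sources)
    report = {}
    for dep in root.get("require", {}):
        pkg = by_name.get(dep)
        if pkg is None:
            continue  # not in the lock file, nothing to inspect
        prefixes = namespace_prefixes(pkg)
        used = any(s == p or s.startswith(p + "\\") for s in symbols for p in prefixes)
        also_required_by = sorted(n for n, q in by_name.items()
                                  if n != dep and dep in q.get("require", {}))
        report[dep] = {"used": used, "bin": bool(pkg.get("bin")),
                       "also_required_by": also_required_by,
                       "safe_to_drop": not used and not pkg.get("bin")}
    return report
```

For passwordlib/passwordlib the report shows no use from the root's own code, no bin, and bolt/bolt still requiring it, which is the conclusion reached in the reply.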

doenietzomoeilijk commented 6 years ago

Yep, that about clears it up, I'll take it up with the Bolt team. Thanks! :)