spawnia / sailor

A typesafe GraphQL client for PHP
MIT License

nette/php-generator should be in require-dev #82

Open randomsymbols opened 1 year ago

randomsymbols commented 1 year ago

Generating PHP code should not be used in prod, only in dev. The same is for symfony/console. Maybe other libs that are in required are used for code gen only, they need to go to dev too.

spawnia commented 1 year ago

Any dependency we put in require-dev would not be installed as subdependencies when installing this package. We would have to suggest installing them separately, for example in the docs about installing this package:

composer require spawnia/sailor
composer require --dev symfony/console nette/php-generator

I am not sure if the advantage gained by not installing the deps in prod is worth the extra hassle and source of frustration. Can you provide an objective measurement of the cost of installing those extraneous dependencies (disk usage?)?

morloderex commented 1 year ago

@spawnia Coming back to this, would it make sense to add the code generation stuff to suggests? And then add it to our require-dev blocks.

So that we make it a peer dependency instead, since it gets the point that when using this package in production you should already have done the code generation.

spawnia commented 1 year ago

@morloderex You just reiterated what I already said. Again, in order to judge if making this change is worth it I need more information.

I am not sure if the advantage gained by not installing the deps in prod is worth the extra hassle and source of frustration. Can you provide an objective measurement of the cost of installing those extraneous dependencies (disk usage?)?

morloderex commented 1 year ago

@spawnia well, personally, since I am using Laravel in my projects I would already have symfony/console installed.

I do however believe it's not a question of disk usage but more preferable to not include it in production, as code is never generated on the fly in this situation.

spawnia commented 1 year ago

As I have already said and repeated twice now:

I am not sure if the advantage gained by not installing the deps in prod is worth the extra hassle and source of frustration.

Simplicity of installation has value. There is a tradeoff involved here. I can judge the disadvantage of having extra installation steps, but can not judge the disadvantage of having unnecessary dependencies in production - that is why I need more information to make a decision.

more preferable to not include it in production

Why?

randomsymbols commented 1 year ago

@spawnia any extra package is adding security risk: the more code, the more probability of security vulnerabilities originating from the package. Compromising prod security is definitely not worth saving an extra step when installing.
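A check for the tradeoff this thread is weighing, added here as an example and not part of the sailor project or any comment above: after `composer install --no-dev`, scan the installed.json that Composer writes to vendor/composer/ and flag any code-generation-only package that still landed in the production tree. The package deny-list, the sample JSON and its version strings are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the sailor project): report code-generation-only
# packages that ended up in a production vendor tree. Intended to run in the
# deployment image after `composer install --no-dev`, e.g. as a CI gate.

# Packages the thread argues belong in require-dev / suggest, not require.
# Assumption: this deny-list is what a reviewer wants kept out of production.
GENERATION_ONLY_PACKAGES="nette/php-generator symfony/console"

# Constructed sample of vendor/composer/installed.json (Composer 2 layout,
# one key per line) for a production install that pulled in a generator.
SAMPLE_INSTALLED_JSON='{"packages": [
  {"name": "spawnia/sailor", "version": "0.0.0-constructed"},
  {"name": "nette/php-generator", "version": "0.0.0-constructed"},
  {"name": "webonyx/graphql-php", "version": "0.0.0-constructed"}
]}'

# Print every deny-listed package present in $1 (an installed.json), one per
# line. Exit 0 when none is present, 1 when at least one is (CI-friendly).
# Assumes Composer's pretty-printed layout with one "name" key per line.
find_generation_packages() {
  installed_json="$1"
  found=0
  names=$(sed -n 's/.*"name" *: *"\([^"]*\)".*/\1/p' "$installed_json")
  for pkg in $GENERATION_ONLY_PACKAGES; do
    for name in $names; do
      if [ "$name" = "$pkg" ]; then
        echo "$pkg"
        found=1
      fi
    done
  done
  return $found
}

# Demo on the constructed sample: `sh check_prod_deps.sh --demo`
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_INSTALLED_JSON" > "$tmp"
  if ! find_generation_packages "$tmp"; then
    echo "generation-only packages present in production install" >&2
  fi
  rm -f "$tmp"
fi
```

Against a real tree, point it at vendor/composer/installed.json; a non-zero exit means a package from the deny-list shipped to production.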