Open TravisCarden opened 1 year ago
Hey @TravisCarden, can you reproduce the issue on https://psalm.dev ?
Dev dependencies are not transitive, and composer-stager has Psalm as dev dependency only. So if Drupal depends on composer-stager it does not make it depend on Psalm. You can validate this by adding composer-stager dependency to Drupal locally and running `composer update`. Regardless of whether you specify `--no-dev` or not, there will be no `vendor/vimeo/psalm` folder (or wherever Drupal puts it).
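The point above can be checked offline against the lock file rather than by re-running `composer update`. The following is an added example, not code from this thread or from either the Psalm or composer-stager projects: it walks a root `composer.json` and a `composer.lock` following only `require` edges (never `require-dev`, for the root or for any dependency), which is exactly why a dependency's own dev tooling does not reach a consumer. The embedded `composer.json`/`composer.lock` data is constructed for the example; `example/some-runtime-lib` and the version constraints are placeholders, not composer-stager's real dependency list.

```python
"""Offline check: does a package reach the production dependency graph of a
Composer root project? Only `require` edges are followed; `require-dev`
edges are reported but never traversed (Composer's own rule for transitive
dependencies).

All data below is constructed for illustration and does not reproduce the
real composer-stager or Drupal dependency lists.
"""
import json
from typing import Dict, Set

# Constructed root composer.json for a Drupal-like project that pulls in composer-stager.
ROOT_COMPOSER_JSON = json.loads("""
{
  "name": "example/drupal-like-root",
  "require": {
    "php": "^8.1",
    "php-tuf/composer-stager": "^2.0"
  },
  "require-dev": {
    "phpunit/phpunit": "^10.0"
  }
}
""")

# Constructed composer.lock, reduced to the fields this check reads.
# Note that vimeo/psalm has no entry of its own: it appears only as a
# require-dev edge of composer-stager, so Composer never installs it here.
LOCK = json.loads("""
{
  "packages": [
    {"name": "php-tuf/composer-stager",
     "require": {"php": "^8.1", "example/some-runtime-lib": "^1.0"},
     "require-dev": {"vimeo/psalm": "^5.0"}},
    {"name": "example/some-runtime-lib", "require": {"php": "^8.1"}}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "require": {"php": "^8.1"}}
  ]
}
""")


def is_vendor_package(name: str) -> bool:
    """Real packages are 'vendor/name'; platform pseudo-packages such as
    php, ext-json or lib-curl carry no slash and never land in vendor/."""
    return "/" in name


def production_closure(root: Dict, lock: Dict) -> Set[str]:
    """Every package reachable from the root's `require` through `require`
    edges only. `require-dev` of the root and of every dependency is ignored."""
    by_name = {p["name"]: p for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    seen: Set[str] = set()
    stack = [n for n in root.get("require", {}) if is_vendor_package(n)]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        entry = by_name.get(name, {})  # unknown names simply have no outgoing edges
        stack.extend(n for n in entry.get("require", {}) if is_vendor_package(n))
    return seen


def who_requires(package: str, lock: Dict) -> Dict[str, str]:
    """Map each locked package mentioning `package` to the edge kind
    ('require' or 'require-dev'); an offline stand-in for `composer why`."""
    result: Dict[str, str] = {}
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        for kind in ("require", "require-dev"):
            if package in entry.get(kind, {}):
                result[entry["name"]] = kind
    return result


def is_production_dependency(package: str, root: Dict, lock: Dict) -> bool:
    """True only if `package` is installed for a --no-dev consumer."""
    return package in production_closure(root, lock)


if __name__ == "__main__":
    for pkg in ("vimeo/psalm", "example/some-runtime-lib", "phpunit/phpunit"):
        status = "production" if is_production_dependency(pkg, ROOT_COMPOSER_JSON, LOCK) else "not production"
        print(f"{pkg}: {status}; referenced by {who_requires(pkg, LOCK)}")
```

Run against a real checkout by replacing the two embedded documents with `json.load(open("composer.json"))` and `json.load(open("composer.lock"))`; a package that `who_requires` reports only through `require-dev` edges, and that `production_closure` does not contain, is the case weirdan describes.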
Thanks, @weirdan. You are, of course, correct. For that reason this is kind of a formality, to be honest. And while some kind of vulnerability that takes advantage of a local development machine is theoretically possible, I acknowledge the possibility seems extremely remote. A `SECURITY.md` needn't be anything fancy, but in your case I would understand if you didn't care to create one. Like I said: it's kind of a formality that I ask. 🙂
We will probably do that (don't take this as a promise, it's just my personal opinion), even if only to tick that checkbox on Github's Security page. This will take some time to discuss between maintainers, though.
Drupal, on the other hand, may want to clarify what they consider dependencies. Perhaps you can raise a doc issue with them in the meantime.
Hi! I'm currently using Psalm on a library created specifically for inclusion in Drupal core (https://github.com/php-tuf/composer-stager), where we have a policy of evaluating the security policies of packages before adding them as dependencies. I don't see any such policy here (e.g., at https://github.com/vimeo/psalm/security). Do you have one? If so, would you be kind enough to publish it? If not, would you consider creating one? Thank you!