vimeo / psalm

A static analysis tool for finding errors in PHP applications
https://psalm.dev
MIT License

Provide a security policy for this library #9447

Open TravisCarden opened 1 year ago

TravisCarden commented 1 year ago

Hi! I'm currently using Psalm on a library created specifically for inclusion in Drupal core (https://github.com/php-tuf/composer-stager), where we have a policy of evaluating the security policies of packages before adding them as dependencies. I don't see any such policy here (e.g., at https://github.com/vimeo/psalm/security). Do you have one? If so, would you be kind enough to publish it? If not, would you consider creating one? Thank you!

psalm-github-bot[bot] commented 1 year ago

Hey @TravisCarden, can you reproduce the issue on https://psalm.dev ?

weirdan commented 1 year ago

Dev dependencies are not transitive, and composer-stager has Psalm as a dev dependency only. So if Drupal depends on composer-stager, it does not make it depend on Psalm. You can validate this by adding the composer-stager dependency to Drupal locally and running composer update. Regardless of whether you specify --no-dev or not, there will be no vendor/vimeo/psalm folder (or wherever Drupal puts it).
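
The non-transitivity described in this comment can be checked without a network-dependent composer run. The following added example (not part of the thread, Psalm, or Composer) implements Composer's rule over a set of constructed, simplified composer.json manifests: the root's require-dev is installed unless --no-dev is given, but every dependency's require-dev is ignored. Package names and edges are assumed for illustration.

```python
# Constructed, simplified composer.json manifests (not real package metadata).
# Version constraints are irrelevant to the question and are left as "*".
MANIFESTS = {
    "drupal/core": {
        "require": {"php-tuf/composer-stager": "*"},
        "require-dev": {"phpunit/phpunit": "*"},
    },
    "php-tuf/composer-stager": {
        "require": {"symfony/process": "*"},
        "require-dev": {"vimeo/psalm": "*"},   # dev-only, as in the thread
    },
    "symfony/process": {"require": {}, "require-dev": {}},
    "vimeo/psalm": {"require": {}, "require-dev": {}},
    "phpunit/phpunit": {"require": {}, "require-dev": {}},
}


def installed_packages(root, manifests, no_dev=False):
    """Return the set of packages Composer would install for `root`.

    Composer honours `require-dev` only for the root package (and only
    when --no-dev is not passed).  For every transitive dependency just
    `require` is followed, so a dependency's dev tools never reach the
    consuming project's vendor/ directory.
    """
    pending = [root]
    installed = set()
    while pending:
        name = pending.pop()
        if name in installed:
            continue
        installed.add(name)
        manifest = manifests.get(name, {})
        edges = dict(manifest.get("require", {}))
        if name == root and not no_dev:
            edges.update(manifest.get("require-dev", {}))
        pending.extend(edges)
    installed.discard(root)  # the root itself is not "installed"
    return installed


if __name__ == "__main__":
    for flag in (False, True):
        pkgs = installed_packages("drupal/core", MANIFESTS, no_dev=flag)
        print("--no-dev" if flag else "default", sorted(pkgs))
    # vimeo/psalm only appears when composer-stager itself is the root:
    print("stager root", sorted(installed_packages("php-tuf/composer-stager", MANIFESTS)))
```

Running it shows vimeo/psalm absent from Drupal's install set with and without --no-dev, and present only when composer-stager is the root project.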

TravisCarden commented 1 year ago

Thanks, @weirdan. You are, of course, correct. For that reason this is kind of a formality, to be honest. And while some kind of vulnerability that takes advantage of a local development machine is theoretically possible, I acknowledge the possibility seems extremely remote. A SECURITY.md needn't be anything fancy, but in your case I would understand if you didn't care to create one. Like I said: it's kind of a formality that I ask. 🙂

weirdan commented 1 year ago

We will probably do that (don't take this as a promise, it's just my personal opinion), even if only to tick that checkbox on GitHub's Security page. This will take some time to discuss between maintainers, though.

Drupal, on the other hand, may want to clarify what they consider dependencies. Perhaps you can raise a doc issue with them in the meantime.