wikimedia / composer-merge-plugin

Merge one or more additional composer.json files at Composer runtime
MIT License

Merge in `config` / `allow-plugins` #229

Open FlorianSW opened 2 years ago

FlorianSW commented 2 years ago

Right now, suppose there is a root composer.json with the following properties set:

```json
{
  "config": {
    "allow-plugins": {
      "some-plugin": true
    }
  },
  "extra": {
    "merge-plugin": {
      "include": [
        "composer.local.json"
      ],
      "recurse": true,
      "replace": false,
      "ignore-duplicates": false,
      "merge-dev": true,
      "merge-extra": false,
      "merge-extra-deep": false,
      "merge-scripts": false
    }
  }
}
```

(simplified)

and the following composer.local.json:

```json
{
  "require": {
    "composer/installers": ">=1.0.1"
  },
  "config": {
    "allow-plugins": {
      "some-plugin": true
    }
  }
}
```

Running composer update with this setup will try to install the composer/installers plugin. However, as it is not mentioned in the main allow-plugins section, the user will be prompted to decide if this plugin is allowed to be installed or not.

The composer-merge plugin should merge in the allow-plugins config from the included files into the main one. However, I'm not quite sure on what level: Should it be only the allow-plugins property, which probably would be fine to do unconditionally. If it would make sense to consider the whole config property, it would most likely make sense to have a merge-config (or similar) config for the merge-plugin, as is already present for the extra and scripts properties.
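An added example, not from the issue or the plugin's code: a Python audit of what an unconditional `allow-plugins` merge from included files would grant beyond the root allow-list. The root-wins policy, the `fnmatch` approximation of Composer's name patterns, and the sample entries `acme/*` and `bad/plugin` are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample input modelled on the issue's two files; "acme/*" and
# "bad/plugin" are hypothetical entries added to exercise the checks.
ROOT = json.loads('{"config": {"allow-plugins": {"some-plugin": true, "bad/plugin": false}}}')
LOCAL = json.loads("""{
  "require": {"composer/installers": ">=1.0.1"},
  "config": {"allow-plugins": {"some-plugin": true, "composer/installers": true,
                               "acme/*": true, "bad/plugin": true}}
}""")


def allow_map(doc):
    """Return config.allow-plugins as a dict; missing or boolean values count as no rules."""
    value = doc.get("config", {}).get("allow-plugins", {})
    return value if isinstance(value, dict) else {}


def root_decision(name, rules):
    """Value of the first root rule whose pattern matches `name`, else None."""
    for pattern, allowed in rules.items():
        if fnmatchcase(name, pattern):  # approximation of Composer's "*" patterns
            return allowed
    return None


def audit_merge(root, includes):
    """Merge allow-plugins from `includes` ({path: parsed JSON}) into the root's map.

    Assumed policy: the root's decision always wins. Returns (merged, findings),
    where findings lists each grant that comes only from an included file.
    """
    base = allow_map(root)
    merged, findings = dict(base), []
    for path, doc in includes.items():
        for pattern, allowed in allow_map(doc).items():
            decision = root_decision(pattern, base)
            if decision is not None:
                if allowed and decision is False:
                    findings.append((path, pattern, "ignored: root denies"))
                continue
            if pattern in merged:  # an earlier include already decided this one
                continue
            merged[pattern] = allowed
            if allowed:
                kind = "wildcard grant" if "*" in pattern else "new grant"
                findings.append((path, pattern, kind))
    return merged, findings


MERGED, FINDINGS = audit_merge(ROOT, {"composer.local.json": LOCAL})
```

Each entry in `FINDINGS` is a plugin-execution grant that the root composer.json never made, which is what a reviewer would need to approve before a merged allow-list is trusted in a non-interactive build.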

reedy commented 2 years ago

For reference, allow-plugins is new in composer 2.2 - https://getcomposer.org/doc/06-config.md#allow-plugins

https://blog.packagist.com/composer-2-2/

Querela commented 2 years ago

I also just now found this issue. Docker mediawiki version mediawiki:1.37.2 adds support for composer 2.2+ according to the release notes (before, only composer 2.1.14 worked with MW 1.37.1). But the new security setting blocks installation of e.g. SemanticMediaWiki, which currently can only be installed with composer, when I try to use a composer.local.json file. And as docker images run non-interactively, I can't agree to add composer/installers to the allow-plugins section. Without manually agreeing, the folder SemanticMediaWiki can't be placed into extensions/. And hacking the original composer.json file does not seem stable over different releases as a third party.

codebymikey commented 2 years ago

> However, I'm not quite sure on what level: Should it be only the allow-plugins property, which probably would be fine to do unconditionally.

I think it makes sense to merge the whole config, just so additional options like sort-packages, preferred-install etc. can be properly merged in as needed.