As of Composer 2.2.0, there is a new configuration property to whitelist plugins which are allowed to run. According to https://getcomposer.org/doc/06-config.md#allow-plugins this will default to disallow all plugins from July 2022.
This conflicts with an earlier commit (cfba4cb), but after talking to Robbie this new commit is consistent with how we handle other recipes (CWP and core). Both ways are viable, but we've implicitly standardised on this way (set minor release constraints in the main release branch, e.g. constraint to recipe:4.5.x-dev on installer:4.x-dev)
Likely caused by repeated unreviewed merges from 4.4 (and 4.3) onto the 4 branch here (e.g. through fa67bc614b).
Note this isn't changing the branch alias, which should still point to 4.5.x-dev here.
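An offline check for the allow-plugins policy described above, added here as an example and not the installer project's own code: it reads config.allow-plugins from a composer.json and reports which plugins in composer.lock Composer would refuse to load. It assumes the documented rule semantics (a missing key or false denies all, true allows all, a mapping of glob patterns is scanned in order with an unlisted plugin denied) and that plugins are the lock entries whose type is composer-plugin; the composer.json and composer.lock fragments and the vendor/* package names are constructed samples.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample files, not the installer project's own composer.json / composer.lock.
COMPOSER_JSON = json.dumps({"config": {"allow-plugins": {
    "composer/installers": True,       # one plugin allowed explicitly
    "silverstripe/*": True,            # glob rule, as Composer's docs permit
    "vendor/untrusted-plugin": False,  # explicit deny (constructed name)
}}})
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "composer/installers", "type": "composer-plugin"},
        {"name": "silverstripe/vendor-plugin", "type": "composer-plugin"},
        {"name": "silverstripe/framework", "type": "silverstripe-module"},
        {"name": "vendor/untrusted-plugin", "type": "composer-plugin"}],
    "packages-dev": [
        {"name": "vendor/dev-only-plugin", "type": "composer-plugin"}],
})


def plugin_allowed(name, policy):
    """Apply config.allow-plugins to one package: a missing key or false denies
    all (the post-July-2022 default), true allows all, and in a mapping the
    first glob pattern that matches decides; an unlisted plugin is denied."""
    if policy is True:
        return True
    if not policy:
        return False
    for pattern, allowed in policy.items():
        if fnmatchcase(name, pattern):
            return bool(allowed)
    return False


def audit_plugins(composer_json_text, composer_lock_text):
    """Map each lock-file package of type composer-plugin to whether it may run."""
    policy = json.loads(composer_json_text).get("config", {}).get("allow-plugins")
    lock = json.loads(composer_lock_text)
    verdicts = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("type") == "composer-plugin":
                verdicts[pkg["name"]] = plugin_allowed(pkg["name"], policy)
    return verdicts


def blocked_plugins(composer_json_text, composer_lock_text):
    """Plugins Composer would refuse to load until they are listed explicitly."""
    verdicts = audit_plugins(composer_json_text, composer_lock_text)
    return sorted(name for name, ok in verdicts.items() if not ok)
```

Running blocked_plugins over a real project's files before upgrading Composer shows which plugins need an explicit allow-plugins entry (or a deliberate deny) rather than relying on the interactive prompt.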
Add Security Advisories as dev requirement to
- Prevent installation of known breached libraries
- Give devs the option to remove it if they might want to
This is required here in order for the "cow" release tool
to include the module in tagging releases.
At the moment, it's only an indirect asset-admin dependency,
but will become a framework dependency once we switch
CampaignAdmin to use GraphQL as well.
Although the original ticket recommended increasing our
minimum-stability, this change gives us the best of both worlds.
- Where stable packages are available and meet the requirements, they
will be used.
- Where stable packages aren’t available or they don’t meet the
dependency requirements, non-stable packages are still allowed.
As part of this I have also tightened up the silverstripe-themes req
version, as “*” is an anti-pattern. The versioning of the theme has
rightly split off from the versioning of the framework; it looks like
3.1.* is what we should expect.
Arguably, we could set the dependency to ~3.1, but in this case I think
it’s fine to be conservative.
With this change, composer will automatically call dev/build after an update or install
command. The main reason that this is 3.1-only is that previous releases would have
necessitated the use of 'sudo -u www-data', which is too environment-specific.
One thing that this may cause problems with is 'composer create-project' in an environment
without a _ss_environment file. It will call dev/build, and dev/build will throw an
error. That should be fixed in a subsequent commit.
Now that https://github.com/composer/composer/pull/1883 is in Composer, self.version
will work as a requirement for framework & cms. This will simplify the release
process a great deal.
Ultimately, the release of rc1 will be the place to test that, but it seems appropriate
to get this in there for that.
If it succeeds with 3.1-rc1, I'd suggest we backport to 3.0 and 2.4.
Any "composer require <module>" call will first call
a "composer update". This *automatically* includes dev requirements,
without providing a way to turn off this behaviour.
A workaround would be "composer require --no-update <module> && composer update --no-dev <module>",
but that drastically reduces the usefulness of the command
for our target audience (moderately technical devs).
In the end, the small fraction of devs needing the dev dependencies
also know how to install them on their own. And having a local phpunit
build actually gets in the way more than it helps in case you have
it installed through PEAR already (can get really weird when using the
PEAR-provided "phpunit" binary, but the autoloader finds the composer-managed classes).
They used to require manual editing of the composer.json
file in order to do a proper dev checkout. In the end,
the choice between release tag and dev branch should
be handled by composer already via the --stability flag.