Since it's almost Christmas, it's also time to release a new project!
Before telling you more, go grab it:
    mkdir roave-security-advisories-test
    cd roave-security-advisories-test
    curl -sS https://getcomposer.org/installer | php --
    ./composer.phar require roave/security-advisories:dev-master
Hold on: I will tell you what to do with it in a few.
What is it?
roave/security-advisories is a composer package that prevents installation of packages with known security issues.
Yet another one?
While I like the idea of integrating security checks with my CI, I don't like the fact that it is possible to install and run harmful software before those checks. I also don't want to install and run an additional CLI tool for something that composer can provide directly.
That's why I had the idea of just compiling a list of conflict versions for the packages with known security issues into a composer metapackage.
This has various advantages:
- No files or actual dependencies are added to the project, since a "metapackage" does not provide a vendor directory by itself
- Packages with security issues are filtered out during dependency resolution: they will not even be downloaded
- No more CLI tool to run separately, no more CI setup steps
- No need to upgrade the tool separately
- No coupling or version constraints with any dependencies used by similar CLI-based alternatives
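As an added illustration (not the project's own build script), this Python sketch compiles a small constructed advisory list into the composer.json data of such a metapackage, and then mimics the solver's verdict on one exact version, which is what makes a vulnerable release unselectable rather than merely flagged. The package names reuse the ones from the commands further down; the version ranges and the package name `example/security-advisories` are made up for the example.

```python
# Constructed sample advisories (illustrative, not from any real advisory DB):
# each names a package and a vulnerable half-open range [min, max); min=None
# means "every version below max".
SAMPLE_ADVISORIES = [
    {"package": "symfony/symfony", "min": "2.5.0", "max": "2.5.3"},
    {"package": "symfony/symfony", "min": "2.4.0", "max": "2.4.8"},
    {"package": "zendframework/zendframework", "min": "2.3.0", "max": "2.3.2"},
    {"package": "zendframework/zendframework", "min": None, "max": "2.2.9"},
]

def version_key(v):
    """Compare key for plain dotted numeric versions (no stability suffixes)."""
    return tuple(int(x) for x in v.split("."))

def constraint_for(ranges):
    """One composer conflict constraint from (min, max) pairs: each range becomes
    '>=min,<max' (comma = AND) and the ranges are joined with '||' (OR)."""
    ranges = sorted(ranges, key=lambda r: version_key(r[0] or "0"))
    return "||".join(f">={lo},<{hi}" if lo else f"<{hi}" for lo, hi in ranges)

def build_metapackage(advisories, name="example/security-advisories"):
    """Compile advisories into composer.json data for a metapackage: it ships no
    code and no vendor directory, only 'conflict' entries that the solver must
    steer around, so a vulnerable version is never selected, let alone downloaded."""
    ranges = {}
    for adv in advisories:
        ranges.setdefault(adv["package"], []).append((adv["min"], adv["max"]))
    return {
        "name": name,
        "type": "metapackage",
        "conflict": {pkg: constraint_for(rs) for pkg, rs in sorted(ranges.items())},
    }

def is_blocked(metapackage, package, version):
    """Mimic the solver's verdict on one exact version: it is rejected when it
    satisfies every term of any '||' branch of the package's conflict constraint."""
    constraint = metapackage["conflict"].get(package)
    if constraint is None:
        return False
    v = version_key(version)
    for branch in constraint.split("||"):
        hits = []
        for term in branch.split(","):
            if term.startswith(">="):
                hits.append(v >= version_key(term[2:]))
            else:  # constraint_for only ever emits '>=' and '<' terms
                hits.append(v < version_key(term[1:]))
        if all(hits):
            return True
    return False
```

`build_metapackage(SAMPLE_ADVISORIES)` is the dict you would dump with `json.dumps` into the metapackage's composer.json; `is_blocked` only approximates the real solver, which also handles stability suffixes and wildcard constraints.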
Try it out!
Now that you installed roave/security-advisories, you can try out how it works:
    cd roave-security-advisories-test
    ./composer.phar require symfony/symfony:2.5.2               # this will fail
    ./composer.phar require zendframework/zendframework:2.3.1   # this will fail
    ./composer.phar require symfony/symfony:~2.6                # works!
    ./composer.phar require zendframework/zendframework:~2.3    # works!
Please just note that this only works when adding new dependencies or when running composer update, since only those trigger dependency resolution: security issues in the versions already pinned in your composer.lock cannot be checked with this technique.
Why is there no tagged version?
Because of how composer dependency resolution works, it is not possible to have more than one version of roave/security-advisories other than dev-master. More about this is on the