
Ensure composer dist archive contains only useful files #101

Merged
merged 1 commit, Feb 25, 2023

Conversation

cedric-anne
Contributor

With the proposed changes, GitHub configuration, demo, documentation and test files will no longer be included in composer dist archives.

Package weight will decrease from 175kB to 62kB. This is not a big change, but your package is downloaded almost 4k times per day, so in the long term it can save lots of bandwidth.

Anyway, the problem is not only related to bandwidth and disk usage. On a project I work on, we had in the past a severe security flaw (unauthenticated RCE) that was located in a demo file of a library we used. I do not think there is such a flaw in your demo/test files (I did not try to find one), but now you know why I propose such a PR.

@NicolasCARPi
Sponsor Collaborator

Example of such issues in the past: https://nvd.nist.gov/vuln/detail/CVE-2017-9841

It's wrong to expose your vendor dir anyway, but it doesn't hurt to distribute only the necessary files!

@cedric-anne
Contributor Author

> It's wrong to expose your vendor dir anyway

I agree, but I am working on an open-source application that people sometimes put on an unprotected webserver. We do our best to prevent this, but we cannot control how the webserver is configured, and I guess people may use such insecure configurations for every application they use.

@willpower232
Collaborator

willpower232 left a comment

great idea, I didn't know this was a thing

willpower232 merged commit 0159e77 into RobThree:master Feb 25, 2023
@willpower232
Collaborator

@cedric-anne just so you know, this didn't seem to change the files that ended up in my vendor folder, if you'd like to take another look at your discretion, I'd be happy to resolve this.

@NicolasCARPi
Sponsor Collaborator

I believe the issue is the missing .gitattributes file. See: https://gitlab.com/gitlab-org/gitlab/-/issues/352063#note_944741629

cedric-anne deleted the composer-archive branch February 26, 2023 09:59
@cedric-anne
Contributor Author

We could indeed list ignored files in .gitattributes instead of in composer.json:archive.exclude, but what I proposed should work.
If you run composer archive command, you will see that files are correctly excluded.

I opened an issue on the composer/packagist repository, to try to find out whether something should be changed there: composer/packagist#1364
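A check for the situation willpower232 describes above (demo, test and CI files still present under vendor after install), added here as an example that is not part of this PR or of the project: it walks one installed package directory and reports every file that falls into the categories the PR wanted out of the dist archive. The category patterns, the sample tree and the function names are assumptions constructed for the example.

```python
import sys
import tempfile
from fnmatch import fnmatch
from pathlib import Path
from typing import Dict, List, Optional
# Unwanted-file categories; assumed patterns for this example, not the PR's exact exclude list.
UNWANTED_PATTERNS = {
    "github-config": [".github/*", ".gitattributes", ".gitignore"],
    "demo": ["demo/*", "example/*", "examples/*"],
    "docs": ["docs/*", "doc/*"],
    "tests": ["tests/*", "test/*", "phpunit.xml*", ".phpunit*"],
}

def classify(rel_path: str) -> Optional[str]:
    """Return the unwanted category of a package-relative path, or None if it is fine.
    fnmatch's '*' also matches '/', so 'tests/*' covers nested test files."""
    for category, patterns in UNWANTED_PATTERNS.items():
        if any(fnmatch(rel_path, pattern) for pattern in patterns):
            return category
    return None

def audit_package(package_dir: str) -> Dict[str, List[str]]:
    """Walk one installed package (vendor/<vendor>/<name>) and group unwanted files."""
    root = Path(package_dir)
    findings: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            category = classify(rel)
            if category is not None:
                findings.setdefault(category, []).append(rel)
    return findings

def build_sample_package(dest: str) -> str:
    """Create a constructed package tree that mimics a dist archive built without excludes."""
    for rel in ["src/Lib.php", "README.md", "tests/LibTest.php",
                ".github/workflows/ci.yml", "demo/index.php"]:
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<?php // constructed placeholder\n")
    return dest

def audit_sample() -> Dict[str, List[str]]:
    """Build the constructed sample in a temporary directory and audit it."""
    return audit_package(build_sample_package(tempfile.mkdtemp()))

if __name__ == "__main__":
    results = audit_package(sys.argv[1]) if len(sys.argv) > 1 else audit_sample()
    for category, files in results.items():
        print(f"{category}: {', '.join(files)}")
```

Run it against vendor/<vendor>/<name> after composer install. Note that composer.json archive.exclude only affects the output of composer archive; the zips Packagist serves from GitHub are built with git archive semantics, so it is export-ignore entries in .gitattributes that trim what users actually download.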

@cedric-anne
Contributor Author

My bad, see #103.
