Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce an environment variable for setting abandoned package reporting mode in composer audit #11792

Closed
mxr576 opened this issue Jan 12, 2024 · 5 comments · Fixed by #11794
Closed

Introduce an environment variable for setting abandoned package reporting mode in composer audit #11792

mxr576 opened this issue Jan 12, 2024 · 5 comments · Fixed by #11794
Labels
Feature
Milestone
2.7

Comments

@mxr576
Copy link
Contributor

mxr576 commented Jan 12, 2024
edited

#11639 introduced an abandoned package reporting mode without providing an environment variable for customization. The default reporting mode is set to change to "fail" in 2.7.0. Rather than requiring code adjustments in every project to revert to the reporting mode via configuration change in composer.json, it would be favorable to allow configuration through an environment variable in CI environments.

Another use case for implementing this environment variable is the ability to dynamically switch between reporting modes for specific CI jobs as needed (like use fail on PR review and reporting on nightly scanners that measures collected technical debt).
This was referenced Jan 12, 2024
Closed
Merged
@mxr576
Copy link
Contributor Author

mxr576 commented Jan 12, 2024

#11643 is also related.

@mxr576 mxr576 mentioned this issue Jan 12, 2024
Open
1 task
@mxr576
Copy link
Contributor Author

mxr576 commented Jan 22, 2024
edited

In the past, Drupal core (9.x) had various abandoned package dependencies, a situation that was generally acceptable because Drupal core maintainers actively managed those dependencies. Presently, with Drupal 10.1.x, the good news is that it is free from abandoned package dependencies. However, anticipating the possibility of future dependencies on abandoned packages, having a suggested environment variable could prove valuable for suppressing warnings during deployments.

In the event that Drupal 10.1.x or subsequent versions reintroduce dependencies on abandoned packages, the proposed environment variable would offer a practical solution to mute warnings, facilitating smoother deployment processes.

Alternatively, considering the occasional necessity for such features in the face of real-world challenges, a feature allowing the selective ignoring of abandoned packages on a case-by-case basis might be a viable alternative. (From previous interaction you may know that I am not a big fan of this kind of features, but still, reality sometimes override expectations.)

$ composer show drupal/core --installed --no-ansi --no-interaction --format=json 2>/dev/null | jq -r .versions[0]
9.5.11

$ composer audit

Found 6 abandoned packages:
+--------------------------+----------------------------------------------------------------------------------+
| Abandoned Package        | Suggested Replacement                                                            |
+--------------------------+----------------------------------------------------------------------------------+
| behat/mink-goutte-driver | behat/mink-browserkit-driver                                                     |
| doctrine/reflection      | roave/better-reflection                                                          |
| fabpot/goutte            | symfony/browser-kit                                                              |
| symfony/debug            | symfony/error-handler                                                            |
| webmozart/path-util      | symfony/filesystem                                                               |
+--------------------------+----------------------------------------------------------------------------------+

@mxr576
Copy link
Contributor Author

mxr576 commented Feb 5, 2024

@Seldaek What do you think about this idea? Do you see a chance to have this supported before 2.7.0 is tagged?

@Seldaek Seldaek added this to the 2.7 milestone Feb 6, 2024
@Seldaek
Copy link
Member

Seldaek commented Feb 7, 2024

I don't really see the value in doing an additional 2.6 release which would come simultaneously to 2.7, it's just gonna waste my time as almost everyone upgrades to latest anyway..

And IMO this is fine done via composer config even in CI an extra step doing this instead of setting the env isn't a huge deal, but I see the env is a bit more convenient.

And FWIW, I would say blocking deploy based on the audit command is a bad practice. I would absolutely alert/soft-fail on failed audit, but you shouldn't block deploys for some new advisory that may or may not be relevant to your project.

@Seldaek Seldaek added the Feature label Feb 7, 2024
@mxr576
Copy link
Contributor Author

mxr576 commented Feb 7, 2024

The goal is actually soft failing, capturing composer audit-s non-zero exit code on demand and streamlining the output of the command to different places.
In some cases we care about abandoned dependencies and sometimes not, then they should not influence the exit code.

This env var will help with that, thanks a lot!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature
Projects
None yet
Milestone
2.7
Development

Successfully merging a pull request may close this issue.

Introduce COMPOSER_AUDIT_ABANDONED env var mxr576/composer
2 participants
@Seldaek @mxr576