New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an option to composer.json to remove files on production #5367
Comments
First of all, composer should not be run on production (note, should not, not cannot). Second, there have been many requests for options similar to .gitattributes export-ignore, etc. Composer is not going to provide this. This should be a part of your packaging process/job. |
@alcohol @kamilsk I think you misunderstood what I mean. Let me explain the origin of this issue. concrete5 uses a lot of composer packages. When building a new release archive to be downloaded by end-users, we run a Doing so, we have a lot of unnecessary files (tests, docs, examples, ...) that increase the size of the archive, and it may results in some problems (security issues, version disclosures, ...). Ideally, package maintainers could add So, at the moment there's basically no way to tell which are the production-only files. What I'm suggesting here is a solution of this problem. Do you see any alternative? |
@mlocati, you can create plugin and use |
It's only an issue to people making an issue out of it :-) |
...as everything 😉 |
One |
I don't think so. After that we have two options to resolve similar problem: .gitattributes and composer.json:devFiles. But first like "pre-hook" (remove before archiving), and second like "post-hook" (remove after delivering). Do you know that the symfony maintainers ready to support this? |
I don't know... Let's see what @fabpot @webmozart @nicolas-grekas @Tobion think about this |
PS: composer itself too has the need to strip out development stuff (see here)... In the case of composer it's easy to keep the list of production-useless stuff up to date. |
@mlocati but that is part of our packaging process/job (or "compile" step, if you prefer). It is maintained by us. This is not a Composer feature :-) |
@alcohol That's the problem that my proposal tries to fix! You (composer) have to keep the list of stuff to be excluded from .phar, I have to keep the list of stuff to be removed from our distribution .zip archive, ... It's a problem that every project has (or should have) when generating the final distribution files. Imagine if you simply use something like |
@mlocati what problem? I don't see a problem. Composer has nothing to do with our compile/build step. |
As I described above, the problem is to strip out files that are not needed for the production. When building composer, it's an easy step (keep only .php files, remove test dirs). For big projects it's a problem: we need to parse every package and determine the list of production-useless stuff.
In your compile step you have to keep the list of stuff to be excluded from .phar. |
I think you misunderstood. I don't consider it a problem, period. Also, implementing your proposal in Composer would not change our compile/build process at all since we do not use composer for this. I can understand that your use-case is more complicated. But I simply do not agree that this is actually an issue that warrants attention/time. Storage space is negligible in this day and age. The cost (time, resources) it would require to implement your suggestion (and get everyone onboard to use it) would far exceed any gains it might provide. Anyway, unsubscribing from this topic as I (personally) have zero further interest in discussing this. |
You do: https://github.com/composer/composer/blob/1.1.1/bin/compile#L14 |
@mlocati IMO if someone builds a plugin that works well it could well become a community standard that most packages accept and just add their data in the extra key.. We can't solve everything in composer itself, because not everybody agrees how things should be done, and because our time to maintain things is finite. |
Potential syntax looks like this https://github.com/kamilsk/Common/blob/3.x/composer.yml#L75-L78 @mlocati, any suggestions? |
@Seldaek Thanks for your clean and wise answer @kamilsk Great! {
"devFiles": {
"docs": ["/CHANGELOG.md"],
"tests": ["/Tests", "/phpunit.xml.dist"],
"bin": ["/bin"],
"others": ".git*"
}
} That way, people that may want to keep the "bin" could delete all the files except the "bin" ones. |
@mlocati, I think you can close this issue, I open related here octolab/cleaner#1 and try to complete all works on MVP until 31 May https://github.com/octolab/Cleaner/milestones |
yep, my mistake |
@mlocati I simply do not agree it is an issue. Please do not speak on my behalf. :-) |
Maybe we have some language barrier here (obviously on my side): for me a GitHub "issue" is not the same as "bug", it's also something that's worth discussing about.
Sorry if I somehow offended you. The problem is that seeing an issue closed before a deeper discussion (like we've had after you closed this issue) is somehow hurting. It's like if you told me "shut out, don't say stupid things". GitHub is a collaborative place, where we all (love to) speak about software and the ways to improve it, isn't it? |
@mlocati I am simply saying that I do not agree that there is a "problem" to solve here. Composer is a dependency manager. Not a packaging tool. |
@alcohol could you please clarify (provide a link or keyword), how exactly it is possible as a part of integration pipeline? |
Pretty sure you can run a simple set of |
What should we use for |
@alcohol Yes it could work, but only if i know |
Le sigh. I'm unsubscribing from this thread. |
+1 for this feature. |
@dan-da, you can contribute to octolab/cleaner instead of continuing this thread. The composer is flexible and can be extended by plugins - thanks to the authors. |
I can see @alcohol stated numerously that he didn't consider this issue a real issue, without 0 explaination to why he thinks so :/ The only real argument I found was:
Yes, I agree. So why can't dependencies' authors decide what's part of a "dependecy", and what parts are unrelated noice that's required inside VCS for other reasons? |
Because it's just that, noise. If your OCD can't handle that, then deal with it in your packaging process. But there is no reason for the Composer team to waste time on building nor maintaining a feature that provides zero actual gain. |
@alcohol Ok, perhaps a map of excluded files is indeed hard to implement, test and maintain, I can agree on that. But how about, instead of specifying a map of excluded files, let's specify a |
How do you download only a subfolder ? If you use source install, you cannot do it (well, with SVN you can do it, but most of the packages are using Git today, not SVN, and Git cannot do it). And for dist install, we can only download what the dist archive contains. We cannot magically download a trimmed-down archive (and most open-source packages rely on downloads endpoints of Github and Gitlab for instance, which don't have such sub-folder download endpoints) |
@stof There is For dist install, we can handle it with |
@danon and supporting gitattributes or no is not something done by composer at all, but by the packaging tool (github respects it for instance when building the download archive, and many packages already uses it) |
It all comes down to value in the end. There is no value here. This discussion itself has already cost more than you would ever gain from it. |
@stof So why can't we have |
@danon what's wrong with https://github.com/octolab/cleaner? Looks exactly what we are looking for. |
@ivastly I don't care about my local or hosted environment, i could delete noise files on my computer with ease 🗡 I care about users of my dependencies. I have I don't want to tell users to use octolab/cleaner or to add
True, it wouldn't, but at least it would work for some projects (ones that have a single directory). PS: I'm sure you could use |
Packagist does not store any of your files, only metadata. You could remove these "noise" files from your repository in your tags. That way, no matter if the user downloads dist or source, they will not get these "noise" files. |
But seriously, as I said before, there is absolutely no value here to be gained. The amount of time spend discussing this has cost more in terms of $$ than you could ever gain back from removing these files. |
Or you can add those files in your |
That requires users to use |
@danon using dists is the default behavior of composer for releases (only dev branches are installed from source by default). |
Oh. Nice! What does |
@mlocati okay, |
@ivastly Someone may need all the files in the git repository without using |
Exists several plugins to remove unwanted files, but none works very universally. That's why I started to develop new plugin https://github.com/liborm85/composer-vendor-cleaner , that cleans files and directories in vendor directory by glob pattern syntax. |
Archives automatically generated by GIT (eg https://github.com/symfony/symfony/archive/v3.0.6.zip ) contain a copy of the repository.
These archives may contain tests/examples/docs that are not necessary on production machines (and could potentially lead to security issues).
Developers may tell git to exclude files/folders via an
export-ignore
option in the.gitattributes
file.BTW, someone may still want docs/tests included in packages during the development phase (that's for instance the main reason why big projects like Symfony are keeping tests/docs in packages).
What about improving Composer to handle this problem?
I mean, what I'm thinking about is to add something like this to to
composer.json
:We could then add to composer a new option (eg
--no-dev-files
): if this option is specified, Composer should delete the files/directories that satisfy the rules specified in thedevFiles
section ofcomposer.json
.This approach would make everyone happy...
The text was updated successfully, but these errors were encountered: