Indicates that sodium extension is provided

[cedric-anne]

Hi,

Adding the "provide": {"ext-sodium": "*"} will permit to install a dependency that requires this extension without actually having it installed.

This is working since version 2 of composer.

Here is an exemple of requirements checks result. I truncated it to keep only usefull information

$ composer check-platform-reqs            
ext-ctype            *        success provided by symfony/polyfill-ctype    
ext-curl             8.1      success
ext-mbstring         *        success provided by symfony/polyfill-mbstring 
ext-mysqli           8.1.16   success                                       
ext-sodium           n/a      lcobucci/jwt requires ext-sodium (*)      missing                                       

ext-ctype and ext-mbstring are not installed on the machine but checks are passing due to provide instructions added in symfony/polyfill#374

[paragonie-security]

This change might be problematic.

Some software specifies ext-sodium specifically because sodium_compat doesn't provide an Argon2 polyfill. (Nor can it.)

If you want to work around this, a separate Composer package that simply requires sodium-compat and specifies the provides flag would hack around this for projects that desire this, without upsetting the expectations of downstream libraries.

[paragonie-security]

https://github.com/paragonie/sodium_compat_ext_sodium - We created a meta-package for this here.

[cedric-anne]

Some software specifies ext-sodium specifically because sodium_compat doesn't provide an Argon2 polyfill. (Nor can it.)

Indeed, it may be a problem when paragonie/sodium_compat is indirectly added to dependencies.