Add allow-plugins config value #10314
Conversation
Seldaek
force-pushed
the
disable_plugins
branch
from
1163b40 to
fac5333
Compare
Seldaek
force-pushed
the
disable_plugins
branch
2 times, most recently
from
81507db to
6b97c95
Compare
|
Latest version of the PR does prompt the user whether new unknown plugins should be enabled if interactive. When non-interactive and allow-plugins is not set at all, it allows all plugins for BC. When non-interactive and allow-plugins is set but does not include a given package, that package is not allowed. Now I do wonder if we shouldn't build in some time-based feature switch in there that makes it forbid all plugins if Any thoughts on this last point? |
|
I agree with adding a mechanism to get people to start adding the setting in due time. |
| @@ -69,6 +80,9 @@ public function __construct(IOInterface $io, Composer $composer, Composer $globa | |||
| $this->globalComposer = $globalComposer; | |||
| $this->versionParser = new VersionParser(); | |||
| $this->disablePlugins = $disablePlugins; | |||
|
|
|||
| $this->allowPluginRules = $this->parseAllowedPlugins($composer->getConfig()->get('allow-plugins')); | |||
| $this->allowGlobalPluginRules = $this->parseAllowedPlugins($globalComposer ? $globalComposer->getConfig()->get('allow-plugins') : false); | |||
There was a problem hiding this comment.
I wonder how global plugin allow should even work? Merging the setting with local and applying to all plugins executed in this process or should the global setting apply to global plugins and local setting to local plugins?
There was a problem hiding this comment.
Right now it does apply global setting to global plugins and local to local plugins. Note that this refers to the composer global installed plugins. The global config.json would just be merged in both local and global composer configs.
I think it's fine as is. If you add a plugin via composer global require ... it will prompt you and add it in that composer.json and it works.
There was a problem hiding this comment.
I agree that's fine but this may require a bit more documentation? Can also add that when the first confused person shows up ;-)
…sting plugins impossible
…o enable/disable some packages, so we can suppress warnings for things we never want enabled, and add a way to update the config for the user if run interactively
Co-authored-by: Nils Adermann <naderman@naderman.de>
Seldaek
force-pushed
the
disable_plugins
branch
from
36eb43a to
6305a7d
Compare
Seldaek
force-pushed
the
disable_plugins
branch
2 times, most recently
from
bbd9cf3 to
55569a1
Compare
Seldaek
force-pushed
the
disable_plugins
branch
from
55569a1 to
b2da692
Compare
Seldaek
force-pushed
the
disable_plugins
branch
from
6cb5abe to
f262f47
Compare
|
Hey @Seldaek ,
I was just reviewing your PR and was wondering why you put the timing check in the code, instead of using versioning. Otherwise people could stick with old versions (of course they should not do that), instead of faking their system time to make plugins work without configuration anymore :) |
|
@bmack why would anyone want to do this though? I mean if you really don't care for security you can do |
|
@Seldaek well, personally, I'd never do such things (but you know, people come up with stupid ideas to solve their issues). Also: I'd never put this in a global setting at all (my CI wouldn't have the plugins enabled, but I have it in my global config - would lead to inconsistencies), but I see this 100% on a per-project config level, and love it. Doing this switch not via versioning but by date seems odd. I just wondered why we shouldn't stick to sem-ver here, instead of going with a fixed date "deadline". In any case: Thanks a bunch, very much looking forward to this! |
|
@bmack We want this in 2.2 LTS so that this will apply to the majority of all users within a few months. As 2.3 is going to drop support for lots of old PHP versions, dependencies etc., we would have to introduce the requirement for allow-plugins in a 2.2.x release. But that would mean people who don't want the requirement have to stay on an outdated version missing bugfixes on the 2.2 LTS line, which we want to discourage them from doing. So instead it'll be timed and included in all 2.2 releases, and worst case as Jordi described it can be disabled. |
This PR was merged into the 4.4 branch. Discussion ---------- Add allow-plugins in the skeleton config Refs composer/composer#10314 For now, the default value in Composer is still to allow all plugins implicitly for BC. But the behavior will change in July 2022 to default to an empty list of allowed plugins. This PR has 2 effects: - it makes new project use the new Composer behavior directly instead of relying on the BC layer - it marks `symfony/flex` as an allowed plugin, as our skeleton is meant to be used with Flex The first point means that projects installing other composer plugins will need to mark them as allowed for them to run (but `composer update` running in an interactive shell will ask for that anyway) Commits ------- f757a29 Add allow-plugins in the skeleton config
|
Is there a command that can be run that will do nothing but prompt about updating the |
|
|
Fixes #5659
Still a few TODOs / open questions
/allow-pluginsshortlink on getcomposer.org