Prevents development packages from being added into require and getting into production environment.

Overview

production-dependencies-guard

Prevents development packages from being added to require and ending up in the production environment. In practice this stops, for example, debug toolbars from being deployed to production.

Additionally, you can configure the guard to reject packages with a missing or unaccepted license, abandoned packages, or packages mentioning debug in their description, and to analyse packages on the basis of composer.lock (deeper analysis).

Installation

composer require --dev kalessil/production-dependencies-guard:dev-master

Configuration

Additional guard checks can be enabled in the top-level composer.json file:

{
    "name": "...",

    "extra": {
        "production-dependencies-guard": [
            "check-lock-file",
            "check-description",
            "check-license",
            "check-abandoned",
            
            "white-list:vendor/package-one",
            "white-list:vendor/package-two",
            
            "accept-license:MIT",
            "accept-license:proprietary"
        ]
    }
}
  • white-list:... adds a package to the white-list, so it is not reported despite violations
  • check-lock-file uses composer.lock instead of composer.json, allowing deeper analysis of the dependency tree
  • check-description enables description and keywords analysis (searches for "debug"), allowing custom dev-packages to be detected
  • check-abandoned enables checking for abandoned packages
  • check-license enables license checking (packages must provide license information)
  • accept-license:... specifies which licenses are accepted (if the setting is omitted, any license is accepted, incl. proprietary)

Usage

When the package is added to the require-dev section of your composer.json file ("kalessil/production-dependencies-guard": "dev-master"), it prevents dev-packages from being added to the require section. Since dev-packages come with no security guarantees (they are intended for development purposes only, not for production use), this also improves your application's security.

composer require --dev kalessil/production-dependencies-guard:dev-master

composer require phpunit/phpunit:*
# it should be `composer require --dev phpunit/phpunit:*` here

will run with an error (profit!):

./composer.json has been updated

Installation failed, reverting ./composer.json to its original content.

[RuntimeException]
  Dependencies guard has found violations in require-dependencies (source: manifest):
   - phpunit/phpunit: dev-package-name
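To make the configuration keys and the violation output above concrete, here is an added Python re-implementation of the guard's checks run over a constructed composer.json / composer.lock pair; it is not the plugin's own code. It assumes a simplified manifest mode (only packages named directly in require are examined), treats a license array as disjunctive (any one accepted license suffices, the behaviour the "#18" item in the comments below describes), and the reason labels "unfit-license" and "abandoned" are constructed here, while "dev-package-name" and "missing-license" are the ones the plugin prints.

```python
import json

# Constructed sample composer.json: the "extra" block uses the settings documented above.
COMPOSER_JSON = json.loads("""{
  "name": "acme/app",
  "require": {"vendor/pkg-ok": "^1.0", "vendor/debug-bar": "^2.0"},
  "extra": {"production-dependencies-guard": [
    "check-lock-file", "check-description", "check-license", "check-abandoned",
    "white-list:vendor/legacy-tool",
    "accept-license:MIT", "accept-license:BSD-3-Clause"]}
}""")

# Constructed sample composer.lock: "packages" are production deps (checked), "packages-dev" never are.
COMPOSER_LOCK = json.loads("""{
  "packages": [
    {"name": "vendor/pkg-ok", "description": "HTTP client", "keywords": ["http"], "license": ["MIT"]},
    {"name": "vendor/debug-bar", "description": "Debug toolbar", "keywords": ["debug"], "license": ["MIT"]},
    {"name": "vendor/dual-licensed", "description": "Utils", "keywords": [], "license": ["BSD-3-Clause", "GPL-3.0-only"]},
    {"name": "vendor/nolicense", "description": "Old lib", "keywords": [], "abandoned": true},
    {"name": "vendor/legacy-tool", "description": "debug helper", "keywords": [], "abandoned": "vendor/new-tool"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "description": "Testing framework", "keywords": ["testing"], "license": ["BSD-3-Clause"]}
  ]
}""")


def parse_settings(composer_json):
    # Split the guard's flat settings list into enabled checks, white-list and accepted licenses.
    settings = composer_json.get("extra", {}).get("production-dependencies-guard", [])
    checks = {s for s in settings if s.startswith("check-")}
    white_list = {s.split(":", 1)[1] for s in settings if s.startswith("white-list:")}
    accepted = {s.split(":", 1)[1] for s in settings if s.startswith("accept-license:")}
    return checks, white_list, accepted


def find_violations(composer_json, composer_lock):
    # Returns {package name: [reasons]} for production packages failing the enabled checks.
    checks, white_list, accepted = parse_settings(composer_json)
    production = composer_lock["packages"]
    if "check-lock-file" not in checks:
        # Manifest mode (assumption): only packages named directly in "require" are examined,
        # so indirect dependencies such as vendor/nolicense are never seen.
        direct = set(composer_json.get("require", {}))
        production = [p for p in production if p["name"] in direct]
    violations = {}
    for pkg in production:
        if pkg["name"] in white_list:
            continue  # white-listed packages are never reported, whatever they violate
        reasons = []
        text = " ".join([pkg.get("description", ""), *pkg.get("keywords", [])]).lower()
        if "check-description" in checks and "debug" in text:
            reasons.append("dev-package-name")
        if "check-license" in checks:
            licenses = set(pkg.get("license", []))
            if not licenses:
                reasons.append("missing-license")
            # Disjunctive license arrays: one accepted license is enough; an empty
            # accept-license list means any license is fine.
            elif accepted and not licenses & accepted:
                reasons.append("unfit-license")  # reason label constructed for this example
        if "check-abandoned" in checks and pkg.get("abandoned"):
            reasons.append("abandoned")  # reason label constructed for this example
        if reasons:
            violations[pkg["name"]] = reasons
    return violations
```

Dropping "check-lock-file" from the sample settings shows why the lock-file mode matters: the unlicensed, abandoned indirect dependency disappears from the report.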

Stability

This package is only available as dev-master, in keeping with its purpose.

Comments
  • Composer 2 support

    I see this error message:

    kalessil/production-dependencies-guard dev-master requires composer-plugin-api ^1.1 -> found composer-plugin-api[2.0.0] but it does not match the constraint.
    
    You are using Composer 2, which some of your plugins seem to be incompatible with. Make sure you update your plugins or report a plugin-issue to ask them to support Composer 2.
    
    opened by voku 5
  • FR: add white-list options ('white-list:vendor/package1', 'white-list:vendor/package2')

    I am thinking of a use-case like this: I am developing an add-on for a development tool, let's say CaptainHook. CaptainHook is clearly a development tool and is tagged in such a way. That way I could not install it as a require dependency in my application project. However, in case I want to develop an extension for CaptainHook, I need to add the CaptainHook package to the require section of my extension so that composer install is working fine. But since CaptainHook is marked as a development dependency, this would fail when your plugin is enabled. Or am I missing the point?

    opened by shochdoerfer 5
  • Is there any way to declare own protected dependencies list?

    Currently, it checks and prevents installing dependencies declared in the repository, so if someone creates a library for dev purposes, then they, or the community, should add a PR with the new package to this repo. But what about internal project packages for dev, which are often created for big complex projects?

    opened by Insolita 5
  • PHP 8 support

    Hi,

    The current composer.json PHP requirement for ^7.0 blocks upgrading to PHP 8. Is it possible to expand to ^7.0|^8.0 or are there any known incompatibilities?

    Thanks!

    opened by SunMar 2
  • accept-licence: any-open-source wildcard

    It would be very useful if you could add something like accept-licence: any-open-source which would be the same as accepting all the versions of open source licences. I have this in my list and it is a bit bothersome to maintain.

          "accept-license:Apache-2.0",
          "accept-license:BSD-2-Clause",
          "accept-license:BSD-3-Clause",
          "accept-license:GPL-2.0",
          "accept-license:GPL-2.0-only",
          "accept-license:GPL-3.0",
          "accept-license:GPL-3.0-only",
          "accept-license:ISC",
          "accept-license:LGPL-2.1-or-later",
          "accept-license:LGPL-3.0",
          "accept-license:MIT",
    
    opened by josefsabl 2
  • Show "composer why" among dev-package

    This error is shown:

     [RuntimeException]
      Dependencies guard has found violations in require-dependencies (source: lock-file):
       - symfony/debug: dev-package-name

    But I did not require this package so I need to ask composer why. It would be great if the error message already shows that symfony/console brought this upon us.

    Aside: A bit sad that everything gets blocked due to symfony/console.

    opened by ScreamingDev 2
  • Allow missing license

    Using PDG (production-dependencies-guard) in existing projects stops the whole team because after installing and setting the config like this:

    "production-dependencies-guard": [
          "check-description",
          "check-license"
        ]
    

    You get lots of errors:

    Dependencies guard has found violations in require-dependencies (source: manifest):
    foo missing-license

    Please add an option to ignore missing license. Otherwise we would have to add almost 13 packages to whitelist by now.

    opened by ScreamingDev 2
  • Don't run on self removal

    Our CI installs composer packages with dev deps, prepares blobs for release and then removes dev packages to produce a release image without them. Unfortunately, the production-dependencies-guard plugin tries to run itself after it's been removed.

    $ composer install
    # do some work using dev packages………………………………… and then remove them
    $ composer install --prefer-dist --no-dev --optimize-autoloader --no-suggest --apcu-autoloader
    Loading composer repositories with package information
    Installing dependencies from lock file
    Package operations: 0 installs, 0 updates, 84 removals
    ……………………………… lots of packages removed
      - Removing localheinz/composer-normalize (0.9.0)
      - Removing kalessil/production-dependencies-guard (dev-master)
    ……………………………… lots of packages removed
    Generating optimized autoload files
    
    Fatal error: Uncaught Error: Class 'Kalessil\Composer\Plugins\ProductionDependenciesGuard\Suppliers\FromComposerManifestSupplier' not found in /tmp/build/vendor/kalessil/production-dependencies-guard/src/Guard.php:105
    Stack trace:
    #0 [internal function]: Kalessil\Composer\Plugins\ProductionDependenciesGuard\Guard->checkGeneric(Object(Composer\Script\Event))
    #1 phar:///usr/bin/composer/src/Composer/EventDispatcher/EventDispatcher.php(176): call_user_func(Array, Object(Composer\Script\Event))
    #2 phar:///usr/bin/composer/src/Composer/EventDispatcher/EventDispatcher.php(96): Composer\EventDispatcher\EventDispatcher->doDispatch(Object(Composer\Script\Event))
    #3 phar:///usr/bin/composer/src/Composer/Installer.php(324): Composer\EventDispatcher\EventDispatcher->dispatchScript('post-install-cm...', false)
    #4 phar:///usr/bin/composer/src/Composer/Command/InstallCommand.php(122): Composer\Installer->run()
    #5 phar:///usr/bin/composer/vendor/symfony/console/Command/Command.php(245): Composer\Command\InstallCommand->execute(Object(Sym in /tmp/build/vendor/kalessil/production-dependencies-guard/src/Guard.php on line 105
    
    bug 
    opened by b1rdex 1
  • Misc improvements

    Hi, I took a bit of time to add some features and update the code and tests. Let me know if this looks ok; if you see any issues and would like me to change something, let me know!

    • allow configuration of guards per package (#17)
    • in case of multiple licenses, accept any instead of require all (#18)
    • symfony/debug and symfony/var-dumper are no longer whitelisted, only the description/keyword guard will not trigger on them (if they ever get abandoned, or a license is changed, those guards will trigger)
    • add symfony/error-handler to the ignore list of the description/keyword guard (is a production package, pulled in by f.ex. the Laravel framework)
    • fix mikey179/vfsstream not being detected as dev package (#19)
    • update test dependencies to the latest versions
    • add CodeSniffer test for PHP compatibility with version >= 7.0
    opened by SunMar 0
  • check-license requires all instead of only one when license is an array

    Hi,

    Today I ran into an issue when the license of a package is an array. In the composer.json documentation the following is said about using an array for the license:

    For a package, when there is a choice between licenses ("disjunctive license"), multiple can be specified as array.

    So you can choose which license you want to use. Based on that my expectation would be that the check-license guard will consider the license of a package valid if at least one of its licenses is allowed via accept-license:. However it seems right now that the check-license guard is instead requiring that all the licenses in the array are allowed via accept-license:.

    This creates a problem with for example the nette/utils package which allows you to use either a BSD 3-Clause, GPL 2.0 or GPL 3.0 license. If you don't want to allow GPL, but are fine with BSD 3-Clause, the guard (incorrectly) blocks the package from installing. This also prevents you from installing Laravel because nette/utils is an indirect dependency for Laravel.

    A quick way to reproduce is to start a docker container using docker run -it --rm php:8.0-cli bash -l and then running:

    apt-get update -qq
    apt-get install -qq -y git unzip jq moreutils > /dev/null
    curl -s -o /usr/local/bin/composer https://getcomposer.org/download/latest-stable/composer.phar
    chmod +x /usr/local/bin/composer
    mkdir -p /app
    cd /app
    composer require --quiet --dev kalessil/production-dependencies-guard:dev-master
    
    echo -e "\n==========> nette/utils is rejected even though BSD-3-Clause is an accepted license\n"
    jq '. * {"extra":{"production-dependencies-guard":["check-license","accept-license:BSD-3-Clause"]}}' composer.json | sponge composer.json
    jq '.' composer.json
    composer require --quiet nette/utils
    
    echo -e "\n==========> nette/utils is allowed because we're accepting all three licenses BSD-3-Clause, GPL-2.0-only and GPL-3.0-only\n"
    jq '. * {"extra":{"production-dependencies-guard":["check-license","accept-license:BSD-3-Clause","accept-license:GPL-2.0-only","accept-license:GPL-3.0-only"]}}' composer.json | sponge composer.json
    jq '.' composer.json
    composer require --quiet nette/utils
    
    echo -e "\n==========> laravel/framework is not allowed with check-lock-file because it depends on nette/utils even though we are allowing the minimum licenses needed\n"
    jq '. * {"extra":{"production-dependencies-guard":["check-lock-file","check-license","accept-license:MIT","accept-license:BSD-3-Clause","accept-license:Apache-2.0"]}}' composer.json | sponge composer.json
    jq '.' composer.json
    composer require --quiet laravel/framework
    
    opened by SunMar 0
  • Whitelist ability to specify specific guards

    Hi,

    First I want to say that I love this composer plugin. It really helps keeping track of not accidentally installing a bad license or an abandoned package. The check-description guard is something I like too, but is something that feels a bit conflicting with the whitelist. There are some packages that I'd like to whitelist (for example symfony/error-handler because it's included as a non-dev requirement by Laravel but the guard blocks it as it thinks it's a debug only package). However I'd only like to whitelist that package for the check-description guard, not for the check-abandoned or the check-license guards. If for some reason the package becomes abandoned, or they change the license, installation should be blocked.

    So maybe the white-list options can be expanded for example like so:

    {
        "name": "...",
    
        "extra": {
            "production-dependencies-guard": [
                "check-lock-file",
                "check-description",
                "check-license",
                "check-abandoned",
                
                "white-list:vendor/package-one:license,abandoned",
                "white-list:vendor/package-two",
                
                "accept-license:MIT"
            ]
        }
    }
    

    A change like this could be backwards compatible, where vendor/package-two still uses all guards, but vendor/package-one will only trigger when checking the license or when it's abandoned.

    opened by SunMar 2
  • FR: Dedicated run

    Right now this is an extension to composer and hooking into it. Running these assertions in CI is not very easy. So having a dedicated config file or some command to run specific configs during CI would be great.

    • We would rather have such blocking tools decoupled in CI than blocking a developer's interest in finding out interesting stuff.
    • This is currently possible by putting the extra-config in the repo but running composer require ... and composer update in the CI.
    • But there are multiple scenarios:
      • Our SAST-CI wants to go for check-abandoned only.
      • Our Compliance-CI wants to go for plenty other checks.
      • The Compliance-CI shall fail on check-lock-file but pass with warning for check-description
      • This makes it 3 different configs.
      • By now we store different configs as JSON and merge them during CI (jq -s '.[0] * .[1]' composer.json pdg-sast.json | sponge composer.json)
    • So having different configs is possible but not native by this package.

    Here you go. This is what I thought about it yesterday :) Focus is on a dedicated command for CI and allow the dev to try things.

    opened by ScreamingDev 1
Owner
Vladimir Reznichenko