Simple Composer script to manage PHAR files via the project's composer.json.

Last update: Aug 3, 2021

tooly-composer-script


With the tooly composer script you can version the PHAR files your project needs in its composer.json without adding the files themselves to a VCS, in order to:

  • save disk space in the VCS repository
  • make sure every developer on the project gets the required toolchain
  • prepare a CI/CD system
  • (optional) automatically verify the GPG signature of each tool

Every PHAR file is saved in the Composer binary directory.

Example

A real example can be found here.

Requirements

  • PHP >= 5.6
  • Composer

Install

To use the script execute the following command:

composer require --dev tm/tooly-composer-script

Then add the script to composer.json under "scripts", keyed by the Composer event names you want it to run on. For example:

...
"scripts": {
    "post-install-cmd": "Tooly\\ScriptHandler::installPharTools",
    "post-update-cmd": "Tooly\\ScriptHandler::installPharTools"
  },
...

See here for more information about Composer events.

Sample usage

The composer.json schema has an "extra" section, which this script uses. It is described here.

In this section, add the PHAR tools you need under the key "tools".

...
"extra": {
    ...
    "tools": {
      "phpunit": {
        "url": "https://phar.phpunit.de/phpunit-5.5.0.phar",
        "sign-url": "https://phar.phpunit.de/phpunit-5.5.0.phar.asc"
      },
      "phpcpd": {
        "url": "https://phar.phpunit.de/phpcpd-2.0.4.phar",
        "only-dev": true,
        "rename": true
      },
      "security-checker": {
        "url": "http://get.sensiolabs.org/security-checker.phar",
        "force-replace": true
      }
    }
    ...
  }
...

Parameters

url (required)

After adding the tool's name as the key, only one further parameter is required: "url". The URL can point to a specific version, such as x.y.z, or to the latest version of the PHAR.

rename (optional, default false)

Rename the downloaded tool to the name used as the key.

sign-url (optional, default none)

If this parameter is set, tooly checks that the PHAR file at url has a valid signature by verifying it against the detached signature at sign-url.

This option is useful if you want to be sure that the tool comes from the expected author.

Note: the check needs an additional Composer requirement and a gpg binary in your $PATH.

You can add the requirement with this command: composer require tm/gpg-verifier

This check often fails because the tool author's public key is not in your GPG keyring.

fallback-url (optional, default none)

This option is useful if you want to add an extra layer of stability to your daily build processes.

If url is not accessible and a fallback-url is set, tooly downloads the PHAR from the fallback URL instead. The fallback URL can likewise point to a specific version, such as x.y.z, or to the latest version of the PHAR.

force-replace (optional, default false)

Every time you run composer install or composer update the PHAR tools are checked. If the remote and local PHAR do not have the same checksum, you are asked whether to overwrite the existing one.

That prompt is skipped when this parameter is set.

This option is useful if url points to the latest version of a tool and you always want it replaced, or if you run Composer in non-interactive mode (for example on a CI system) and want the replacement to happen without a prompt.

It is also useful if a require-dev library brings one of the tools as its own requirement.

only-dev (optional, default true)

This parameter marks the PHAR as needed only in development mode, so composer [install|update] --no-dev ignores this tool.

Note: for this to work, tooly itself must be a non-dev requirement, i.e. listed under "require" rather than "require-dev".
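The parameters above interact: only-dev decides whether a tool is considered at all, url and fallback-url decide where it comes from, rename decides what it is called, the checksum comparison together with force-replace and interactivity decides what happens to an existing copy, and sign-url decides whether the download is accepted. The following Python example is added here to walk through that decision for the README's sample tools; it is not tooly's own code. The network and the checksums are passed in as plain values (the set of reachable URLs, the local and remote SHA-1), the mirror host used as fallback-url is constructed for this example, and the behaviour chosen for a differing checksum in non-interactive mode without force-replace (keep the local file) is an assumption, not documented tooly behaviour. verify_detached_signature wraps the gpg call that the sign-url check depends on; it needs gpg in $PATH and the author's key in the keyring.

```python
import hashlib
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample "extra.tools" section, modelled on the README example
# (the mirror host in the fallback-url is made up for this example).
SAMPLE_TOOLS = {
    "phpunit": {
        "url": "https://phar.phpunit.de/phpunit-5.5.0.phar",
        "sign-url": "https://phar.phpunit.de/phpunit-5.5.0.phar.asc",
    },
    "phpcpd": {
        "url": "https://phar.phpunit.de/phpcpd-2.0.4.phar",
        "only-dev": True,
        "rename": True,
    },
    "security-checker": {
        "url": "http://get.sensiolabs.org/security-checker.phar",
        "fallback-url": "https://mirror.example/security-checker.phar",
        "force-replace": True,
    },
}


@dataclass
class Plan:
    action: str                        # skip | fail | install | keep | replace | ask
    source_url: Optional[str] = None   # URL the PHAR would be fetched from
    target_name: Optional[str] = None  # file name inside the bin directory
    sign_url: Optional[str] = None     # detached signature to verify, if configured
    reason: str = ""


def target_filename(name: str, cfg: dict) -> str:
    """rename=true stores the PHAR under the tool key; otherwise the remote file name is kept."""
    if cfg.get("rename", False):
        return name
    return cfg["url"].rsplit("/", 1)[-1]


def plan_tool(name: str, cfg: dict, *, dev_mode: bool, interactive: bool,
              reachable: Set[str], local_sha1: Optional[str] = None,
              remote_sha1: Optional[str] = None) -> Plan:
    """Decide what to do for one tool. dev_mode is False for --no-dev, interactive is
    False on CI, reachable holds the URLs that answered, local_sha1 is None when no
    copy is installed yet."""
    # only-dev defaults to true, so with --no-dev the tool is ignored unless only-dev is false
    if cfg.get("only-dev", True) and not dev_mode:
        return Plan("skip", reason="only-dev tool ignored in --no-dev mode")

    # url first; fallback-url is consulted only when url is not accessible
    source = next((u for u in (cfg["url"], cfg.get("fallback-url"))
                   if u and u in reachable), None)
    if source is None:
        return Plan("fail", reason="neither url nor fallback-url is accessible")

    target = target_filename(name, cfg)
    sign_url = cfg.get("sign-url")
    if local_sha1 is None:
        return Plan("install", source, target, sign_url, "no local copy yet")
    if local_sha1 == remote_sha1:
        return Plan("keep", source, target, sign_url, "local and remote checksums match")
    if cfg.get("force-replace", False):
        return Plan("replace", source, target, sign_url, "checksum differs and force-replace is set")
    if interactive:
        return Plan("ask", source, target, sign_url, "checksum differs; user is prompted")
    # Assumption for this example: with no prompt possible and no force-replace the local file stays.
    return Plan("keep", source, target, sign_url,
                "checksum differs but no prompt possible; set force-replace")


def sha1_of_file(path: str) -> str:
    """The comparison tooly makes with sha1_file(): hash the whole downloaded file."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_detached_signature(phar_path: str, asc_path: str) -> bool:
    """The GPG check behind sign-url. Needs a gpg binary in $PATH and the author's
    public key in the local keyring; without the key gpg exits non-zero."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found in $PATH")
    result = subprocess.run(["gpg", "--batch", "--verify", asc_path, phar_path],
                            capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed network state: phpunit's url and the security-checker mirror answer.
    up = {"https://phar.phpunit.de/phpunit-5.5.0.phar",
          "https://mirror.example/security-checker.phar"}
    for tool, cfg in SAMPLE_TOOLS.items():
        p = plan_tool(tool, cfg, dev_mode=True, interactive=False, reachable=up,
                      local_sha1="old", remote_sha1="new")
        print(f"{tool:18} {p.action:8} {p.source_url or '-'} -> {p.target_name or '-'} ({p.reason})")
```

Running the block prints one decision line per sample tool; on a CI run (non-interactive) only security-checker, which carries force-replace, is replaced, while phpunit keeps its stale copy and phpcpd fails because neither of its URLs answered in the constructed network state.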

A note to PhpStorm or other IDE users

To keep code completion working, set the "include_path" option in the project (PhpStorm setting).

Contributing

Please refer to CONTRIBUTING.md for information on how to contribute.

GitHub

https://github.com/tommy-muehle/tooly-composer-script
Comments
  • 1. Place downloaded PHARs in a .tooly/ folder

    This is a proposal

    Instead of downloading the .phar files directly to vendor/bin and creating symlinks in the same place, I suggest downloading the .phar files to a tooly-specific folder, e.g. <ProjectDir>/.tooly/, and creating a symlink from there to vendor/bin.

    .tooly/ should be the default name of the folder, which can be overwritten by a new config key in the extra section of composer.json like this:

    "extra": {
        "tooly-dir": "./.otherDir/",
        "tools": {
            "phpunit": {
                "url": "https://phar.phpunit.de/phpunit.phar",
                "only-dev": true
            }
        }
    }
    

    Advantages

    • Tooly would be able to prune obsolete .phar files, when removed from the extra/tools section in composer.json. This is currently not possible as there could be other files/symlinks under vendor/bin that were not created by tooly.
    • There would be a tooly-specific place for any future use, e.g. storing meta data or a composer-like .lock file.

    Disadvantages

    • One more folder in the project dir that needs to be added to .gitignore

    BC break

    No.

    Reviewed by hollodotme at 2016-08-10 21:26
  • 2. ISSUE-15: (Windows) Missed symlink to phar at bin folder

    Short description of what this resolves:

    Fixed Windows OS issue with bin folder

    Changes proposed in this pull request:

    • For Windows environments suggested using copy instead of symlinks

    Version: 1.x

    Fixes:

    Reviewed by inri13666 at 2019-01-30 12:06
  • 3. Force overwrite option

    I use tooly to load phpunit as phar. Some of my requirements also load phpunit, but via composer. Tooly runs as post command and composer has already created the phpunit file in my bin directory. Then the post command asks if I want to overwrite phpunit. How can I force this use case for a continuous integration server for example?

    Reviewed by freshp at 2016-07-13 09:43
  • 4. If bin dir does not exist composer install/update fails

    Expected behavior

    • Create bin dir if it does not exist and install tools

    Actual behavior

    • Installation failed with [ErrorException] scandir(/app/path/bin): failed to open dir: No such file or directory

    Steps to reproduce actual behavior

    • Delete bin dir and run composer update
    • Error occurred in $this->removeFromDir()

    Other information (e.g. version, os system, stacktraces, etc)

    • tooly version 1.2.3

    Reviewed by mfuehrer82 at 2017-01-06 17:22
  • 5. Fix checksum of not accessible url using fall back url

    Short description of what this resolves:

    This commit addresses a fix for the FileAlreadyExistDecision.php for a not accessible url.

    Changes proposed in this pull request:

    In case the provided url is not accessible and the downloaded file already exists, an ErrorException sha1_file(http://notaccessible.url/version/tool.phar): failed to open stream: Operation timed out was thrown. This commit fixes this issue by adding an extra check for the accessibility of the url. If the url is not accessible, the fallback url is used for the checksum.

    Version: 1.4.0

    Fixes: #

    Reviewed by svenjungnickel at 2019-05-24 12:09
  • 6. scriptHandler removes bin/*.phar files from different packages

    When I have a dependency which installs a .phar file into bin directory, then during ScriptHandler::installPharTools the phar gets removed.

    Steps to reproduce:

    • Create composer.json:
    {
    	"name": "test/test",
    	"require": {},
    	"require-dev": {
    		"phpstan/phpstan-shim": "^0.9.2",
    		"tm/tooly-composer-script": "^1.2.5"
    	},
    	"scripts": {
    		"post-install-cmd": [
    			"Tooly\\ScriptHandler::installPharTools"
    		],
    		"post-update-cmd": [
    			"Tooly\\ScriptHandler::installPharTools"
    		]
    	}
    }
    
    • run composer install
    • vendor/bin now contains only the phpstan file but the phpstan/phpstan-shim package has two files specified in the bin section of its composer.json - https://github.com/phpstan/phpstan-shim/blob/master/composer.json#L11-L14

    Expected is that after composer install two files (phpstan and phpstan.phar) are in the vendor/bin directory.

    Reviewed by voda at 2018-03-07 12:35
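Comments 1, 4 and 6 all concern how the bin directory is handled: a missing bin directory makes scandir() fail, and a blanket cleanup removes PHARs that other packages (such as phpstan-shim) placed there. The Python below is an added illustration of one defensive approach and is not tooly's code: create the directory if it is absent, record which files tooly itself wrote in a small manifest (the manifest file name and format are assumptions, in the spirit of the metadata file proposed in comment 1), and prune only files recorded there for tools that are no longer configured. The files and the third-party package in demo() are constructed stand-ins.

```python
import json
import os
import tempfile

# Assumed manifest name; tooly has no such file, this is the example's own bookkeeping.
MANIFEST_NAME = ".tooly-manifest.json"


def ensure_bin_dir(bin_dir: str) -> str:
    """Create the bin directory when it is missing, so a later listing cannot fail."""
    os.makedirs(bin_dir, exist_ok=True)
    return bin_dir


def load_manifest(bin_dir: str) -> dict:
    path = os.path.join(bin_dir, MANIFEST_NAME)
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def save_manifest(bin_dir: str, manifest: dict) -> None:
    with open(os.path.join(bin_dir, MANIFEST_NAME), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def record_tool(bin_dir: str, tool: str, filename: str) -> None:
    """Remember that `filename` in bin_dir belongs to tooly's tool `tool`."""
    manifest = load_manifest(bin_dir)
    manifest[tool] = filename
    save_manifest(bin_dir, manifest)


def prune_obsolete(bin_dir: str, configured_tools: set) -> list:
    """Delete only files tooly recorded for tools that are no longer configured.
    Anything else in bin_dir (other packages' PHARs, symlinks Composer made) is left alone."""
    manifest = load_manifest(bin_dir)
    removed = []
    for tool, filename in list(manifest.items()):
        if tool in configured_tools:
            continue
        path = os.path.join(bin_dir, filename)
        if os.path.lexists(path):   # lexists: a dangling symlink is still removed
            os.remove(path)
        removed.append(filename)
        del manifest[tool]
    save_manifest(bin_dir, manifest)
    return removed


def demo() -> dict:
    """Constructed scenario: bin dir absent, one third-party PHAR, two tooly tools,
    then phpcpd is dropped from the configuration."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = ensure_bin_dir(os.path.join(root, "vendor", "bin"))
        # stand-in for a file another package (e.g. phpstan-shim) installs into bin
        with open(os.path.join(bin_dir, "phpstan.phar"), "wb") as fh:
            fh.write(b"<?php // third-party phar (constructed)")
        for tool, filename in (("phpunit", "phpunit.phar"), ("phpcpd", "phpcpd")):
            with open(os.path.join(bin_dir, filename), "wb") as fh:
                fh.write(b"<?php // tooly-managed phar (constructed)")
            record_tool(bin_dir, tool, filename)
        removed = prune_obsolete(bin_dir, configured_tools={"phpunit"})
        remaining = sorted(n for n in os.listdir(bin_dir) if n != MANIFEST_NAME)
        return {"removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

The manifest lives inside the bin directory here only to keep the example self-contained; the .tooly/ folder proposed in comment 1 would be the natural home for it, and the same ownership check would let tooly prune its own obsolete PHARs without touching the phpstan.phar that phpstan-shim ships.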
  • 7. Bump composer/composer from 1.2.0 to 1.10.23

    Bumps composer/composer from 1.2.0 to 1.10.23.

    Release notes

    Sourced from composer/composer's releases.

    1.10.23

    • Security: Fixed command injection vulnerability on Windows (GHSA-frqg-7g38-6gcf / CVE-2021-41116)

    1.10.22

    • Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)

    1.10.21

    • Fixed support for new GitHub OAuth token format
    • Fixed processes silently ignoring the CWD when it does not exist

    1.10.20

    • Fixed exclude-from-classmap causing regex issues when having too many paths
    • Fixed compatibility issue with Symfony 4/5

    1.10.19

    • Fixed regression on PHP 8.0

    1.10.18

    • Allow installation on PHP 8.0

    1.10.17

    • Fixed Bitbucket API authentication issue
    • Fixed parsing of Composer 2 lock files breaking in some rare conditions

    1.10.16

    • Added warning to validate command for cases where packages provide/replace a package that they also require
    • Fixed JSON schema validation issue with PHPStorm
    • Fixed symlink handling in archive command

    1.10.15

    • Fixed path repo version guessing issue

    1.10.14

    • Fixed version guesser to look at remote branches as well as local ones
    • Fixed path repositories version guessing to handle edge cases where version is different from the VCS-guessed version
    • Fixed COMPOSER env var causing issues when combined with the global command
    • Fixed a few issues dealing with PHP without openssl extension (not recommended at all but sometimes needed for testing)

    1.10.13

    • Fixed regressions with old version validation
    • Fixed invalid root aliases not being reported

    1.10.12

    • Fixed regressions with old version validation

    1.10.11

    • Fixed more PHP 8 compatibility issues
    • Fixed regression in handling of CTRL-C when xdebug is loaded
    • Fixed status handling of broken symlinks

    ... (truncated)

    Changelog

    Sourced from composer/composer's changelog.

    [1.10.23] 2021-10-05

    • Security: Fixed command injection vulnerability on Windows (GHSA-frqg-7g38-6gcf / CVE-2021-41116)

    [1.10.22] 2021-04-27

    • Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)

    [1.10.21] 2021-04-01

    • Fixed support for new GitHub OAuth token format
    • Fixed processes silently ignoring the CWD when it does not exist

    [1.10.20] 2021-01-27

    • Fixed exclude-from-classmap causing regex issues when having too many paths
    • Fixed compatibility issue with Symfony 4/5

    [1.10.19] 2020-12-04

    • Fixed regression on PHP 8.0

    [1.10.18] 2020-12-03

    • Allow installation on PHP 8.0

    [1.10.17] 2020-10-30

    • Fixed Bitbucket API authentication issue
    • Fixed parsing of Composer 2 lock files breaking in some rare conditions

    [1.10.16] 2020-10-24

    • Added warning to validate command for cases where packages provide/replace a package that they also require
    • Fixed JSON schema validation issue with PHPStorm
    • Fixed symlink handling in archive command

    [1.10.15] 2020-10-13

    • Fixed path repo version guessing issue

    [1.10.14] 2020-10-13

    • Fixed version guesser to look at remote branches as well as local ones
    • Fixed path repositories version guessing to handle edge cases where version is different from the VCS-guessed version
    • Fixed COMPOSER env var causing issues when combined with the global command
    • Fixed a few issues dealing with PHP without openssl extension (not recommended at all but sometimes needed for testing)

    [1.10.13] 2020-09-09

    ... (truncated)

    Commits
    • eb3bae3 Release 1.10.23
    • ca5e2f8 Fix escaping issues on Windows which could lead to command injection, fixes G...
    • 1a994e4 Update deps
    • 32eb3b4 Update deps
    • a02802b Warn 1.x users when a package is not found that it may be due to our deprecat...
    • cd682f9 Update xdebug-handler to latest
    • 1cdbacb Update changelog
    • 083b735 Merge pull request from GHSA-h5h8-pc6h-jvvx
    • 4dc293b Update changelog
    • 96acad1 Update github token pattern to match their latest updates
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2021-10-05 21:06
  • 8. Bump composer/composer from 1.2.0 to 1.10.22

    Bumps composer/composer from 1.2.0 to 1.10.22.

    Release notes

    Sourced from composer/composer's releases.

    1.10.22

    • Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)

    1.10.21

    • Fixed support for new GitHub OAuth token format
    • Fixed processes silently ignoring the CWD when it does not exist

    1.10.20

    • Fixed exclude-from-classmap causing regex issues when having too many paths
    • Fixed compatibility issue with Symfony 4/5

    1.10.19

    • Fixed regression on PHP 8.0

    1.10.18

    • Allow installation on PHP 8.0

    1.10.17

    • Fixed Bitbucket API authentication issue
    • Fixed parsing of Composer 2 lock files breaking in some rare conditions

    1.10.16

    • Added warning to validate command for cases where packages provide/replace a package that they also require
    • Fixed JSON schema validation issue with PHPStorm
    • Fixed symlink handling in archive command

    1.10.15

    • Fixed path repo version guessing issue

    1.10.14

    • Fixed version guesser to look at remote branches as well as local ones
    • Fixed path repositories version guessing to handle edge cases where version is different from the VCS-guessed version
    • Fixed COMPOSER env var causing issues when combined with the global command
    • Fixed a few issues dealing with PHP without openssl extension (not recommended at all but sometimes needed for testing)

    1.10.13

    • Fixed regressions with old version validation
    • Fixed invalid root aliases not being reported

    1.10.12

    • Fixed regressions with old version validation

    1.10.11

    • Fixed more PHP 8 compatibility issues
    • Fixed regression in handling of CTRL-C when xdebug is loaded
    • Fixed status handling of broken symlinks

    1.10.10

    • Fixed create-project not triggering events while installing the root package

    ... (truncated)

    Changelog

    Sourced from composer/composer's changelog.

    [1.10.22] 2021-04-27

    • Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)

    [1.10.21] 2021-04-01

    • Fixed support for new GitHub OAuth token format
    • Fixed processes silently ignoring the CWD when it does not exist

    [1.10.20] 2021-01-27

    • Fixed exclude-from-classmap causing regex issues when having too many paths
    • Fixed compatibility issue with Symfony 4/5

    [1.10.19] 2020-12-04

    • Fixed regression on PHP 8.0

    [1.10.18] 2020-12-03

    • Allow installation on PHP 8.0

    [1.10.17] 2020-10-30

    • Fixed Bitbucket API authentication issue
    • Fixed parsing of Composer 2 lock files breaking in some rare conditions

    [1.10.16] 2020-10-24

    • Added warning to validate command for cases where packages provide/replace a package that they also require
    • Fixed JSON schema validation issue with PHPStorm
    • Fixed symlink handling in archive command

    [1.10.15] 2020-10-13

    • Fixed path repo version guessing issue

    [1.10.14] 2020-10-13

    • Fixed version guesser to look at remote branches as well as local ones
    • Fixed path repositories version guessing to handle edge cases where version is different from the VCS-guessed version
    • Fixed COMPOSER env var causing issues when combined with the global command
    • Fixed a few issues dealing with PHP without openssl extension (not recommended at all but sometimes needed for testing)

    [1.10.13] 2020-09-09

    • Fixed regressions with old version validation
    • Fixed invalid root aliases not being reported

    [1.10.12] 2020-09-08

    ... (truncated)

    Commits
    • 28c9dfb Release 1.10.22
    • cd682f9 Update xdebug-handler to latest
    • 1cdbacb Update changelog
    • 083b735 Merge pull request from GHSA-h5h8-pc6h-jvvx
    • 4dc293b Update changelog
    • 96acad1 Update github token pattern to match their latest updates
    • 54889ca Document GH token usage and also make sure we redact them in Process debug ou...
    • dc83ba9 Update GitHub token pattern
    • 06003f4 Update release step to use php8 as it produces slightly different output wrt ...
    • 812207c Merge pull request #9695 from Seldaek/avoid-invalid-dir
    • Additional commits viewable in compare view


    Reviewed by dependabot[bot] at 2021-04-29 22:16
  • 9. Add possibility to set a fallback url

    Short description of what this resolves:

    This commit allows to set a fallback url in case the provided url is not accessible.

    Changes proposed in this pull request:

    That is triggered by setting the key "fallback-url" for the element like this:

    "tool" : {
        "url" : "https://not-accessible-url/tool.phar",
        "fallback-url" : "https://fallback-url/tool.phar"
    }
    

    In case the provided url is not accessible, the code will check for the fallback-url key and if set, the fallback url will be checked for accessibility and used to download the asset. Otherwise it displays the error message At least one given URL are not accessible!.

    Fixes: #

    Reviewed by svenjungnickel at 2019-05-08 08:25
  • 10. (Windows) Missed symlink to phar at bin folder

    Expected behavior

    php-cs-fixer.phar appears in bin folder

    Actual behavior

    bin folder is empty

    Steps to reproduce actual behavior

    1. Create dummy composer.json with the following content
    {
      "name": "akuma/test1",
      "authors": [
        {
          "name": "Nikita Makarov",
          "email": "[email protected]"
        }
      ],
      "require": {},
      "require-dev": {
        "tm/tooly-composer-script": "^1.2"
      },
      "config": {
        "bin-dir": "bin"
      },
      "extra": {
        "tools": {
          "php-cs-fixer": {
            "url": "https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.13.1/php-cs-fixer.phar",
            "only-dev": true,
            "force-replace": true
          }
        }
      },
      "scripts": {
        "post-install-cmd": "Tooly\\ScriptHandler::installPharTools",
        "post-update-cmd": "Tooly\\ScriptHandler::installPharTools"
      }
    }
    
    2. Execute composer install --dev, with UAC disabled and the cmd terminal started as Administrator

    Other information (e.g. version, os system, stacktraces, etc)

    systeminfo | findstr /B /C:"OS Version" /C:"System Type" /C:"System Locale"

    OS Version:                10.0.17763 N/A Build 17763
    System Type:               x64-based PC
    System Locale:             en-us;English (United States)
    

    php -i | findstr /B /C:"PHP Version" /C:"Architecture" /C:"Compiler" /C:"Configure Command" /C:"Zend Extension Build"

    PHP Version => 7.1.26
    Compiler => MSVC14 (Visual C++ 2015)
    Architecture => x64
    Configure Command => cscript /nologo configure.js  "--enable-snapshot-build" "--enable-debug-pack" "--with-pdo-oci=c:\php-snap-build\deps_aux\oracle\x64\instantclient_12_1\sdk,shared" "--with-oci8-12c=c:\php-snap-build\deps_aux\oracle\x64\instantclient_12_1\sdk,shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet=shared" "--with-mcrypt=static" "--without-analyzer" "--with-pgo"
    Zend Extension Build => API320160303,TS,VC14
    
    Reviewed by inri13666 at 2019-01-30 11:18
  • 11. Check symlink creation in no-dev mode

    If Composer is executed in "--no-dev" mode, only symlinks to non-only-dev tools should be created. Actually, symlinks to all existing PHAR tools are created.

    Reviewed by tommy-muehle at 2016-09-12 08:39
  • 12. Bump composer/composer from 1.2.0 to 1.10.26

    Bumps composer/composer from 1.2.0 to 1.10.26.

    Release notes

    Sourced from composer/composer's releases.

    1.10.26

    • Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)

    1.10.25

    • Fixed selfupdate on Windows + PHP 8.1 regression (#10446)

    1.10.24

    1.10.23

    • Security: Fixed command injection vulnerability on Windows (GHSA-frqg-7g38-6gcf / CVE-2021-41116)

    1.10.22

    • Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)

    1.10.21

    • Fixed support for new GitHub OAuth token format
    • Fixed processes silently ignoring the CWD when it does not exist

    1.10.20

    • Fixed exclude-from-classmap causing regex issues when having too many paths
    • Fixed compatibility issue with Symfony 4/5

    1.10.19

    • Fixed regression on PHP 8.0

    1.10.18

    • Allow installation on PHP 8.0

    1.10.17

    • Fixed Bitbucket API authentication issue
    • Fixed parsing of Composer 2 lock files breaking in some rare conditions

    1.10.16

    • Added warning to validate command for cases where packages provide/replace a package that they also require
    • Fixed JSON schema validation issue with PHPStorm
    • Fixed symlink handling in archive command

    1.10.15

    • Fixed path repo version guessing issue

    1.10.14

    • Fixed version guesser to look at remote branches as well as local ones
    • Fixed path repositories version guessing to handle edge cases where version is different from the VCS-guessed version
    • Fixed COMPOSER env var causing issues when combined with the global command
    • Fixed a few issues dealing with PHP without openssl extension (not recommended at all but sometimes needed for testing)

    ... (truncated)

    Changelog

    Sourced from composer/composer's changelog.

    [1.10.26] 2022-04-13

    • Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)

    [1.10.25] 2022-01-21

    • Fixed selfupdate on Windows + PHP 8.1 regression (#10446)

    [1.10.24] 2021-12-09

    [1.10.23] 2021-10-05

    • Security: Fixed command injection vulnerability on Windows (GHSA-frqg-7g38-6gcf / CVE-2021-41116)

    [1.10.22] 2021-04-27

    • Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)

    [1.10.21] 2021-04-01

    • Fixed support for new GitHub OAuth token format
    • Fixed processes silently ignoring the CWD when it does not exist

    [1.10.20] 2021-01-27

    • Fixed exclude-from-classmap causing regex issues when having too many paths
    • Fixed compatibility issue with Symfony 4/5

    [1.10.19] 2020-12-04

    • Fixed regression on PHP 8.0

    [1.10.18] 2020-12-03

    • Allow installation on PHP 8.0

    [1.10.17] 2020-10-30

    • Fixed Bitbucket API authentication issue
    • Fixed parsing of Composer 2 lock files breaking in some rare conditions

    [1.10.16] 2020-10-24

    • Added warning to validate command for cases where packages provide/replace a package that they also require
    • Fixed JSON schema validation issue with PHPStorm
    • Fixed symlink handling in archive command

    ... (truncated)

    Commits


    Reviewed by dependabot[bot] at 2022-04-22 20:44
  • 13. Bump phpunit/phpunit from 5.5.4 to 5.7.27

    Bumps phpunit/phpunit from 5.5.4 to 5.7.27.

    Changelog

    Sourced from phpunit/phpunit's changelog.

    [5.7.27] - 2018-02-01

    Fixed

    • Fixed #2236: Exceptions in tearDown() do not affect getStatus()
    • Fixed #2950: Class extending PHPUnit\Framework\TestSuite does not extend PHPUnit\FrameworkTestCase
    • Fixed #2972: PHPUnit crashes when test suite contains both .phpt files and unconventionally named tests

    [5.7.26] - 2017-12-17

    Fixed

    • Fixed #2472: PHPUnit\Util\Getopt uses deprecated each() function
    • Fixed #2833: Test class loaded during data provider execution is not discovered
    • Fixed #2922: Test class is not discovered when there is a test class with @group and provider throwing exception in it, tests are run with --exclude-group for that group, there is another class called later (after the class from above), and the name of that another class does not match its filename

    [5.7.25] - 2017-11-14

    Fixed

    [5.7.24] - 2017-11-14

    Fixed

    • Fixed #2833: Test class loaded during data provider execution is not discovered

    [5.7.23] - 2017-10-15

    Fixed

    • Fixed #2731: Empty exception message cannot be expected

    [5.7.22] - 2017-09-24

    Fixed

    • Fixed #2769: Usage of setUseErrorHandler() produces Undefined variable error

    [5.7.21] - 2017-06-21

    Added

    • Added PHPUnit\Framework\AssertionFailedError, PHPUnit\Framework\Test, and PHPUnit\Framework\TestSuite to the forward compatibility layer for PHPUnit 6

    Fixed

    • Fixed #2705: stderr parameter in phpunit.xml always considered true

    ... (truncated)

    Commits
    • b7803ae Prepare release
    • 63f3e4a Update Composer to 1.6.3
    • 023f4f0 Allow failures on PHP 7.2 and PHP 7.3
    • e92a128 Update ChangeLog
    • d125b4e Make this compatible with PHPUnit 5.7
    • 63f2fec code style requires a namespace
    • 20ffc44 typo
    • 853e43c Fix: PHPUnit shouldn't fail when a test suite contains both *.phpt files and ...
    • 7d1494a Update tools
    • 32f4c99 Update Composer to 1.6.2
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Reviewed by dependabot[bot] at 2022-03-26 00:47
  • 14. 2 Issues with `rename`: `must be absolute paths` and downloads _always_ have `.phar` extension

    I am using rename, e.g.

    "phpcs": {
        "url": "https://github.com/squizlabs/PHP_CodeSniffer/releases/download/3.5.5/phpcs.phar",
        "rename": true
    }
    

    This currently (1.4.1) fails due to two issues:

    1. The composer (1.10.5) tooling for symlinks requires absolute paths (this may be a change on their side, I did not investigate). When using rename the $filename is set to a plain name, phpcs in my example, when it should be /some/path/vendor/bin/phpcs.
    2. (After fixing 1) process always downloads files with a .phar extension, so that symlinkOrCopy produces dangling symlinks for my example, e.g. phpcs -> ../tm/tooly-composer-script/bin/phpcs, when the downloaded file is forced to be ../tm/tooly-composer-script/bin/phpcs.phar.

    My proposed patch:

    diff -Naur tooly-composer-script/src/Script/Processor.php tooly-composer-script-patch/src/Script/Processor.php
    --- tooly-composer-script/src/Script/Processor.php	2019-06-24 22:52:52.000000000 +0200
    +++ tooly-composer-script-patch/src/Script/Processor.php	2020-05-05 17:38:06.726662222 +0200
    @@ -101,10 +101,11 @@
     
             $filename = $tool->getFilename();
             if ($tool->renameToConfigKey()) {
    -            $filename = $tool->getName();
    +            $filename = dirname($filename) . DIRECTORY_SEPARATOR . $tool->getName();
             }
             $composerDir = $this->configuration->getComposerBinDirectory();
             $composerPath = $composerDir . DIRECTORY_SEPARATOR . basename($filename);
    +        $filename = str_replace('.phar', '', $filename) . '.phar';
     
             if (Platform::isWindows()) {
                 $this->helper->getFilesystem()->copyFile($filename, $composerPath);
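    Review bot: the added line `$filename = str_replace('.phar', '', $filename) . '.phar';` strips every occurrence of `.phar` anywhere in the path, not only a trailing extension, so a directory or tool name that happens to contain `.phar` elsewhere would be rewritten; a suffix check such as `if (substr($filename, -5) !== '.phar') { $filename .= '.phar'; }` appends the extension only when it is missing. The ordering of the two new lines is otherwise right: `$composerPath` is built from `basename($filename)` before the extension is appended, so the link in the composer bin directory keeps the bare config-key name while its target carries `.phar`. Note also that `dirname($filename)` in the rename branch only yields an absolute path if `getFilename()` already returns one; for a bare name it returns `.`.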
    
    Reviewed by RobertKosten at 2020-05-05 15:51
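    The path handling the issue describes, as an added example in PHP that is not the project's own code: it takes the rename key or the file name from the URL, appends .phar only when it is missing, and rejects keys that are not plain file names before they become paths. The resolveToolPaths name and the directory values are assumptions.

    ```php
    <?php
    // Added example (not tooly-composer-script code): decide where a tool is
    // stored on disk and what the composer bin entry is called when "rename" is set.
    function resolveToolPaths(string $toolBinDir, string $composerBinDir, string $key, string $url, bool $rename): array
    {
        // File name as published at the URL, e.g. "phpcs.phar".
        $urlName = basename((string) parse_url($url, PHP_URL_PATH));
        $name = $rename ? $key : $urlName;

        // The config key becomes a file name: accept only a plain name, no separators.
        if ($name === '' || $name === '.' || $name === '..' || strpbrk($name, "/\\") !== false) {
            throw new InvalidArgumentException("Refusing tool name that is not a plain file name: $name");
        }

        // Downloads always land on disk with a .phar extension; a suffix check
        // (not str_replace) appends it only when missing, so ".phar" elsewhere survives.
        $stored = substr($name, -5) === '.phar' ? $name : $name . '.phar';

        return [
            'download' => $toolBinDir . DIRECTORY_SEPARATOR . $stored,   // absolute path on disk
            'link'     => $composerBinDir . DIRECTORY_SEPARATOR . $name, // what the developer invokes
        ];
    }

    // Constructed directories mirroring the layout in the issue above.
    $paths = resolveToolPaths(
        '/project/vendor/tm/tooly-composer-script/bin',
        '/project/vendor/bin',
        'phpcs',
        'https://github.com/squizlabs/PHP_CodeSniffer/releases/download/3.5.5/phpcs.phar',
        true
    );
    printf("download: %s\nlink:     %s\n", $paths['download'], $paths['link']);
    ```

    With rename the link is named after the config key and its target keeps the .phar extension, which is the pairing the dangling symlink in the issue was missing.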
  • 15. Function ReflectionType::__toString() is deprecated on PHPUnit 5.7 with PHP 7.4

    Expected behavior

    • No error on PHPUnit execution.

    Actual behavior

    Function ReflectionType::__toString() is deprecated
    

    Steps to reproduce actual behavior

    • Using the PHPUnit 5.7 to execute unit tests on php-7.4 version.

    Current solutions

    • Upgrading different PHPUnit versions for php-7.4 version.
    • Defining different PHP versions to support different PHP versions.

    Reviewed by peter279k at 2020-03-24 16:30
  • 16. Test enhancement

    Short description of what this resolves:

    • Test enhancement

    Changes proposed in this pull request:

    • According to the PHPUnit fixtures, the setUp method is protected, not public.
    • Using the PHPUnit\Framework\TestCase namespace.
    • Removing unnecessary namespace declarations.

    Version: 1.x

    Reviewed by peter279k at 2020-03-24 16:19