-
-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency patch resolution: Only allow patches from trusted dependencies #551
Comments
👋 Thanks for the idea! Please remember that this is an open source project - feature requests may or may not be implemented, and if they are, the timeline is unknown. If you need a guaranteed implementation or timeline, sponsorships are welcome! |
I'm on board. Maybe we can add another config value 'allow-dependency-patches' and have that act as an allow list if set. I don't want to have to set both. Having both set should probably be an error. |
Thanks!
Yes, that would also make this much better to maintain 👍 |
If I want to disable dependency patch resolution altogether: Edit: I guess I could cheat by doing |
You can just disable the resolver - no need to try to make an allow list work for that :) |
@cweagans I'd be happy to take a stab at adding |
No worries. Same thing here - I'll update here if I beat you to it! |
Can we clarify the intention of the |
Correct. If the option is NOT defined, all dependencies will be scanned for patches. If it IS defined, only the listed packages will be scanned. |
I'm so interested to having this option, something like allow-plugins but it could be called as we do have
as
Maybe in projects the support team could chose to add more patches.
|
@Natshah All composer patches config is nested inside of a As an aside, you might be interested in https://github.com/cweagans/composer-configurable-plugin/ as a replacement for this file: https://github.com/drupal/core-composer-scaffold/blob/11.x/ScaffoldOptions.php It handles getting config from composer.json + the environment, merging it all down into one location, and ensures that it's the right data type. It probably wouldn't be backwards compatible, but it might be an interesting thing to explore! |
Another use case here, again from Drupal-land. Now that Drupal CI is run on GitLab the template allows modules to express patches in their |
…rusted dependencies
…rusted dependencies
I think this is a very important feature, especially when i think about security, implemented this and PR |
While thinking about securely supporting patches, I'd like for example to only allow patches added in a local folder, and present in the first level of my composer.json. Edit: it seems on version2 no dependencies patches are running. So it fixes the problem for packages updating other packages. But still being able to fix the trusted sources of patches seems good. |
Verification
composer self-update
)composer update cweagans/composer-patches
)Is your feature request related to a problem?
I only allow patches from sources I trust.
By default
cweagans/composer-patches
seems to apply patches from any of my dependencies.Describe your proposed solution(s)
Describe alternatives
No response
Additional context
You will have less bug reports related to Dependency patch resolution if users are forced to know where they want to apply patches from.
However, I don't mind it -not my project- but I would need a way to opt-out and instead define the sources I trust myself.
The text was updated successfully, but these errors were encountered: