Merge in config / allow-plugins #229

Open
FlorianSW opened this issue Feb 25, 2022 · 3 comments

@FlorianSW
Member

Right now, suppose there is a root composer.json with the following properties set:

{
  "config": {
    "allow-plugins": {
      "some-plugin": true
    }
  },
  "extra": {
    "merge-plugin": {
      "include": [
        "composer.local.json"
      ],
      "recurse": true,
      "replace": false,
      "ignore-duplicates": false,
      "merge-dev": true,
      "merge-extra": false,
      "merge-extra-deep": false,
      "merge-scripts": false
    }
  }
}

(simplified)

and the following composer.local.json:

{
  "require": {
    "composer/installers": ">=1.0.1"
  },
  "config": {
    "allow-plugins": {
      "some-plugin": true
    }
  }
}

Running composer update with this setup will try to install the composer/installers plugin. However, as it is not mentioned in the main allow-plugins section, the user will be prompted to decide if this plugin is allowed to be installed or not.

The composer-merge plugin should merge in the allow-plugins config from included files into the main one. However, I'm not quite sure on what level: Should it be only the allow-plugins property, which probably would be fine to do unconditionally. If it would make sense to consider the whole config property, it would most likely make sense to have a merge-config (or alike) config for the merge-plugin, like it is already present for the extra and scripts properties.

@reedy
Member

reedy commented Feb 25, 2022

For reference, allow-plugins is new in composer 2.2 - https://getcomposer.org/doc/06-config.md#allow-plugins

https://blog.packagist.com/composer-2-2/

@Querela

Querela commented Apr 12, 2022

I also just now found this issue.
Docker mediawiki version mediawiki:1.37.2 adds support for composer 2.2+ according to release notes (before only composer 2.1.14 worked with MW 1.37.1).
But the new security setting blocks installation for e.g. SemanticMediaWiki which currently can only be installed with composer when I try to use a composer.local.json file.
And as docker images run non-interactively, I can't agree to add the composer/installers into the allow-plugins section. Without manually agreeing, the folder SemanticMediaWiki can't be placed into extensions/.
And hacking the original composer.json file seems not stable over different releases as a third-party.

@codebymikey

> However, I'm not quite sure on what level: Should it be only the allow-plugins property, which probably would be fine to do unconditionally.

I think it makes sense to merge the whole config, just so additional options like sort-packages, preferred-install etc. can be properly merged in as needed.
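
Merging allow-plugins from included files widens the set of packages Composer will run plugin code from, so it helps to see exactly what each include would add. The following is an added example, not code from the merge plugin or from Composer: a Python sketch of merging only the allow-plugins map. The function name, the rule that existing entries win on conflict, and the rejection of a blanket boolean value from an include are all assumptions, and the sample JSON is constructed.

```python
import json

# Constructed sample input modelled on the issue: a root composer.json and one
# included file that wants composer/installers to be allowed.
ROOT = json.loads("""
{"config": {"allow-plugins": {"some-plugin": true}},
 "extra": {"merge-plugin": {"include": ["composer.local.json"], "replace": false}}}
""")
INCLUDES = {
    "composer.local.json": json.loads("""
    {"require": {"composer/installers": ">=1.0.1"},
     "config": {"allow-plugins": {"composer/installers": true, "some-plugin": false}}}
    """),
}


def merge_allow_plugins(root, includes):
    """Return (effective allow-plugins map, audit list of what includes changed).

    Assumed semantics (hypothetical, not the plugin's behaviour): entries that
    are already set win on conflict, mirroring "replace": false, and a blanket
    boolean allow-plugins in an include is rejected rather than merged.
    """
    root_allow = root.get("config", {}).get("allow-plugins", {})
    if isinstance(root_allow, bool):
        # Root already allows or denies everything; includes cannot change that.
        return root_allow, []
    merged, audit = dict(root_allow), []
    for path, data in includes.items():
        allow = data.get("config", {}).get("allow-plugins", {})
        if isinstance(allow, bool):
            audit.append((path, "*", "rejected: blanket allow-plugins=%s" % allow))
            continue
        for name, value in allow.items():
            if name in merged:
                if merged[name] != value:
                    audit.append((path, name, "ignored: already set to %s" % merged[name]))
                continue
            merged[name] = value
            audit.append((path, name, "added: %s" % value))
    return merged, audit


if __name__ == "__main__":
    effective, changes = merge_allow_plugins(ROOT, INCLUDES)
    print(json.dumps(effective, indent=2))
    for path, name, note in changes:
        print("%s: %s %s" % (path, name, note))
```

The audit list is the part worth reviewing in a non-interactive build, since it names every plugin that would gain execution rights because of an included file rather than the root composer.json.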
