production-dependencies-guard icon indicating copy to clipboard operation
production-dependencies-guard copied to clipboard

Published 20 hours ago verified publisher icon kalessil

Whitelist ability to specify specific guards

Open SunMar opened this issue 3 years ago • 2 comments

Hi,

First I want to say that I love this composer plugin. It really helps keeping track of not accidentally installing a bad license or an abandoned package. The check-description guard is something I like too, but is something that feels a bit conflicting with the whitelist. There are some packages that I'd like to whitelist (for example symfony/error-handler because it's included as a non-dev requirement by Laravel but the guard blocks it as it thinks it's a debug only package). However I'd only like to whitelist that package for the check-description guard, not for the check-abandoned or the check-license guards. If for some reason the package becomes abandoned, or they change the license, installation should be blocked.

So maybe the white-list options can be expanded for example like so:

{
    "name": "...",

    "extra": {
        "production-dependencies-guard": [
            "check-lock-file",
            "check-description",
            "check-license",
            "check-abandoned",
            
            "white-list:vendor/package-one:license,abandoned",
            "white-list:vendor/package-two",
            
            "accept-license:MIT"
        ]
    }
}

A change like this could be backwards compatible, where vendor/package-two still uses all guards, but vendor/package-one will only trigger when checking the license or when it's abandoned.

SunMar avatar Mar 22 '21 20:03 SunMar

If I understand correctly, you are trying to configure guards for some packages individually.

The idea looks good to me, but I'm not sure about the configuration format. What do you think about this approach?

{
    "name": "...",

    "extra": {
        "production-dependencies-guard": [
            "check-lock-file",
            "check-description",
            "check-license",
            "check-abandoned",
            
            "white-list:vendor/package-one",
            "white-list:vendor/package-two",

           "package-guards:vendor/package-one=license,abandoned",
            
            "accept-license:MIT"
        ]
    }
}

here "package-guards:vendor/package-one=license,abandoned", would allow to set guards (from the active guards) individually for each package.

kalessil avatar Jun 11 '21 06:06 kalessil

That would be perfect! 😃 I have no preference in if it's part of an existing directive or a new one.

Thinking about it now, maybe an interesting question is whether someone would prefer to specify the guards they do want or specify the guards you don't want. In my use case the most common pattern would be to want to exclude check-description, but either way is perfectly fine.

SunMar avatar Jun 11 '21 10:06 SunMar