mxr576 / ddqg-composer-audit
Drupal Dependency Quality Gate Composer audit plugin
Requires
- php: ~8.1.0 || ~8.2.0 || ~8.3.0
- composer-plugin-api: ^2.3
- composer/composer: ^2.6.0
- cweagans/composer-configurable-plugin: ^2.0
- halaxa/json-machine: ^1.1
- loophp/collection: ^7.1
- psr/event-dispatcher: ^1.0
- webmozart/assert: ^1.11
Requires (Dev)
- ergebnis/composer-normalize: ^2.30
- ergebnis/license: ^2.1
- friendsofphp/php-cs-fixer: ^3.16
- phparkitect/phparkitect: ~0.3.24
- phpstan/phpstan: ^1.10
- phpstan/phpstan-deprecation-rules: ^1.0
- phpstan/phpstan-webmozart-assert: ^1.2
Suggests
- mxr576/composer-audit-changes: The `composer audit-changes` Composer command works similarly to the built-in `composer audit` command but it only audits newly installed or updated packages since a previous version of `composer.lock`.
README
This project extends the composer audit command with "advisories" from the mxr576/ddqg project, whose goal is to help Drupal projects run on secure and high-quality Drupal dependencies.
Check out the "alternative" composer audit command from mxr576/composer-audit-changes, because it can help adopting this package on existing projects that have already accumulated technical debt.
Installation
$ composer require --dev mxr576/ddqg-composer-audit
Example output
$ composer audit
+-------------------+----------------------------------------------------------------------------------+
| Package | drupal/apigee_edge |
| CVE | DDQG-D10-incompatible-drupal-apigee_edge |
| Title | The installed "2.0.7.0" version is not compatible with Drupal 10. (Reported by D |
| | rupal Dependency Quality Gate.) |
| URL | https://www.drupal.org/project/apigee_edge |
| Affected versions | 2.0.7.0 |
| Reported at | 2023-05-07T13:49:57+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | drupal/apigee_edge |
| CVE | DDQG-insecure-drupal-apigee_edge |
| Title | The installed "2.0.7.0" version is insecure. (Reported by Drupal Dependency Qual |
| | ity Gate.) |
| URL | https://www.drupal.org/project/apigee_edge |
| Affected versions | >=1.0.0,<1.27.0|>=2.0.0,<2.0.8 |
| Reported at | 2023-05-07T13:49:57+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | drupal/core |
| CVE | DDQG-insecure-drupal-core |
| Title | The installed "9.4.0.0" version is insecure. (Reported by Drupal Dependency Qual |
| | ity Gate.) |
| URL | https://www.drupal.org/project/core |
| Affected versions | >=9.4.0,<9.4.14|>=9.5.0,<9.5.8|>=10.0.0,<10.0.8 |
| Reported at | 2023-05-07T13:49:57+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | drupal/feeds |
| CVE | DDQG-unsupported-drupal-feeds-3.0.0.0-beta3 |
| Title | The installed "3.0.0.0-beta3" version is unsupported. (Reported by Drupal Depend |
| | ency Quality Gate.) |
| URL | https://www.drupal.org/project/feeds |
| Affected versions | 2.x-dev|3.0.0-alpha1|3.0.0-alpha2|3.0.0-alpha3|3.0.0-alpha4|3.0.0-alpha5|3.0.0-a |
| | lpha6|3.0.0-alpha7|3.0.0-alpha8|3.0.0-alpha9|3.0.0-alpha10|3.0.0-alpha11|3.0.0-b |
| | eta1|3.0.0-beta2|3.0.0-beta3|3.x-dev |
| Reported at | 2023-05-07T13:49:57+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | drupal/variationcache |
| CVE | DDQG-deprecated-drupal-variationcache-1.2.0.0 |
| Title | The installed "1.2.0.0" version is deprecated. (Reported by Drupal Dependency Qu |
| | ality Gate.) |
| URL | https://www.drupal.org/project/variationcache |
| Affected versions | * |
| Reported at | 2024-01-08T12:15:20+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Configuration
Quality assurance can feel painful, but it is an important part of professional software development. The goal of this project is to draw attention to dependency quality issues in a project. For these reasons it intentionally provides only minimal opt-out options.
Ignoring warnings about deprecated or unsupported package versions in use
Warning
This feature is deprecated and will be removed in version 2.0.0. Composer's built-in audit ignore feature has superseded it.
In the project's root composer.json, under the extra property, add a definition like the following:
"ddqg-composer-audit": {
  "ignore-deprecated-versions": {
    "vendor/package": "an_explicit_version_string",
    "drupal/swiftmailer": "2.4.0"
  },
  "ignore-unsupported-versions": {
    "vendor/package": "an_explicit_version_string",
    "drupal/tamper": "1.0.0-alpha3"
  }
}
Alternatively, comma-separated ignore rules can be defined in the DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS and DDQG_COMPOSER_AUDIT_IGNORE_UNSUPPORTED_VERSIONS environment variables, for example DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS=drupal/swiftmailer:2.4.0,vendor/package:1.x-dev or DDQG_COMPOSER_AUDIT_IGNORE_UNSUPPORTED_VERSIONS=drupal/tamper:1.0.0-alpha3,vendor/package:1.x-dev
Environment variables take precedence over the configuration in composer.json; if one is defined, the definition in the project root composer.json is ignored completely.
Note: warnings about ignored deprecated or unsupported packages are still printed on STDERR.
Not supporting version ranges in these definitions is a conscious decision, because (again) the goal is to keep dependency quality issues continuously visible rather than to hide them.
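The ignore-rule semantics described above (an environment variable replaces the composer.json definition entirely, a rule matches only an exact version string, and ignored findings are still reported on STDERR), as an added PHP illustration that is not the plugin's own code; the function names and the sample package versions are assumptions:

```php
<?php
declare(strict_types=1);

// Constructed example, not the plugin's implementation: resolve ignore rules the way the
// README describes them and apply them to two constructed audit findings.

/** Parse "vendor/package:1.2.3,other/pkg:2.x-dev" into ['vendor/package' => '1.2.3', ...]. */
function parseIgnoreRules(string $csv): array
{
    $rules = [];
    foreach (array_filter(array_map('trim', explode(',', $csv))) as $rule) {
        // Package names never contain ':', so split on the first one only.
        $parts = explode(':', $rule, 2);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            throw new InvalidArgumentException("Malformed ignore rule '$rule' (expected vendor/package:version)");
        }
        $rules[$parts[0]] = $parts[1];
    }
    return $rules;
}

/** An environment variable, when set, replaces the composer.json rules; they are never merged. */
function resolveIgnoreRules(?string $envValue, array $composerJsonRules): array
{
    if ($envValue !== null && $envValue !== '') {
        return parseIgnoreRules($envValue);
    }
    return $composerJsonRules;
}

/** A finding is ignored only when the installed version equals the configured version string exactly (no ranges). */
function isIgnored(array $rules, string $package, string $installedVersion): bool
{
    return isset($rules[$package]) && $rules[$package] === $installedVersion;
}

// Constructed inputs mirroring the README's examples.
$fromComposerJson = ['drupal/swiftmailer' => '2.4.0', 'vendor/package' => 'an_explicit_version_string'];
$envValue = getenv('DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS') ?: null;
$rules = resolveIgnoreRules($envValue, $fromComposerJson);

// Constructed findings: the first matches the rule exactly, the second differs by a patch level.
foreach ([['drupal/swiftmailer', '2.4.0'], ['drupal/swiftmailer', '2.4.1']] as [$package, $version]) {
    if (isIgnored($rules, $package, $version)) {
        fwrite(STDERR, "Ignoring deprecated version {$version} of {$package} (matches an ignore rule).\n");
    } else {
        echo "{$package} {$version}: deprecated, reported.\n";
    }
}
```

Run it once without the environment variable and once with DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS=vendor/package:1.x-dev set to see the composer.json rule for drupal/swiftmailer being discarded rather than merged.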
Checking Drupal 10 compatibility
For projects still running Drupal 9: when this feature is enabled, composer audit also checks whether the installed versions of the package dependencies are compatible with Drupal 10. This can make the Drupal 10 upgrade smoother.
This feature is disabled by default and can be enabled with
"ddqg-composer-audit": { "check-d10-compatibility": true }
or by setting the DDQG_COMPOSER_AUDIT_CHECK_D10_COMPATIBILITY=true environment variable.
This is a seasonal feature that will be removed after Drupal 9 EOL.
Integrations
- Build definition of an "unofficial" Docker image that installs the latest version of this Composer plugin and the composer audit-changes command.
FAQ
Drupal Packagist already provides package advisories, why should I care about this plugin?
That feature has only been available on Drupal Packagist since September 21, 2023. The security advisory data served through Drupal Packagist only contains information based on published security advisories; it does not include releases marked as "insecure", but this Composer plugin does.