Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Whitelist ability to specify specific guards #17

Open
SunMar opened this issue Mar 22, 2021 · 2 comments
Open

Whitelist ability to specify specific guards #17

SunMar opened this issue Mar 22, 2021 · 2 comments

Comments

@SunMar
Copy link

SunMar commented Mar 22, 2021

Hi,

First I want to say that I love this composer plugin. It really helps keeping track of not accidentally installing a bad license or an abandoned package. The check-description guard is something I like too, but is something that feels a bit conflicting with the whitelist. There are some packages that I'd like to whitelist (for example symfony/error-handler because it's included as a non-dev requirement by Laravel but the guard blocks it as it thinks it's a debug only package). However I'd only like to whitelist that package for the check-description guard, not for the check-abandoned or the check-license guards. If for some reason the package becomes abandoned, or they change the license, installation should be blocked.

So maybe the white-list options can be expanded for example like so:

{
    "name": "...",

    "extra": {
        "production-dependencies-guard": [
            "check-lock-file",
            "check-description",
            "check-license",
            "check-abandoned",
            
            "white-list:vendor/package-one:license,abandoned",
            "white-list:vendor/package-two",
            
            "accept-license:MIT"
        ]
    }
}

A change like this could be backwards compatible, where vendor/package-two still uses all guards, but vendor/package-one will only trigger when checking the license or when it's abandoned.
@kalessil
Copy link
Owner

kalessil commented Jun 11, 2021
edited
Loading

If I understand correctly, you are trying to configure guards for some packages individually.

The idea looks good to me, but I'm not sure about the configuration format. What do you think about this approach?

{
    "name": "...",

    "extra": {
        "production-dependencies-guard": [
            "check-lock-file",
            "check-description",
            "check-license",
            "check-abandoned",
            
            "white-list:vendor/package-one",
            "white-list:vendor/package-two",

           "package-guards:vendor/package-one=license,abandoned",
            
            "accept-license:MIT"
        ]
    }
}

here "package-guards:vendor/package-one=license,abandoned", would allow to set guards (from the active guards) individually for each package.

@SunMar
Copy link
Author

SunMar commented Jun 11, 2021

That would be perfect! 😃 I have no preference in if it's part of an existing directive or a new one.

Thinking about it now, maybe an interesting question is whether someone would prefer to specify the guards they do want or specify the guards you don't want. In my use case the most common pattern would be to want to exclude check-description, but either way is perfectly fine.

@SunMar SunMar mentioned this issue Jul 3, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kalessil @SunMar