Missing composer.json?
-
Hi there!
Our website is hosted on WP VIP and we are upgrading the plugin. We have had the plugin in our github repo with the /lib/vendor folder .gitignored. Our build process took care of running composer on the plugin before it was deployed. The latest plugin release (2.0.1) no longer seems to include a composer.json file. This means that we now need to include the repositioned /vendor folder in our repo rather than .gitignoring it, which isn’t ideal.
Any chance you’ll be putting the composer.json and composer.lock files back into the distributed files?
-
Hey @mollfrey, thanks for the question. The composer.json was actually removed in the v1.9.10 release. The reasoning behind this is we fully build the plugin prior to submitting it to www.remarpro.com and as such, we remove any files that are only there for build purposes (like composer.json or package.json). Idea here is anyone installing straight from .org isn’t going to need those files.
That said, definitely understand that there are legitimate workflows that rely on having that file. Here’s a few different paths I’d recommend looking at:
- Version control the entire plugin, including the vendor directory, with not much downside. The only dependency we rely on is enshrined/svg-sanitize, so there won’t be much in this directory. This dependency doesn’t change often so not really a need to build this every single time. As you noted, the structure of our dependencies has changed, see https://github.com/10up/safe-svg/pull/35
- Install from Packagist (or WP Packagist). Knowing you’re on WP VIP, I don’t think this is an option, unless they’ve changed some of their standards
- Download the plugin directly from GitHub into your repo, which will include the composer.json file. I think this may be the best approach for your use case, as this would allow you to continue running your own build step. And as long as you’re maintaining the plugin files yourself in your repo, not much difference in pulling those files from GitHub as opposed to www.remarpro.com
Let me know if there’s some use case I’m not considering here though. Thanks!
Hi @dkotter! Thanks for your thoughtful response! I appreciate the options you laid out — very helpful indeed!
Our initial approach was the first one you pointed out — version controlling the entire plugin, including the vendor directory. Unfortunately, that created a bunch of warnings and errors when WP VIP scanned the code with its automated tools, which led me to look for other approaches.
If it would be helpful to you, I’d be happy to pass along the output from the scans.
Thanks again for taking the time to respond to my question!
Sure, happy to look at anything they’re flagging to see if there’s things we could fix. Thanks!
I took another look at the things WP VIP’s scan flagged and I think the TL;DR: is that the issues are all in composer/platform_check.php and composer/InstalledVersions.php, so there may not be anything for y’all to do about them.
Here’s the report output anyway. I don’t think I can include screenshots here, so I’ve attempted to format the text somewhat to make things as clear as possible.
plugins/safe-svg/vendor/composer/platform_check.php
} if (!ini_get('display_errors')) { if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') { fwrite(STDERR, 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . implode(PHP_EOL, $issues) . PHP_EOL.PHP_EOL);
Warning( severity 6 ): File system operations only work on the /tmp/ and wp-content/uploads/ directories. To avoid unexpected results, please use helper functions like get_temp_dir() or wp_get_upload_dir() to get the proper directory path when using functions such as fwrite(). For more details, please see: https://docs.wpvip.com/technical-references/vip-go-files-system/local-file-operations/ (WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fwrite).

plugins/safe-svg/vendor/composer/InstalledVersions.php
*/ public static function getRawData() { @trigger_error('getRawData only returns the first dataset loaded, which may not be what you expect. Use getAllRawData() instead which returns all datasets for all autoloaders present in the process.', E_USER_DEPRECATED);
Warning( severity 5 ): trigger_error() found. Debug code should not normally be used in production (WordPress.PHP.DevelopmentFunctions.error_log_trigger_error).

plugins/safe-svg/vendor/composer/platform_check.php
if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') { fwrite(STDERR, 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . implode(PHP_EOL, $issues) . PHP_EOL.PHP_EOL); } elseif (!headers_sent()) { echo 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . str_replace('You are running '.PHP_VERSION.'.', '', implode(PHP_EOL, $issues)) . PHP_EOL.PHP_EOL;
Error( severity 5 ): All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found ‘str_replace’ (WordPress.Security.EscapeOutput.OutputNotEscaped).

plugins/safe-svg/vendor/composer/platform_check.php
echo 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . str_replace('You are running '.PHP_VERSION.'.', '', implode(PHP_EOL, $issues)) . PHP_EOL.PHP_EOL; } } trigger_error(
Warning( severity 5 ): trigger_error() found. Debug code should not normally be used in production (WordPress.PHP.DevelopmentFunctions.error_log_trigger_error).

plugins/safe-svg/vendor/composer/platform_check.php
} } trigger_error( 'Composer detected issues in your platform: ' . implode(' ', $issues),
Error( severity 5 ): All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found ‘$issues’ (WordPress.Security.EscapeOutput.OutputNotEscaped).

plugins/safe-svg/vendor/composer/InstalledVersions.php
if (isset(self::$installedByVendor[$vendorDir])) { $installed[] = self::$installedByVendor[$vendorDir]; } elseif (is_file($vendorDir.'/composer/installed.php')) { $installed[] = self::$installedByVendor[$vendorDir] = require $vendorDir.'/composer/installed.php';
Warning( severity 3 ): File inclusion using variable ($vendorDir). Probably needs manual inspection (WordPressVIPMinimum.Files.IncludingFile.UsingVariable).

plugins/safe-svg/vendor/composer/InstalledVersions.php
*/ public static function getRawData() { @trigger_error('getRawData only returns the first dataset loaded, which may not be what you expect. Use getAllRawData() instead which returns all datasets for all autoloaders present in the process.', E_USER_DEPRECATED);
Error( severity 1 ): Silencing errors is forbidden; found: @trigger_error(‘getRawData only returns the first dataset loaded, which may not be what you expect. Use getAllRawData() instead which returns all datasets for all autoloaders present in the process.’ (Generic.PHP.NoSilencedErrors.Forbidden).
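An added example, not part of the original thread and not WP VIP's or the plugin's own code: a small Python script that parses scan output in the text layout pasted above and separates findings in Composer-generated files (vendor/composer/) from findings elsewhere, which is the check the poster did by hand. The sample input is abbreviated from the report, and its last entry, including the path plugins/example-plugin/includes/render.php, is constructed.

```python
import re
from collections import Counter

# Abbreviated from the thread's report; the last entry and its path are constructed.
SAMPLE_REPORT = """\
plugins/safe-svg/vendor/composer/platform_check.php
Warning( severity 6 ): File system operations only work on the /tmp/ and wp-content/uploads/ directories. (WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fwrite).
plugins/safe-svg/vendor/composer/InstalledVersions.php
?? Warning( severity 5 ): trigger_error() found. (WordPress.PHP.DevelopmentFunctions.error_log_trigger_error).
plugins/safe-svg/vendor/composer/platform_check.php
Error( severity 5 ): All output should be run through an escaping function, found 'str_replace' (WordPress.Security.EscapeOutput.OutputNotEscaped).
plugins/safe-svg/vendor/composer/InstalledVersions.php
Warning( severity 3 ): File inclusion using variable ($vendorDir). (WordPressVIPMinimum.Files.IncludingFile.UsingVariable).
plugins/example-plugin/includes/render.php
Error( severity 5 ): All output should be run through an escaping function, found '$title' (WordPress.Security.EscapeOutput.OutputNotEscaped).
"""

PHP_PATH = re.compile(r"^\S+\.php$")
# "Warning( severity 6 ): message (Sniff.Code)." with an optional "??" prefix.
FINDING = re.compile(
    r"^(?:\?\?\s*)?(Warning|Error)\(\s*severity\s+(\d+)\s*\):\s*.*\(([\w.]+)\)\.?$"
)
GENERATED_DIR = "/vendor/composer/"  # files Composer writes at install time


def parse_report(text):
    """Pair each finding line with the most recent file-path line."""
    findings, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if PHP_PATH.match(line):
            current = line
        elif current and (m := FINDING.match(line)):
            findings.append({"file": current, "level": m[1],
                             "severity": int(m[2]), "sniff": m[3]})
    return findings


def triage(findings):
    """Split findings into Composer-generated files and everything else."""
    generated = [f for f in findings if GENERATED_DIR in f["file"]]
    needs_review = [f for f in findings if GENERATED_DIR not in f["file"]]
    return generated, needs_review


if __name__ == "__main__":
    generated, needs_review = triage(parse_report(SAMPLE_REPORT))
    print("In Composer-generated files:", Counter(f["sniff"] for f in generated))
    for f in sorted(needs_review, key=lambda f: -f["severity"]):
        print(f"REVIEW {f['file']}: {f['level']} sev {f['severity']} {f['sniff']}")
```

Run against the full report from this thread, the review list comes back empty, matching the poster's conclusion that every flagged line sits in Composer's generated files.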
- The topic ‘Missing composer.json?’ is closed to new replies.