Download the PHP package boralp/laravel-vite-apple-container without Composer

On this page you can find all versions of the php package boralp/laravel-vite-apple-container. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package laravel-vite-apple-container

Laravel Vite Apple Container

Build Laravel Vite frontend assets inside an isolated Apple Container.

This package is designed for macOS users who use github.com/apple/container. It runs npm ci and npm run build in a hardened container with restricted filesystem access, disabled network access by default, and npm lifecycle scripts disabled by default.

The primary interface is a Laravel Artisan command:

A Composer binary wrapper is also provided:

The wrapper forwards arguments to the Artisan command.

Installation

Install via Composer:

If you need this package during production deployment builds, install it without --dev:

Laravel package discovery will register the Artisan command automatically.

Quick Start

From your Laravel project root, run the first build with network access so npm ci can download dependencies:

Or use the Composer binary wrapper:

Your compiled CSS and JavaScript assets will be written to:

By default, the project source is mounted read-only. Only public/build is writable on the host.

After dependencies have been installed once, subsequent builds can usually run without network access:

Requirements

Configuration

The package ships with a Laravel config file.

Publish it with:

This creates:

Available environment variables:

Default config:

How It Works

The command runs the Laravel frontend build inside Apple Container using a pinned Node Alpine OCI image.

Default container behavior:

Feature Default Purpose
Project filesystem Read-only Prevents build scripts from modifying source files
public/build Writable Allows Vite output
node_modules Isolated container volume Avoids writing dependencies into the host project
Network Disabled Blocks exfiltration and unexpected remote fetches
npm lifecycle scripts Disabled Blocks install-time hooks such as postinstall
Container user Root in isolated-volume mode Allows the container to manage the private node_modules volume
Root filesystem Read-only Limits writable paths inside the container
Temporary storage tmpfs Provides controlled writable scratch space
CPU / memory Limited Reduces accidental resource exhaustion

The project source remains read-only in default mode even when the container runs as root. The only host path mounted writable is public/build.

In default mode, the project is copied from a read-only mount into a temporary working directory inside the container. The package keeps node_modules in a named Apple Container volume and restores it into the temporary working directory when available.

Commands

Primary command:

Composer binary wrapper:

The wrapper is equivalent to:

All flags are supported by both forms.

Running the command without flags does not start a build. Because network access is disabled by default, a no-flag run would otherwise attempt npm ci without registry access. Instead, the command exits with guidance.

Regular Usage

First run, usually with npm registry access:

Subsequent builds, using the existing isolated node_modules volume:

Install dependencies only:

Build assets only:

Allow lifecycle scripts during install:

Using the binary wrapper:

Flags

Flag Description
--allow-network Allows network access inside the container
--allow-scripts Allows npm lifecycle scripts during npm ci
--full-access Mounts the whole Laravel project writable at /app
--host-node-modules Uses host node_modules; requires --full-access
--build-only Runs only npm run build
--ci-only Runs only npm ci
--root Runs as root inside the container
--paranoid Drops Linux capabilities where supported
--high-security Alias for --paranoid
--help, -h Shows help

Show command help:

or:

Security Model

Default Protection

By default, the command protects against common npm supply-chain and build-time risks:

In default isolated-volume mode, the process may run as root inside the container so it can manage the private named volume used for node_modules. This does not make the project source writable; the project is still copied from a read-only mount into a temporary working directory.

Important Limitations

This tool reduces risk; it does not make arbitrary JavaScript safe.

npm run build still executes code from your package.json. A malicious build script can still affect writable locations such as public/build, consume resources within configured limits, or attempt attacks against the container runtime.

Use extra caution with:

That combination allows dependency install scripts to run with network access and should only be used for trusted projects.

Highest-Risk Mode

This mode gives the build process writable access to the whole project and should only be used for trusted codebases.

Apple Container

This project targets Apple Container, not Docker or Podman.

Check installation:

Start the container system:

Pull the Node image manually if desired:

Updating the Pinned Node Image

The command uses a pinned image digest for reproducibility.

To update it intentionally:

Review the new digest, then update either:

or the published config value in:

If you have not published the config file, update the package default in config/lvac.php.

Troubleshooting

Apple container CLI not found or not executable

Install Apple Container and make sure the container command is available:

If the binary is in a custom location:

or set it in .env:

Apple Container is installed but not running

Start the container system:

Then retry:

npm ci fails without network

This is expected on first install. Network is disabled by default.

Run:

Then build without network:

vite: not found

This usually means dependencies have not been installed into the isolated node_modules volume yet.

Run:

After that, build-only mode should work:

A package requires postinstall scripts

Some packages need lifecycle scripts.

Use:

Then build:

Only use --allow-scripts after reviewing the dependency tree.

public/build is empty

Check that Laravel Vite is configured correctly.

Typical vite.config.js:

Permission problems writing public/build

Ensure the directory is writable by your user:

Then retry:

Build needs to write outside public/build

Default mode intentionally blocks this.

For trusted projects only:

Host node_modules is required

By default, dependencies are installed into an isolated Apple Container volume, not the host project.

For trusted projects only, you can use host node_modules:

--host-node-modules requires --full-access.

How It Differs from Local npm

Aspect Local npm This tool
Network access Allowed Blocked by default
npm lifecycle scripts Allowed Blocked by default
Project source writes Allowed Blocked by default
public/build writes Allowed Allowed
node_modules location Host project Isolated container volume
Root filesystem Host filesystem Read-only container filesystem
Runtime consistency Depends on host OCI Node image
Resource limits Depends on host Configured CPU and memory limits

CI/CD

This tool is intended primarily for Apple Container on macOS. For Linux CI environments, use the project’s normal Node build pipeline unless your CI runner also supports Apple Container.

Example conventional CI build:

Threat Model Summary

Good fit:

Not a complete sandbox for:

Security

If you find a security issue, do not open a public issue. Contact the maintainer privately.


All versions of laravel-vite-apple-container with dependencies

PHP Build Version
Package Version
Requires php Version ^8.2
illuminate/console Version ^10.0|^11.0|^12.0|^13.0
illuminate/support Version ^10.0|^11.0|^12.0|^13.0
symfony/process Version ^7.0|^8.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package boralp/laravel-vite-apple-container contains the following files

Loading the files please wait ...