Download the PHP package mxr576/ddqg-composer-audit without Composer
On this page you can find all versions of the php package mxr576/ddqg-composer-audit. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Information about the package ddqg-composer-audit
Drupal Dependency Quality Gate Composer Audit plugin
This project extends the composer audit command with new "advisories" originating from the results generated by the mxr576/ddqg project, which aims to help run Drupal projects on secure and high-quality Drupal dependencies.
Check out the mxr576/composer-audit-changes "alternative" composer audit command: it can help with adopting this package on existing projects that have accumulated technical debt.
Installation
Example output
Configuration
Quality assurance can feel painful, but it is an important part of professional software development. The goal of this project is to bring attention to dependency quality problems in a project. For all these reasons, it deliberately comes with minimal opt-out options.
Silence the warning about a deprecated or unsupported package version in use
[!WARNING] This feature is deprecated and will be removed in version 2.0.0. Composer's built-in audit ignore feature has replaced it.
In a project's root composer.json, under the extra property, add a definition like this:
The other option is defining a comma-separated list of ignore rules in the DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS and DDQG_COMPOSER_AUDIT_IGNORE_UNSUPPORTED_VERSIONS environment variables respectively, e.g.,
DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS=drupal/swiftmailer:2.4.0,vendor/package:1.x-dev
or
DDQG_COMPOSER_AUDIT_IGNORE_UNSUPPORTED_VERSIONS=drupal/tamper:1.0.0-alpha3,vendor/package:1.x-dev
An environment variable has a higher precedence than a configuration in composer.json; if it is defined, the definition in a project's root composer.json is ignored completely.
Notice: A warning about the ignored deprecated or unsupported package is still printed to STDERR.
Not supporting version ranges in the definition was a conscious decision because (again) the goal is making dependency quality problems constantly visible and not sweeping them under the carpet.
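As an added illustration of the ignore-rule semantics described above (this is not the plugin's own code), the following PHP snippet parses the "vendor/package:version" list format, applies the precedence rule where a set environment variable replaces the composer.json definition entirely, matches versions exactly with no range support, and still reports the ignored package on STDERR. The composer.json-derived rule list and all sample values are constructed for the example.

```php
<?php
// Hypothetical helper mirroring the README's rules; not the plugin's code.
// Rule format: "vendor/package:version,vendor/other:version" (exact versions only).

/** Parse the comma-separated list into ['vendor/package' => ['version', ...]]. */
function parseIgnoreRules(string $definition): array {
    $rules = [];
    foreach (array_filter(array_map('trim', explode(',', $definition))) as $rule) {
        if (substr_count($rule, ':') !== 1) {
            throw new InvalidArgumentException("Malformed ignore rule: $rule");
        }
        [$package, $version] = explode(':', $rule, 2);
        $rules[strtolower($package)][] = $version;
    }
    return $rules;
}

/**
 * A defined environment variable wins completely; the composer.json
 * definition ($extraRules, constructed here) is then not consulted at all.
 */
function effectiveIgnoreRules(string $envName, array $extraRules): array {
    $env = getenv($envName);
    if ($env !== false && $env !== '') {
        return parseIgnoreRules($env);
    }
    return parseIgnoreRules(implode(',', $extraRules));
}

/** Exact match only: a "1.x-dev" rule does not cover "1.0.0". */
function isIgnored(array $rules, string $package, string $version): bool {
    $ignored = in_array($version, $rules[strtolower($package)] ?? [], true);
    if ($ignored) {
        // The README keeps the problem visible even when it is ignored.
        fwrite(STDERR, "Warning: $package:$version is deprecated/unsupported but ignored by configuration.\n");
    }
    return $ignored;
}

// Constructed sample: environment variable set as in the README example.
putenv('DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS=drupal/swiftmailer:2.4.0,vendor/package:1.x-dev');
$rules = effectiveIgnoreRules('DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS', ['drupal/foo:1.0.0']);

var_dump(isIgnored($rules, 'drupal/swiftmailer', '2.4.0')); // env rule matches exactly
var_dump(isIgnored($rules, 'drupal/foo', '1.0.0'));         // composer.json rule is not consulted once the env var is set
var_dump(isIgnored($rules, 'vendor/package', '1.0.0'));     // the 1.x-dev rule is not a range
```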
Check Drupal 10 compatibility
For projects still running on Drupal 9. When this feature is enabled, composer audit also checks whether each installed package version is compatible with Drupal 10, which can make the Drupal 10 upgrade less painful.
The feature is disabled by default; it can be enabled with:
or by setting the DDQG_COMPOSER_AUDIT_CHECK_D10_COMPATIBILITY=true environment variable.
This is a seasonal feature that will be removed after Drupal 9 EOL.
Integrations
- "Unofficial" build definition for a Docker image that installs the latest version from this Composer plugin and the composer audit-changes command
FAQ
Drupal Packagist already provides package advisories, so why should I care about this plugin?
This feature is only available on Drupal Packagist since 21 September 2023. Security advisory data via Drupal Packagist only contains information based on published security advisories; it does not contain releases flagged as "insecure", but this Composer plugin does.
All versions of ddqg-composer-audit with dependencies
composer-plugin-api Version ^2.3
composer/composer Version ^2.7.7
cweagans/composer-configurable-plugin Version ^2.0
halaxa/json-machine Version ^1.2
loophp/collection Version ^7.5.2
psr/event-dispatcher Version ^1.0
webmozart/assert Version ^1.11