Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Composer: Document expected usage for security. #156

Open
wants to merge 1 commit into
base: production
Choose a base branch
from
Open

Composer: Document expected usage for security. #156

wants to merge 1 commit into from

Conversation

iandunn
Copy link
Member

@iandunn iandunn commented Jul 17, 2019
edited
Loading

Previously:

The JSON format does not allow comments because, in theory, it's only a data-exchange format. In reality, it's widely used in situations like this where comments are extremely important.

To work around that, arbitrary properties are added. The keys must be unique, so they use BASIC-style line-numbering. Does anyone else remember BASIC? No? Ok, I must officially be old then.

composer validate will complain about those properties, but normal commands won't, and they won't be automatically removed by composer update, etc. For our usage, they're practical, albeit hacky.

I also added some whitespace between the sections, because I find it much harder to visually parse a document when it's all crammed together.

@iandunn
Composer: Document expected usage for security.
0c2d530 
The JSON format does not allow comments because, in theory, it's only a data-exchange format. In reality, it's widely used in situations like this where comments are extremely important.

To work around that, arbitrary properties are added. The keys must be unique, so they use BASIC-style line-numbering. Does anyone else remember BASIC? No? Ok, I must officially be old then.

`composer validate` will complain about those properties, but normal commands won't, and they  won't be automatically removed by `composer update`, etc. For our usage, they're practical, albeit hacky.
@iandunn iandunn requested review from coreymckrill and ryelle July 17, 2019 16:30
@iandunn
Copy link
Member Author

iandunn commented Jul 17, 2019

It didn't occur to me until this morning, but this seems like a better approach than the one we discussed in #152.

@iandunn
Copy link
Member Author

iandunn commented Jul 19, 2019

Related: Seldaek/jsonlint#58

@iandunn
Copy link
Member Author

iandunn commented Jul 19, 2019
edited
Loading

Ah, I found this buried in one of the many many many Composer issues complaining about this problem:

composer/composer@98b0af1

Looks like _comment is a valid, reusable key in composer.json, so we should we able to switch to that and not get any errors from composer validate etc. Haven't tested yet, though.

@iandunn
Copy link
Member Author

iandunn commented Oct 23, 2019

Tested _comment for 5ftF and it worked, so it should be a good path forward here.

@coreymckrill coreymckrill removed their request for review April 16, 2022 00:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryelle ryelle Awaiting requested review from ryelle

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@iandunn