These are chat archives for composer/composer

22nd May 2018
fletch8527
@fletch8527
May 22 2018 19:14
Hey, I'm hoping someone here might be able to help a composer noob out. I'm running a service on a server whose developer uses composer to get dependencies. My issue is that our servers are behind a proxy controlled by the network team. I need to have the sites whitelisted for the server to have access. How can I tell what URLs need to be whitelisted for the dependencies?
Looking at the composer.lock file, would I just need to whitelist all of the "url" items? What about the "notification-url" entries (they all seem to point to https://packagist.org)?
Ben Johnson
@cbj4074
May 22 2018 19:27
@fletch8527 Seems like you'll be playing whack-a-mole and revising the list constantly, as you have no way to know where the dependencies will be hosted
But yes, the two fields you've identified are a start
fletch8527
@fletch8527
May 22 2018 19:31
@cbj4074 I'm starting to read the composer docs. If I understand it right, unless a repo is defined in composer.lock then all packages would come from GitHub? And it checks packagist.org as well? Or could packagist.org tell composer to go someplace other than GitHub?
oops, I misspoke.
...unless a repo is defined in composer.json then all packages...
Ben Johnson
@cbj4074
May 22 2018 19:34
@fletch8527 Precisely, and that's the rub: not only can the composer.json point to package indexes other than packagist.org, but those can in turn point to content anywhere other than GitHub
fletch8527
@fletch8527
May 22 2018 19:35
dang. maybe I'll get the network team to allow access to GitHub then see what else breaks lol
Ben Johnson
@cbj4074
May 22 2018 19:36
Hehe, yeah, the vast majority are on GitHub, but certainly not all
fletch8527
@fletch8527
May 22 2018 19:37
so I have a composer.lock file. is it safe to assume that if all the "url" values in it point to GitHub that all the dependencies will reside on GitHub (at least for now)?
Ben Johnson
@cbj4074
May 22 2018 20:05
@fletch8527 Yes, I believe that is the case
fletch8527
@fletch8527
May 22 2018 20:08
@cbj4074 thanks, you have been very helpful!
Ben Johnson
@cbj4074
May 22 2018 20:11
@fletch8527 No problem, glad to help. Hopefully I don't turn out to be wrong. :D
(regarding your last question)
One thing I will add, however, is that there's a fundamental distinction to be made between composer install and composer update. You should be in the clear for composer install, given the scenario you described.
My point is only that just because composer install will work in that environment, composer update may not.
Your developer shouldn't be running composer update in production, though; he should be doing it elsewhere and then committing the composer.lock file once he's vetted it, and only ever running composer install in production.
fletch8527
@fletch8527
May 22 2018 20:15
makes sense. that's what they do. When they update their stuff they issue a new composer.lock and I run composer install to get them
Ben Johnson
@cbj4074
May 22 2018 20:21
:thumbsup: