Remove from Packagist, or make explicit this module should not be used in production #21
Comments
I dislike the idea of removing things from Packagist to prevent abuse. Is it installed by any official meta packages (other than those required to run Travis tests)? If folks can't be bothered to read the warning, after manually including it in their project, then maybe we should let nature take its course...
It is included by silverstripe-labs/silverstripe-behat-extension, which is also namespaced as an official SilverStripe package (silverstripe/behat-extension). While users shouldn't be including the Behat extension other than in require-dev, we shouldn't be operating under the assumption that everyone knows how to correctly use Composer. Personally I don't like removing things from Packagist, and would much prefer to indicate via namespaces the packages that aren't considered by the core team to be safe and production-ready (e.g. most of the things in silverstripe-labs), similar to how Debian uses "backports" and "experimental".
FYI I've suggested in #42 a refactoring that might address the underlying security weaknesses @edlinklater |
There's been no traction / support for removing this from Packagist.
Due to the high-risk nature of running this module in production (as per the README), it seems unnecessarily high risk to have this module available in Packagist, particularly under the silverstripe/ namespace (where there would be an expectation of security and stability).
Ideally there would be a way to mark a project as only being able to be used in require-dev, but in the absence of this, I'd propose either: