herndlm, (edited )

I think there was a composer plugin or smth that makes sure typical dev dependencies never end up in the require section of the lockfile, right? Which one is it? #followerpower #php #composer

Background: A colleague added a composer dev dependency by mistake to the require section in an internal plugin and nobody noticed. When requiring that plugin the dev dependency ended up in the lockfile and vendor of the main app and again nobody noticed. And I'd like to catch that.

bobmagicii,

@herndlm mk1 eyeball ask one of your least favourite team members to audit composer.json once in a while. adding things to screw with the operation of composer is going to be more annoying for anyone not the guy who first had the idea.

alessandrolai,

@herndlm you can probably use Composer Unused? But I'm not sure it covers your use case.

Otherwise, what you require is the reverse of Composer Require Checker, so still out of luck...

glaubinix,

@herndlm starting with version 2.4 Composer asks you if you want to require --dev instead of require dependencies with certain keywords, see https://github.com/composer/composer/pull/10960

wyri,

@glaubinix @herndlm that's pretty neat. Would be nice if we could configure the list in composer.json
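
An added example, not part of the thread and not Composer's own code: a CI check that reads `composer.lock` and flags any package in the non-dev `packages` section tagged with a dev-tooling keyword, which also catches a dev dependency pulled in transitively through an internal plugin. The keyword list, the allowlist parameter and the sample lockfile are assumptions made for this illustration.

```python
import json
import sys

# Assumed list of keywords that mark a package as dev-only tooling; adjust per team.
DEV_KEYWORDS = {"dev", "testing", "static analysis"}

def find_dev_packages_in_require(lock, dev_keywords=DEV_KEYWORDS, allow=()):
    """Return [(name, matched_keywords)] for packages locked in the production
    "packages" section whose keywords intersect dev_keywords."""
    wanted = {k.lower() for k in dev_keywords}
    allowed = set(allow)
    findings = []
    for pkg in lock.get("packages", []):
        name = pkg.get("name", "")
        if name in allowed:
            continue  # explicitly accepted in production
        # "keywords" is optional in a locked package entry
        tags = {str(k).lower() for k in pkg.get("keywords") or []}
        hits = sorted(tags & wanted)
        if hits:
            findings.append((name, hits))
    return findings

# Constructed sample lockfile: a test framework has leaked into "packages".
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "acme/internal-plugin", "keywords": ["plugin"]},
    {"name": "phpunit/phpunit", "keywords": ["phpunit", "testing", "xunit"]},
    {"name": "psr/log"}
  ],
  "packages-dev": [
    {"name": "phpstan/phpstan", "keywords": ["dev", "static analysis"]}
  ]
}
""")

def main(path="composer.lock"):
    with open(path, encoding="utf-8") as fh:
        findings = find_dev_packages_in_require(json.load(fh))
    for name, hits in findings:
        print(f"{name}: locked as a production dependency, tagged {hits}")
    return 1 if findings else 0  # non-zero exit fails the CI job

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Packages under `packages-dev` are ignored on purpose, so the check only fails when dev tooling would reach a `--no-dev` install.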
