我应该在作曲家提取的供应商文件夹中检入库吗?
[英]Should I check in libraries in the vendor folder that are pulled in by composer?
问题描述
I've already spent a few hours searching for an answer to my question but still haven't found a suitable answer. 
我已经花了几个小时来寻找问题的答案,但仍然找不到合适的答案。
Basically, I've taken over a PHP project which uses composer to pull in third party libraries/dependencies. 基本上,我已经接管了一个使用composer引入第三方库/依赖项的PHP项目。 However, a lot of the dependencies are no longer managed and is possible that the author might remove them completely from github anytime. 但是,许多依赖项不再受管理,并且作者有可能随时将其完全从github中删除。
I'm currently thinking that I should check in the whole vendor folder so even if the libraries are no longer available through composer, I will still have them with me. 我目前在想,我应该检入整个供应商文件夹,这样,即使通过composer无法再使用这些库,我也仍然可以使用它们。
Alternatively, I could fork those libraries repo and have composer to pull from my account instead. 或者,我可以分叉这些库回购,并让作曲家从我的帐户中提取。 Is this acceptable? 这可以接受吗?
I would really hope to get some advice on the best method to deal with this. 我真的希望就处理此问题的最佳方法获得一些建议。
Thanks in advance! 提前致谢!
3 个解决方案
解决方案1
1 2015-03-31 10:58:41
Should i check in the whole vendor folder in, so even if the libraries are no longer available through composer, I will still have them with me?
My suggestion is to create a backup branch containing your application with all it's vendors. 我的建议是创建一个包含所有应用程序供应商的备份分支。 Just do a git checkout -b {VERSION}-backup , followed by composer install (which gets you the composer.lock and all dependencies into the defined vendor folder) and then a git push origin {VERSION}-backup . 只需执行git checkout -b {VERSION}-backup ,然后进行composer install (这git checkout -b {VERSION}-backup composer.lock和所有依赖项进入已定义的供应商文件夹),然后进行git push origin {VERSION}-backup 。
This allows to rely on dynamic package management as long as the packages are available via Packagist and downloadable from their source (Github, etc.). 只要软件包可以通过Packagist获得并且可以从其源(Github等)下载,就可以依靠动态软件包管理。 Now, in case, a dependency gets deleted and becomes un-available, you remove it from your composer.json and merge the code from the last {VERSION}-backup branch into the master branch. 现在,以防万一某个依赖项被删除而变得不可用,您可以从composer.json中将其删除,然后将最后一个{VERSION}-backup分支中的代码合并到master分支中。 = You replaced a dynamic dependency with a static one from you backup. =您用备份中的静态依赖项替换了动态依赖项。
By the way: ever thought about getting a security audit for your code? 顺便说一句:有没有想过为您的代码进行安全审核? This will not work, with dynamically pulled dependencies. 对于动态拉出的依赖项,这将不起作用。 Security audits are done for specific versions - for a static set of dependencies. 针对特定版本进行了安全审核-针对一组静态依赖项。 Given this context, pushing in a complete app with all it's dependencies is common and a best-practice. 在这种情况下,引入具有所有依赖关系的完整应用程序是常见且最佳实践。 But what do we have: Composer in the backend to install new themes and composer install --no-dev --optimize-autoload on the production box to "install" software. 但是我们有什么呢:在后端的Composer安装新主题,然后在生产环境中composer install --no-dev --optimize-autoload来“安装”软件。 Modern times ;) 现代 ;)
Could I fork those libraries repo and have composer to pull from my account instead.
Yes! 是! And you might also ask the guys over at Packagist to remove no-longer maintained packs or get them replaced or aliased to a new personal fork. 您可能还会要求Packagist的人员删除不再维护的包,或者将其替换或别名为新的个人叉子。
解决方案2
0 2015-03-30 16:54:22
It really depends on whether your project needs to be optimized for portability or not. 这实际上取决于您的项目是否需要针对可移植性进行优化。 Although, it's better safe with a best-practice violation, than sorry with an unavailable dependency you have to spend time replacing and refactoring for ... 虽然,最好的做法是违反安全性,但是比起没有可用的依赖关系,您必须花一些时间来替换和重构...
解决方案3
0 2015-03-30 17:30:54
From her packagist - theoretically it is possible but unlikely. 从她的包装专家看来 -从理论上讲是可能的,但可能性很小。 From the practice the main problem with packages directly connected to CVS. 通过实践,直接将软件包连接到CVS的主要问题。 But if it is live project you allays can find another copy of code to recover functional. 但是,如果这是一个实时项目,则可以找到另一个代码副本来恢复功能。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.