
Packagist vs. “git clone” and composer install

Just pushed a package to packagist:

composer require rokfor/rokfor-slim:dev-master

It's returning the error:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
  - Installation request for rokfor/rokfor-slim 
    dev-master -> satisfiable by rokfor/rokfor-slim[dev-master].
  - rokfor/rokfor-slim dev-master requires 
    jlndk/slim-jade ^1.0 -> no matching package found.

If I'm checking out like

$ git clone https://github.com/rokfor/rokfor-slim
$ cd rokfor-slim
$ composer install

Everything installs just fine.

I think I'm missing something crucial here. Is it not allowed to push a package to packagist with a source from a vcs repository?

The composer.json looks like:

{
"name": "rokfor/rokfor-slim",
"description": "Rokfor CMS: Headless CMS with JSON api",
"keywords": ["rokfor", "slim","framework","view","template","jade"],
"homepage": "http://cloud.rokfor.ch",
"license": "MIT",
"type": "project",
"time": "2016-02-28",
"authors": [
    {
        "name": "Rokfor",
        "homepage": "http://www.rokfor.ch"
    }
],
"repositories": [
    {
        "type": "vcs",
        "url": "https://github.com/urshofer/slim-jade"
    },
    {
        "type": "vcs",
        "url": "https://github.com/Rokfor/rokfor-php-db"
    },
    {
        "type": "vcs",
        "url": "https://github.com/urshofer/slim-auth"
    }
],
"require": {
    "php": ">=5.5.0",
    "slim/slim": "~3.0",
    "jlndk/slim-jade": "^1.0",
    "rokfor/db": "dev-versioning",
    "monolog/monolog": "^1.17",
    "slim/csrf": "^0.6.0",
    "jeremykendall/slim-auth": "dev-slim-3.x",
    "slim/flash": "^0.1.0",
    "akrabat/rka-ip-address-middleware": "^0.4.0",
    "palanik/corsslim": "dev-slim3",
    "erusev/parsedown": "^1.6",
    "predis/predis": "^1.0",
    "lcobucci/jwt": "^3.1",
    "ext-gd": "*"
},
"require-dev": {
    "phpunit/phpunit": "*"
},
"minimum-stability": "dev",
"prefer-stable": true
}

In a library, you cannot reference anything other than libraries that are available on packagist.org. Or you instruct your users to reference an additional source for package information.

Adding vcs and package repositories is only allowed for the root composer.json, which you cannot influence as a library other than instructing your users to do additional things beyond composer require your/lib. Which is kind of annoying, and also may be subject to security considerations, because this will not only open the door for your individual library, but for ANY library as well.

And as you did with "jlndk/slim-jade" (which the original author published from his repository as 0.0.1, and another author re-published it without adding it to packagist or changing the lib's name, adding the version tag 1.0), any additional source of package information can potentially add more package information, i.e. add a newer, malicious version of e.g. a symfony package.
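
The security point in the answer above can be checked mechanically. This is an added example, not part of the original question or answer: a Python audit of a root composer.json that reports which direct requirements each extra repository is allowed to supply. It assumes Composer 2.x, where a repository entry can be restricted with `only` / `exclude`; the sample manifests are constructed from the package names on the page.

```python
import json
from fnmatch import fnmatchcase

# Constructed root composer.json: the fork named on the page, added unfiltered.
UNFILTERED = json.loads("""{
  "repositories": [
    {"type": "vcs", "url": "https://github.com/urshofer/slim-jade"}
  ],
  "require": {
    "php": ">=5.5.0",
    "slim/slim": "~3.0",
    "jlndk/slim-jade": "^1.0",
    "monolog/monolog": "^1.17"
  }
}""")

# Same manifest with the repository limited to the one package it is meant for
# (Composer 2.x "only" filter; an assumption, the page does not mention it).
FILTERED = json.loads(json.dumps(UNFILTERED))
FILTERED["repositories"][0]["only"] = ["jlndk/slim-jade"]


def extra_repositories(manifest):
    """Return repository entries, accepting both the list and the object form."""
    repos = manifest.get("repositories", [])
    if isinstance(repos, dict):
        repos = repos.values()
    # Entries such as {"packagist.org": false} carry no "type" and are skipped.
    return [r for r in repos if isinstance(r, dict) and "type" in r]


def allowed(repo, name):
    """True if Composer would accept package `name` from this repository."""
    if "only" in repo:
        return any(fnmatchcase(name, p.lower()) for p in repo["only"])
    return not any(fnmatchcase(name, p.lower()) for p in repo.get("exclude", []))


def exposure(manifest):
    """Map each extra repository URL to the direct requirements it may supply."""
    # Platform requirements (php, ext-gd) have no vendor prefix and are ignored.
    names = sorted(n.lower() for n in manifest.get("require", {}) if "/" in n)
    return {r.get("url", "<no url>"): [n for n in names if allowed(r, n)]
            for r in extra_repositories(manifest)}


if __name__ == "__main__":
    for label, manifest in (("unfiltered", UNFILTERED), ("filtered", FILTERED)):
        print(label, json.dumps(exposure(manifest), indent=2))
```

The report covers direct requirements only; an unfiltered repository is equally able to supply names that appear further down the dependency tree.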
