
Integrity checks for composer.json repositories with type=package

I'd like to add PHP libraries that are not available via Packagist (at least not in official versions) to my project. Here's an example of what I'm doing right now:

{
  "repositories": [
    {
      "type": "package",
      "package": {
        "name": "fpdf/fpdf",
        "version": "1.81.0",
        "dist": {
          "type": "zip",
          "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip"
        },
        "autoload": {
          "files": ["fpdf.php"]
        }
      }
    }
  ],
  "require": {
    "fpdf/fpdf": "1.81.0"
  },
  "config": {
    "secure-http": false
  }
}

Running $ composer install results in a composer.lock entry like this:

"packages": [
    {
        "name": "fpdf/fpdf",
        "version": "1.81.0",
        "dist": {
            "type": "zip",
            "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip",
            "reference": null,
            "shasum": null
        },
        "type": "library",
        "autoload": {
            "files": [
                "fpdf.php"
            ]
        }
    }
]

As far as I can tell, there is no data available that could be used to check the integrity of the zip file. (Am I missing something?)

Is there a way to specify a hash for the zip file that would be used by Composer when setting up the dependencies for the project? I'd like to make sure that the zip content hasn't changed and can't be tampered with.

{
  "repositories": [
    {
      "type": "package",
      "package": {
        "name": "fpdf/fpdf",
        "version": "1.81.0",
        "dist": {
          "type": "zip",
          "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip",
          "shasum": "f832b04a5158645330d29bdb7265652dbcb6e4c3"
        },
        "autoload": {
          "files": ["fpdf.php"]
        }
      }
    }
  ],
  "require": {
    "fpdf/fpdf": "1.81.0"
  },
  "config": {
    "secure-http": false
  }
}

You can add the shasum to the repository settings; if the shasum is different, you will get an exception during composer install.
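What that check amounts to, as an added example that is not part of the answer above or of Composer's own code: Composer hashes the downloaded archive with SHA-1 (the 40-hex-character value in `dist.shasum`) and aborts the install when the digest differs from the pinned one, which is also what makes a pin worthwhile when the `dist.url` is plain HTTP. The script below reproduces that comparison in POSIX shell and emits the `dist` object to paste into the `package` repository entry. The archive content and the `example.invalid` URL are constructed stand-ins, not the fpdf zip.

```shell
#!/bin/sh
# Added example: reproduce Composer's dist checksum check for a type=package repository.
# Composer computes sha1 of the downloaded archive and compares it with dist.shasum;
# a mismatch throws a checksum verification exception and the install stops.

# sha1_of FILE -> prints the hex SHA-1 digest of FILE (the value to put in dist.shasum).
sha1_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# verify_dist_shasum FILE EXPECTED -> returns 0 if the digest matches, 1 otherwise.
verify_dist_shasum() {
    actual=$(sha1_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "checksum ok: $actual"
        return 0
    fi
    echo "checksum verification failed: expected $2, got $actual" >&2
    return 1
}

# dist_json URL SHASUM -> prints the "dist" object for the composer.json package entry.
dist_json() {
    printf '{"type": "zip", "url": "%s", "shasum": "%s"}\n' "$1" "$2"
}

# demo: pin a constructed "archive", verify it, then tamper with it and verify again.
# The file content and URL are made up for the demonstration.
demo() {
    tmp=$(mktemp)
    printf 'constructed archive contents\n' > "$tmp"
    pinned=$(sha1_of "$tmp")
    dist_json "http://example.invalid/lib.zip" "$pinned"
    verify_dist_shasum "$tmp" "$pinned"                 # passes: digest matches the pin
    printf 'tampered\n' >> "$tmp"                        # simulate a modified download
    verify_dist_shasum "$tmp" "$pinned" || echo "install would abort here"
    rm -f "$tmp"
}
```

Run `demo` to see both outcomes; in practice you compute `sha1_of` once on a copy of the zip you have inspected, paste the digest into `dist.shasum`, and let Composer do the comparison on every install.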
