I'd like to add PHP libraries that are not available via Packagist (at least not in official versions) to my project. Here's an example of what I'm doing right now:
    {
        "repositories": [
            {
                "type": "package",
                "package": {
                    "name": "fpdf/fpdf",
                    "version": "1.81.0",
                    "dist": {
                        "type": "zip",
                        "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip"
                    },
                    "autoload": {
                        "files": ["fpdf.php"]
                    }
                }
            }
        ],
        "require": {
            "fpdf/fpdf": "1.81.0"
        },
        "config": {
            "secure-http": false
        }
    }
Running $ composer install results in a composer.lock entry like this:

    "packages": [
        {
            "name": "fpdf/fpdf",
            "version": "1.81.0",
            "dist": {
                "type": "zip",
                "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip",
                "reference": null,
                "shasum": null
            },
            "type": "library",
            "autoload": {
                "files": [
                    "fpdf.php"
                ]
            }
        }
As far as I can tell, there is no data available that could be used to check the integrity of the zip file. (Am I missing something?)
Is there a way to specify a hash for the zip file that would be used by Composer when setting up the dependencies for the project? I'd like to make sure that the zip content hasn't changed and can't be tampered with.
    {
        "repositories": [
            {
                "type": "package",
                "package": {
                    "name": "fpdf/fpdf",
                    "version": "1.81.0",
                    "dist": {
                        "type": "zip",
                        "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip",
                        "shasum": "f832b04a5158645330d29bdb7265652dbcb6e4c3"
                    },
                    "autoload": {
                        "files": ["fpdf.php"]
                    }
                }
            }
        ],
        "require": {
            "fpdf/fpdf": "1.81.0"
        },
        "config": {
            "secure-http": false
        }
    }
You can add the shasum to the repository settings. If the shasum is different, you will get an exception during composer install.
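
An added example (not part of the original question or answer, and not Composer's own code): a small audit that lists composer.lock dist entries with no shasum or a plain-HTTP URL, plus helpers to compute and check the pin. Composer's shasum is a SHA-1 hex digest of the archive; the function names and the second sample package are hypothetical.

```python
import hashlib
import json

# Constructed sample mirroring the composer.lock entries discussed on this page.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "fpdf/fpdf", "version": "1.81.0",
         "dist": {"type": "zip",
                  "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip",
                  "reference": None, "shasum": None}},
        {"name": "example/pinned", "version": "1.0.0",  # hypothetical package
         "dist": {"type": "zip",
                  "url": "https://example.invalid/pinned.zip",
                  "reference": None,
                  "shasum": "f832b04a5158645330d29bdb7265652dbcb6e4c3"}},
    ]
})

def audit_lock(lock_text):
    """Return (package name, problem) pairs for weakly protected dist entries."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    findings = []
    for pkg in packages:
        dist = pkg.get("dist") or {}
        if not dist.get("shasum"):  # null or "" leaves nothing to verify
            findings.append((pkg["name"], "no shasum"))
        if (dist.get("url") or "").startswith("http://"):
            findings.append((pkg["name"], "plain-HTTP download"))
    return findings

def pin_for(data):
    """SHA-1 hex digest to place in the "shasum" field of a vetted archive."""
    return hashlib.sha1(data).hexdigest()

def archive_matches(data, shasum):
    """Check archive bytes against a pinned SHA-1 hex digest."""
    return pin_for(data) == shasum.strip().lower()

if __name__ == "__main__":
    for name, problem in audit_lock(SAMPLE_LOCK):
        print(f"{name}: {problem}")
```

The digest should be computed from a copy of the archive you have already vetted; once pinned, a changed download fails the check even when it is fetched over plain HTTP.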