Testing pull requests

Problem description

I recently discovered a vulnerability in a package that I like to use in my Laravel projects. The package is a log viewer for Laravel: https://github.com/ARCANEDEV/LogViewer.

I put in an issue about the vulnerability and the owner said I can put in a Pull Request to try and rectify the issue, and I feel I could at least try.

My question is: is there a way to use the version of the package with my Pull Request in a testing environment, as if I were installing it via Composer?

Essentially, away from actual unit tests, is there a way to test run a package in a project?

Updates given research and available answers

After much Googling and reading of answers I tried the following:


  "repositories": [
    {
      "type": "path",
      "url": "../forks/LogViewer"
    }
  ],

With the whole thing looking like this:


{
  "name": "laravel/laravel",
  "description": "The Laravel Framework.",
  "keywords": [
    "framework",
    "laravel"
  ],
  "license": "MIT",
  "type": "project",
  "repositories": [
    {
      "type": "path",
      "url": "../forks/LogViewer"
    }
  ],
  "require": {
    "php": "^7.1.3",
    "alexusmai/laravel-purifier": "^0.5.0",
    "arcanedev/log-viewer": "^4.5",
    "artesaos/laravel-linkedin": "^1.3",
    "barryvdh/laravel-dompdf": "^0.8.4",
    "cartalyst/tags": "6.0.*",
    "cornford/googlmapper": "^2.33",
    "doctrine/dbal": "^2.9",
    "fideloper/proxy": "^4.0",
    "guzzlehttp/guzzle": "^6.3",
    "guzzlehttp/psr7": "^1.4",
    "happyr/linkedin-api-client": "^1.0",
    "intervention/image": "^2.5",
    "ixudra/curl": "^6.16",
    "jdavidbakr/mail-tracker": "~2.1",
    "laravel/framework": "5.6.*",
    "laravel/scout": "^5.0",
    "laravel/socialite": "^3.0",
    "laravel/tinker": "^1.0",
    "laravelcollective/html": "^5.6",
    "laravolt/avatar": "^3.0",
    "league/flysystem-sftp": "~1.0",
    "maatwebsite/excel": "^3.1",
    "maddhatter/laravel-fullcalendar": "^1.3",
    "mews/purifier": "^2.1",
    "php-http/curl-client": "^1.7",
    "php-http/message": "^1.6",
    "pusher/pusher-http-laravel": "^4.2",
    "socialiteproviders/microsoft-graph": "^2.0",
    "spatie/calendar-links": "^1.0",
    "spatie/flysystem-dropbox": "^1.2",
    "spatie/laravel-analytics": "^3.6",
    "spatie/laravel-backup": "^5.9",
    "spatie/laravel-medialibrary": "7.6.3",
    "spatie/laravel-permission": "^2.12",
    "teamtnt/laravel-scout-tntsearch-driver": "^3.0",
    "thujohn/twitter": "^2.2",
    "unisharp/laravel-filemanager": "~1.8",
    "vimeo/laravel": "^5.0"
  },
  "require-dev": {
    "barryvdh/laravel-debugbar": "^3.2",
    "filp/whoops": "^2.0",
    "fzaninotto/faker": "^1.4",
    "mockery/mockery": "^1.0",
    "nunomaduro/collision": "^2.0",
    "phpunit/phpunit": "^7.0"
  },
  "autoload": {
    "files": [
      "app/Helpers/Helper.php"
    ],
    "classmap": [
      "database/seeds",
      "database/factories"
    ],
    "psr-4": {
      "App\\": "app/"
    }
  },
  "autoload-dev": {
    "psr-4": {
      "Tests\\": "tests/"
    }
  },
  "extra": {
    "laravel": {
      "dont-discover": []
    }
  },
  "scripts": {
    "post-root-package-install": [
      "@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
    ],
    "post-create-project-cmd": [
      "@php artisan key:generate"
    ],
    "post-autoload-dump": [
      "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
      "@php artisan package:discover"
    ]
  },
  "config": {
    "preferred-install": "dist",
    "sort-packages": true,
    "optimize-autoloader": true
  },
  "minimum-stability": "dev",
  "prefer-stable": true
}

My main project is located at the following path (from running pwd on Windows): C:\xampp\htdocs\projects\newable\newable-intranet

The cloned, forked project is located here: C:\xampp\htdocs\projects\forks\LogViewer.

However, running composer update does not use the local version, it just uses: "arcanedev/log-viewer": "^4.5",

Tags: composer-php, pull-request

Solution


When you want to use a custom version of a library in your project like with the original package, you can modify the composer.json.

You can add custom package sources (aka repositories) to your composer.json. For local development I prefer the path repository:

{
    "repositories": [
        {
            "type": "path",
            "url": "../LogViewer"
        }
    ],
    "require": {
        "arcanedev/log-viewer": "*",
        ...
    },
    ...
}

So if your project and the LogViewer library are in the same workspace directory, side by side, this will jump up to that workspace directory and go into the library folder. In there it will look for a composer.json. You should then be able to update to your custom library, e.g. using composer require arcanedev/log-viewer:"*" or by manually changing the entry as shown above and then running composer install.

Making composer download the custom version can be a bit tricky from time to time, but in general this should work. If it won't "download" your version, i.e. symlink the local folder, try removing the existing vendor folder and running composer install again. You can also add debug output to composer install -vvv to see if the repository is found and used.

The less elaborate approach would be to remove the original library folder inside your project's vendor/ folder and instead place a symlink to your custom library manually. This is usually enough when all you do is a small bugfix inside the library's code, but when you change dependencies and version requirements I prefer the first approach as it basically simulates downloading the package through composer making sure it is properly usable in client projects.
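
The following is an added example, not part of the original question or answer: a Python check that resolves each path repository the way the answer describes and confirms that vendor/ really points at the fork, so a security fix is tested against the patched code rather than the released package. The function names are hypothetical, the sample layout is constructed from the paths given in the question, and it assumes a relative url is resolved against the directory holding the root composer.json; the version check is only a heuristic.

```python
import json
import os
import tempfile
from pathlib import Path


def check_path_repos(project_dir, package):
    """Resolve each "path" repository against the root composer.json directory."""
    project_dir = Path(project_dir)
    root = json.loads((project_dir / "composer.json").read_text())
    constraint = root.get("require", {}).get(package)
    findings = {}
    for repo in root.get("repositories", []):
        if repo.get("type") != "path":
            continue
        target = Path(os.path.normpath(project_dir / repo["url"]))
        manifest = target / "composer.json"
        if not manifest.is_file():
            findings[repo["url"]] = "missing: no composer.json in %s" % target
            continue
        meta = json.loads(manifest.read_text())
        if meta.get("name") != package:
            findings[repo["url"]] = "other: provides %s" % meta.get("name")
        elif "version" not in meta and constraint != "*":
            # Heuristic: without a "version" key Composer infers one from the
            # checked-out branch or tag, which a range such as ^4.5 may reject.
            findings[repo["url"]] = "check-constraint: %s" % constraint
        else:
            findings[repo["url"]] = "ok"
    return findings


def installed_from_fork(project_dir, package, fork_dir):
    """True when vendor/<package> is a symlink that resolves to the fork."""
    installed = Path(project_dir) / "vendor" / package
    return installed.is_symlink() and installed.resolve() == Path(fork_dir).resolve()


def build_sample_layout(url, constraint):
    """Constructed sample: the directory layout described in the question."""
    base = Path(tempfile.mkdtemp())
    project = base / "projects" / "newable" / "newable-intranet"
    fork = base / "projects" / "forks" / "LogViewer"
    project.mkdir(parents=True)
    fork.mkdir(parents=True)
    (fork / "composer.json").write_text(json.dumps({"name": "arcanedev/log-viewer"}))
    (project / "composer.json").write_text(json.dumps({
        "repositories": [{"type": "path", "url": url}],
        "require": {"arcanedev/log-viewer": constraint}}))
    return project, fork
```

With the layout from the question, "../forks/LogViewer" is reported as missing because it resolves inside projects/newable, while "../../forks/LogViewer" reaches the fork.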

