Ensure composer dist archive contains only useful files #101
willpower232 merged 1 commit into RobThree:master from cedric-anne:composer-archive
Conversation
Example of such issues in the past: https://nvd.nist.gov/vuln/detail/CVE-2017-9841 It's wrong to expose your
I agree, but I am working on an open-source application that people sometimes put on an unprotected web server. We do our best to prevent this, but we cannot control how the web server is configured, and I guess people may use such insecure configurations for every application they use.
willpower232 left a comment
great idea, I didn't know this was a thing
@cedric-anne just so you know, this didn't seem to change the files that ended up in my vendor folder, if you'd like to take another look at your discretion, I'd be happy to resolve this.
I believe the issue is the missing
We could indeed list ignored files in
I opened an issue on the composer/packagist repository to find out whether something should be changed there: composer/packagist#1364
My bad, see #103. |
With the proposed changes, GitHub configuration, demo, documentation and test files will no longer be included in composer dist archives.
Package weight will decrease from 175kB to 62kB. This is not a big change, but your package is downloaded almost 4k times per day, so in the long term it can save a lot of bandwidth.
Anyway, the problem is not only related to bandwidth and disk usage. On a project I work on, we had in the past a severe security flaw (unauthenticated RCE) that was located in a demo file of a library we used. I do not think there is such a flaw in your demo/test files (I did not try to find one), but now you know why I propose such a PR.
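The following is an added example, not code from this PR or from the project. It assumes the exclusions are expressed as `export-ignore` rules in `.gitattributes`, which `git archive` (and therefore a Composer dist archive built from a git checkout) honours; the `.gitattributes` content, the repository file list and the `verify_no_dev_paths` check are all constructed for illustration. It simulates which files would survive into the dist archive and then runs the kind of post-build check a maintainer can use to confirm that no demo or test file slipped through an incomplete rule set.

```python
"""Simulate a Composer dist archive under .gitattributes export-ignore rules.

Added example, not the PR's own code. It approximates gitattributes pattern
semantics with fnmatch; it is meant to show the mechanism and a verification
step, not to replace `git archive` itself.
"""
from fnmatch import fnmatchcase

# Constructed .gitattributes content (hypothetical, not the PR's diff).
GITATTRIBUTES = """
# Keep GitHub config, demos, docs and tests out of the dist archive
/.github          export-ignore
/demo             export-ignore
/docs             export-ignore
/tests            export-ignore
/.gitattributes   export-ignore
/.gitignore       export-ignore
/phpunit.xml.dist export-ignore
"""

# Constructed repository file list (paths are placeholders).
REPO_FILES = [
    ".github/workflows/ci.yml",
    ".gitattributes",
    ".gitignore",
    "LICENSE",
    "README.md",
    "composer.json",
    "demo/index.php",
    "docs/usage.md",
    "phpunit.xml.dist",
    "src/ExampleLibrary.php",
    "tests/ExampleTest.php",
]


def parse_export_ignore(text):
    """Return the patterns carrying the export-ignore attribute, in file order."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if "export-ignore" in parts[1:]:
            patterns.append(parts[0])
    return patterns


def _matches(pattern, path):
    """Approximate gitattributes matching.

    - a pattern containing '/' (leading or inner) is anchored at the repo root
      and a match on a directory covers everything beneath it;
    - a pattern without '/' matches any single path component.
    Caveat: fnmatch lets '*' cross '/' boundaries, unlike git.
    """
    parts = path.split("/")
    if "/" in pattern:
        anchored = pattern.lstrip("/")
        return any(fnmatchcase("/".join(parts[:i]), anchored)
                   for i in range(1, len(parts) + 1))
    return any(fnmatchcase(component, pattern) for component in parts)


def dist_archive_files(files, patterns):
    """Files that would remain in the archive after export-ignore is applied."""
    return sorted(f for f in files if not any(_matches(p, f) for p in patterns))


def verify_no_dev_paths(archive_files, forbidden_prefixes):
    """Post-build check: any archived path under a forbidden prefix is reported.

    An empty result means the archive is clean with respect to those prefixes.
    """
    return [f for f in archive_files
            if any(f.startswith(prefix) for prefix in forbidden_prefixes)]


if __name__ == "__main__":
    rules = parse_export_ignore(GITATTRIBUTES)
    shipped = dist_archive_files(REPO_FILES, rules)
    print("Shipped in dist archive:", shipped)
    # Deliberately incomplete rule set to show the check catching a demo file.
    leftovers = verify_no_dev_paths(dist_archive_files(REPO_FILES, ["/tests"]),
                                    ("demo/", "tests/"))
    print("Dev files that would leak with only /tests ignored:", leftovers)
```

The `verify_no_dev_paths` step is the part worth keeping in a release pipeline: run it against the actual member list of the built archive (for a real repository, the output of `git archive --list`-style inspection or of unpacking the downloaded dist) so that a rule that was never added, or that stopped matching after a directory rename, shows up before the package is published.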