I have a PHP project that uses composer for its PHP dependencies and bower for its front end dependencies. So basically I have a directory structure that looks something like this (a simplified version obviously):
/app
    /bower_components
    /public
    /vendor
        /foo
            /bar
                /src
                bower.json
                composer.json
    bower.json
    composer.json
    gulpfile.js
As you can see, the php dependency has some front end dependencies of its own, that are also managed with bower. However, when I run bower install from the root of my app, the bower file from inside my foo/bar dependency is ignored.
I do not want to build my front-end dependencies inside foo/bar in advance and just include those in my app using gulp, because foo/bar may have overlapping dependencies with my app (like jQuery or Bootstrap or something) and I obviously do not want to include those twice. And I also would prefer bower throwing an error when there are version conflicts for overlapping dependencies, rather than having to find out the hard way.
Ideally all my front end dependencies would end up in my root bower_components directory, both those from my app's bower.json, as well as those from vendor/foo/bar/bower.json. This way I can have gulp compile all those into a single (or probably a few) .js and .css file.
So the question is, is that possible? Can I have bower look at other bower.json files inside sub directories? Or is there a recommended way to automatically merge multiple bower.json files before bower is run?
I have spent the last hour scouring the web for a good solution to this problem, but I can't seem to come up with anything. (If you know of a good blog post or resource on this topic, please do share!) All google gives me are some basic bower tutorials, that are not very helpful here. Am I really the first one to run into this problem, or is there something fundamentally wrong in the way I am trying to tackle the issue at hand?
One way to tackle this (and a way Symfony CMF uses now) is to create bower packages for your PHP dependencies. This means you create a front-end bower package from your bundle, the package only contains the bower.json file with the dependencies.
Now, in your application's bower.json file, you can specify these "virtual" bower packages as requirements and run bower install. For instance:
{
    "dependencies": {
        "php-foobar": "^1.3"
    }
}
The composer plugins composer-extra-assets and composer-assets-plugin allow adding bower dependencies to composer.json.
composer-assets-plugin is implemented in pure php and turns bower packages into composer packages.
composer-extra-assets calls the "real" bower behind the scenes. It is installed (including the required nodejs) automatically though if you don't have it on your system.
Disclaimer: I'm the author of composer-extra-assets.
Related
I've just come across the https://github.com/FriendsOfPHP/security-advisories tool which looks like a great way to automatically scan for the vulnerabilities that are in that community-contributed database.
It scans a composer.lock file for packages with vulnerabilities. However, it's made me realise that my understanding of Composer is not what it should be!
I have a project that has a composer.json file that requires a single demo/package. That demo package also has requirements, like demo/dep.
The result of running composer install --no-dev is that I have a composer.lock file which includes:
demo/package version 1.0
demo/dep version 1.2
All good so far, and running symfony security:check /path/to/my/project/composer.lock gives me a green light, no vulnerabilities.
However on close inspection of the files now in my vendor dir, I can see there's a vendor/demo/package/composer.lock file, which contains references to demo/dep at version 1.1 - which has a security vulnerability against it.
As I understand, I have the safer 1.2 version installed - so says my project's composer.lock file, but why is a composer.lock file included with the vendor's package?
Does that mean that the dodgy code is installed somewhere, too? Or can I just simply ignore the composer.lock files if there's a composer.lock file in a dir above it or such? composer show does not list the versions in the nested lock file. Or maybe I should ignore composer.lock files if there's no sibling ./vendor/ dir?
Why not simply inspect your folders to find a vulnerable version? If there was any, you should find a vendor folder within that package, that's where that package could have installed stuff from its own composer.lock
Usually, only the composer.json of a package is evaluated to install dependencies. If there is a lock file within one package's folder, you should ask the maintainer of that package why this is the case, but for installing dependencies on your system, this does not matter.
Side note: writing "usually" refers to the standard model of installations. I've seen some crude stuff where Composer plugins put other rules in place, but this cannot be said for your project without knowing more about the structure.
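A small checker in the spirit of the answer above, added here as an example and not part of the original answer: it walks vendor/ for composer.lock files shipped inside dependencies, reports which packages they pin to a version different from the project's own lock file, and flags only those that also carry their own vendor/ tree, since that is the only case in which the nested lock's versions are actually installed. It assumes the standard composer.lock layout (packages and packages-dev arrays with name and version fields) and nothing else about the project.

```python
import json
import os
import sys

def load_lock_versions(lock_path):
    """Return {package name: version} pinned by a composer.lock file."""
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    versions = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            versions[pkg["name"]] = pkg["version"]
    return versions

def find_nested_locks(project_root):
    """List every composer.lock shipped inside vendor/ and how it differs from ours.

    A nested lock only matters if the package also carries its own vendor/ tree,
    because that is the only place Composer would have installed what it pins.
    """
    root_versions = load_lock_versions(os.path.join(project_root, "composer.lock"))
    findings = []
    for dirpath, _dirnames, filenames in os.walk(os.path.join(project_root, "vendor")):
        if "composer.lock" not in filenames:
            continue
        nested_path = os.path.join(dirpath, "composer.lock")
        nested_versions = load_lock_versions(nested_path)
        # Packages the nested lock pins to something other than what we installed.
        mismatches = {
            name: (version, root_versions.get(name))
            for name, version in nested_versions.items()
            if root_versions.get(name) != version
        }
        findings.append({
            "lock": os.path.relpath(nested_path, project_root),
            "installed_separately": os.path.isdir(os.path.join(dirpath, "vendor")),
            "mismatches": mismatches,
        })
    return findings

if __name__ == "__main__":
    for finding in find_nested_locks(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "HAS OWN vendor/ - inspect it" if finding["installed_separately"] else "informational only"
        print(f"{finding['lock']}: {status}")
        for name, (nested, ours) in finding["mismatches"].items():
            print(f"  {name}: nested lock pins {nested}, project installed {ours}")
```

Run it from the project root; a nested lock with no sibling vendor/ directory is exactly the situation described in the question, and is reported as informational only.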
I am working on the Laravel project, and intend to use Vue.js as its client-side scripting. When I searched the internet, I found that I had to use the npm install command. My question is if I run the order, will it affect the project I'm working on?
For example, in the directory structure or variable section?
It will change only package.json and the /node_modules folder (it will download the latest vue.js package into this folder) in your root directory. But it won't affect your existing codebase until you use them by importing or accessing them. It is like installing a package with composer but not using it. The downloaded package will stay in the /vendor folder and the package name in composer.json, composer.lock
Is it possible to completely remove the node_modules folder from a laravel app and not use it?
My app doesn't require any npm packages and I'm not using echo or pusher or any other API's that require npm packages, then
Is it OK to remove this unnecessary folder in my app, or does laravel somehow need it to work?
If your project doesn't require node packages then you can remove it, it's not necessary to run a Laravel project. But if you're using VueJS, or NodeJS then you need it.
composer update does not download node packages, it only installs packages in the vendor folder; node_modules is different and includes node packages.
If you want to install node packages, then use the npm install command to install them again.
Hope this helps you!
It is safe to remove the folder. The normal workflow would be to compile all CSS and JS files before deployment and copy them to the public/ directory, rendering the node_modules/ obsolete for deployment.
If anything breaks after you removed it, you can still bring it back with npm install.
I want to use Karma and Jasmine to test my AngularJS application. All of the documentation I've found to install Karma and Jasmine involve using npm. I can't use npm because I am restricted, the reason doesn't matter. So far I have pulled Jasmine and Karma from Github using zip files. I want to add Karma and Jasmine to my project, but I don't think unzipping the entire contents of the respective GitHub repos is the way to go.
I'd like to know what I need to make Karma and Jasmine usable within my AngularJS project without using npm.
I guess it is possible, but will take a huuuuuge amount of work because of the dependencies. If you take a look at karma's repository, you can find a file package.json (here). In this file there is a property dependencies (link), which lists the modules karma depends on. So you'll have to find their sources, manually download all of them with respective version number and put in the folder called node_modules created in the karma module folder. But each of these modules karma depends on also has dependencies listed in their own package.json - you'll have to download them too keeping in mind version numbers and putting them in module's node_modules folder. And this dependency nesting can be really really deep.
Some modules may have extra scripts to be executed after they have been installed (scripts), which are called by NPM by default on installation. Maybe there are some other things which I am not aware of. Generally speaking it was designed to be installed via NPM and it's rarely the case when someone has no access to use it.
I would advise to ask somebody who has access to NPM to do an install of required packages and share the result of installation with you. Everything will be installed in the node_modules folder of the directory you run NPM commands from, it would be easy to do.
Here you can download the version I've created, it has karma v0.13.1, karma-jasmine v0.3.6 and karma-chrome-launcher v0.2.0. I hope it will work for you, because we might have different OS (mine is Ubuntu 14.04 x64), I'm not sure if NPM does something OS-specific during installation of any package.
You should place the content of the archive to your project directory, to execute tests from your project folder use a terminal command:
./node_modules/karma/bin/karma start
I would still advise to solve the problem of accessing the NPM if you want to closely work with modules it stores.
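If you do end up assembling node_modules by hand as the answer describes (or receive one from a colleague), the following script, added here as an example and not part of the original answer, verifies that every dependency declared in each package.json resolves somewhere in the tree using the same lookup order Node uses (the package's own node_modules, then each parent directory's node_modules up to the project), and lists the ones that are missing. The package names and versions in the test are constructed for illustration and are not karma's real dependency list.

```python
import json
import os

def _package_meta(pkg_dir):
    """Read name, version and declared runtime dependencies from a package.json."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        meta = json.load(fh)
    return meta.get("name"), meta.get("version"), meta.get("dependencies", {})

def _resolve(dep_name, from_dir, project_dir):
    """Mimic Node's lookup: <dir>/node_modules/<dep>, then each parent dir up to the project."""
    current = os.path.abspath(from_dir)
    top = os.path.abspath(project_dir)
    while True:
        candidate = os.path.join(current, "node_modules", dep_name)
        if os.path.isfile(os.path.join(candidate, "package.json")):
            return candidate
        if current == top:
            return None
        current = os.path.dirname(current)

def check_tree(project_dir):
    """Walk the dependency graph rooted at project_dir/package.json.

    Returns (resolved, missing): resolved maps dep name -> set of versions found
    in the tree (more than one means duplicates to check against the declared
    ranges), missing lists (requiring package, dep, declared range) that resolve nowhere.
    """
    resolved, missing, seen = {}, [], set()
    pending = [os.path.abspath(project_dir)]
    while pending:
        pkg_dir = pending.pop()
        if pkg_dir in seen:
            continue
        seen.add(pkg_dir)
        name, _version, deps = _package_meta(pkg_dir)
        for dep, declared_range in deps.items():
            found = _resolve(dep, pkg_dir, project_dir)
            if found is None:
                missing.append((name, dep, declared_range))
                continue
            resolved.setdefault(dep, set()).add(_package_meta(found)[1])
            pending.append(found)
    return resolved, missing

if __name__ == "__main__":
    found, gaps = check_tree(".")
    for requirer, dep, rng in gaps:
        print(f"{requirer} needs {dep} {rng} but it is not in the tree")
```

The script checks presence and reports the versions it found; comparing those versions against the declared semver ranges is left to the reader, as the answer notes that version numbers must be matched by hand.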
I have a framework which uses plugins as subdirectories in the plugin/ directory. Plugins are git submodules and it works just fine. But some plugins require 3rd party libraries and I want to use Composer to install them. Also there are dependencies between plugins which could be handled by Composer too.
I tried to use composer, but it will install everything into vendor/ directory, which is wrong because plugins must go into plugin/ directory. There is also core of the framework in core/ and application specific files in app/ directory.
What is the best way to use Composer in this scenario?
There should be a way for Composer to decide which package is a plugin and should be placed in the plugins directory. In composer, there is a special type setting which you should use in that case.
Then you can use a custom installer to install the special plugin types in the plugin directory.