-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Audit dependencies #31
Comments
@asgrim I’ve only just started following this repo and applaud your efforts. And yes, the fewer dependencies the better for a project that is going to bootstrap installs. I’d go further and say That said, the most important thing upfront is to get a functioning extension manager out the door and extension authors buying in. Don’t let dependency worries slow this down! OT, but the big thing for me is to have tooling like renovate recognise when extensions need updating. |
being able to identify which extensions are installed is definitely in the works ( |
Discovered - if the target PHP install does not have Maybe something like: -echo json_encode(array_combine($exts, $extVersions));
+echo '{' . implode(',', array_map(fn($k, $v) => sprintf('"%s":"%s"', $k, $v), $exts, $extVersions)) . '}'; although prob needs escaping >.< will have a think about other potential ways. I'm trying to avoid using |
Dependencies assessment:
|
We are currently using some dependencies which MAY be problematic for maintenance.
Whilst not a big issue, if we want to support newer versions of PHP (e.g. 8.4 at the time of writing, is unreleased), we have to ensure we are compatible with the newer dependencies. For example, the constraint we have for
illuminate/container
is^10.47
, which would not allow version 11 (which I believe has fixed the PHP 8.4 issues). This is somewhat mitigated by our rootphp
constraint being explicitly8.1.*||8.2.*||8.3.*
(i.e., we do not yet support PHP 8.4), and this issue only surfaces when--ignore-platform-req=php
is used (e.g. for testing). The more third-party dependencies we have, the more we are constrained by upstream support. We should evaluate the dependencies we are using, and ensure it makes sense to continue using them or not.PSL - https://packagist.org/packages/azjezz/psl - was mentioned as problematic, since it relies on some extensions which not everyone always has installed (e..g
bcmath
,sodium
, etc.). This creates a chicken/egg problem if the extension someone wants to install isbcmath
! Whilst I love the functionality we're using inazjezz/psl
we may need to find another way; we're not using theazjezz/psl
parts that use those extensions (we're ONLY using the nicely-typed JSON parsing, and only in a couple of places), and I don't think it's reasonable at all to ask the author that these parts are split off into a separate package.ref: mongodb/mongo-php-driver#1624 (comment)
The text was updated successfully, but these errors were encountered: