
Ligonsker's avatar

Temporary workaround for no Composer with Laravel - Will that work?

  • This post is not as long as it looks like, it just contains packages list and some code samples, won't take much time to read, really

I currently have a Laravel 6 project. Due to security issues, the company blocked a lot of network traffic, including the composer websites, so I can't use composer right now.

So what I was thinking to do is: Let's say I need the package laravel-dompdf. What I want to do is to locally install an empty Laravel 6 project, then to install the laravel-dompdf package. This way I can see all the changes done in git.

Will copying/mimicking the changes done in my local computer to the other project make it work?

This is my plan:

First, copy the following packages to the vendor folder (The package and dependencies):

  • barryvdh/laravel-dompdf
  • dompdf/dompdf
  • masterminds/html5
  • phenx/php-font-lib
  • phenx/php-svg-lib
  • sabberworm/php-css-parser

Then there are many composer files changed:

  • composer.json
  • composer.lock
  • /vendor/composer/autoload_classmap.php
  • /vendor/composer/autoload_files.php
  • /vendor/composer/autoload_psr4
  • /vendor/composer/autoload_static.php
  • /vendor/composer/installed.json
  • /vendor/composer/installed.php

However, I think what's important for the package to work is the changes only in /vendor/composer/autoload_psr4 and /vendor/composer/installed.php.

The changes in autoload_psr4 are the namespaces, for example:

    'Barryvdh\\DomPDF\\' => array($vendorDir . '/barryvdh/laravel-dompdf/src'),

and the changes in installed.php:

        'barryvdh/laravel-dompdf' => array(
            'pretty_version' => 'v2.0.0',
            'version' => '2.0.0.0',
            'type' => 'library',
            'install_path' => __DIR__ . '/../barryvdh/laravel-dompdf',
            'aliases' => array(),
            'reference' => '<some_long_hash>',
            'dev_requirement' => false,
        ),

And of course for each of the other packages also do these changes as above to the autoload_psr4 and installed.php files.

Or, I'll also need to do the other changes in the other composer files? Although files like autoload_static are only some weird hashes and numbers so I don't think they're currently necessary, such as:

            // ...
            '732d45d8ee834vfa537fa454022839d7' => __DIR__ . '/..' . '/psy/psysh/src/functions.php',
        );
            // ...
            'Symfony\\Component\\Debug\\' => 24,
            'Symfony\\Component\\CssSelector\\' => 30,
            'Symfony\\Component\\Console\\' => 26,
            'Svg\\' => 4,
            'Sabberworm\\CSS\\' => 15,
Of course it should be a temporary solution till things can be sorted.

0 likes
15 replies
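An added example, not part of the original post or of Composer itself: after a manual vendor copy like the one planned above, this check compares `composer.lock` with `vendor/composer/installed.json` and reports packages that are missing, unlocked, or at a different version or reference. The function names, the sample data, and the `ref-*` placeholders are constructed for illustration.

```python
import json
import sys

def _index(packages):
    # name -> (version, reference); the reference sits under "source" or "dist"
    out = {}
    for p in packages:
        ref = (p.get("source") or p.get("dist") or {}).get("reference")
        out[p["name"].lower()] = (p.get("version"), ref)
    return out

def vendor_drift(lock, installed):
    """Return sorted (package, problem) tuples; an empty list means vendor/ matches the lock."""
    locked = _index((lock.get("packages") or []) + (lock.get("packages-dev") or []))
    # Composer 2 wraps the list in {"packages": [...]}; Composer 1 wrote a bare list.
    inst = installed["packages"] if isinstance(installed, dict) else installed
    present = _index(inst)
    problems = []
    for name, (version, ref) in locked.items():
        if name not in present:
            problems.append((name, "locked but not in vendor"))
        elif present[name][0] != version:
            problems.append((name, f"version {present[name][0]} != locked {version}"))
        elif present[name][1] != ref:
            problems.append((name, "reference differs from lock"))
    problems += [(n, "in vendor but not locked") for n in present if n not in locked]
    return sorted(problems)

# Constructed sample: dompdf/dompdf was copied at a different version, masterminds/html5
# was not copied, and phenx/php-font-lib was copied without a lock entry.
SAMPLE_LOCK = {"packages": [
    {"name": "barryvdh/laravel-dompdf", "version": "v2.0.0", "source": {"reference": "ref-a"}},
    {"name": "dompdf/dompdf", "version": "v2.0.1", "source": {"reference": "ref-b"}},
    {"name": "masterminds/html5", "version": "2.7.6", "source": {"reference": "ref-c"}},
], "packages-dev": []}
SAMPLE_INSTALLED = {"packages": [
    {"name": "barryvdh/laravel-dompdf", "version": "v2.0.0", "source": {"reference": "ref-a"}},
    {"name": "dompdf/dompdf", "version": "v2.0.0", "source": {"reference": "ref-b"}},
    {"name": "phenx/php-font-lib", "version": "0.5.4", "source": {"reference": "ref-d"}},
], "dev": True}

if __name__ == "__main__":
    docs = [SAMPLE_LOCK, SAMPLE_INSTALLED]
    if len(sys.argv) == 3:  # args: composer.lock vendor/composer/installed.json
        docs = [json.load(open(p)) for p in sys.argv[1:]]
    result = vendor_drift(*docs)
    print("\n".join(f"{n}: {why}" for n, why in result) or "vendor/ matches composer.lock")
    sys.exit(1 if result else 0)
```

If the vendor tree was built with `--no-dev`, the `packages-dev` entries of the lock file are reported as missing.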
sr57's avatar

@ligonsker

Your post needs to be clarified.

I deleted my previous post

No problem if nb answered to it, what's the use of this info?

Composer traffic is now blocked ...

? What does it mean?

What's your root problem? (in what context, ...)

1 like
Snapey's avatar

You would be better off copying the packages to a local repository and deploying them from there.

(but we have been here)

I think mimicking composer changes is a non-starter

1 like
Ligonsker's avatar

@sr57 Updated the post. The root problem is that I cannot use composer right now but I need to install packages

@snapey I know, but everything I suggested was denied. There is a Nexus Server apparently but not for PHP. They're afraid of PHP for some reason.

Why non starter? It will not work? Bad idea? It's for maybe one or two packages till we can sort it or just leave this place

Sinnbeck's avatar

@Ligonsker normally I would never recommend this framework but perhaps you need something without composer. Only problem is that you need to implement a lot more yourself (almost everything). You can take a look at "trongate framework"

1 like
Tray2's avatar

I would have a serious talk with your managers and ask them what the heck they expect you to do if they block the essentials for a modern php developer. One way to bypass it is connecting via your phone, and install it that way.

1 like
sr57's avatar

@ligonsker

Laravel 6 / Due to security issues, ... / they're afraid of PHP

Laravel 6 is at its end of security support

https://laravel.com/docs/9.x/releases

So question is not only a new package to install.

That said, your client should have a local dev server that should access composer.

Do the change process (new package and then upgrade) on this dev server, review one by one composer.lock changes, remove what you don't need (do relevant tests), get the minimal set installed and then deploy in prod.

1 like
Ligonsker's avatar

Thanks guys. I understand. We are still in discussions with the managers.

But will my suggestion work? To copy the entire vendor every time I need a new package, if they allow that?

It's not that I need so many packages all the time. And basically I replace one project's vendor with another's of same Laravel version, just with added package. Should that temporarily work?

It's almost as your suggestion to develop remotely. Just this time I only copy the vendor

sr57's avatar

To copy the entire vendor

Package installation does not only update the vendor directory; it often adds some config file(s), sometimes other file(s), and it can also update the db. Try locally and use a diff to see the change.

Regarding your problem, I would not play with an 'amateur' method until I have (defined) the right deployment method.

1 like
Ligonsker's avatar

@sr57 Yep I actually did some tests with installing packages with composer and noticed some extra changes other than vendor.

But, these changes are easier to do: It's code I can either copy paste to an email and then to a php file or write it myself. Most of the major changes were inside the vendor.

Yep, we're still on it with the security team. I just understood from them that this company mostly works with other languages that already have everything set up, like Java. And trying to implement that for PHP is costly.. although they are just being cheap, it's a company with a lot of money. I guess the security people want to impress people by saving as much money as possible while allowing outdated PHP versions instead of paying a bit to get a logical PHP development platform

sr57's avatar

these changes are easier to do

Agree, the only concern is that you must be very rigorous (define and test your process before) to not forget st  
1 like
Ligonsker's avatar

@sr57 I might end up making a no-composer version of Laravel 🤣😂😂

1 like
Ligonsker's avatar

update: I was told they could check the option of making Composer work on a Nexus Server again.

Does anyone know what this Nexus Server (or Nexus Repo) is? And can it work with composer?

Ligonsker's avatar

@sr57 @snapey @sinnbeck @tray2 Guys! Good news. I managed to set up my own private repository. It's so awesome! I have my own sort of GitHub now, it's called Satis

And it works from the downloaded zip files.

I know it would've been much better if I could somehow convince the security team to completely open traffic to Composer, because they make many mistakes when they manually scan (although they did find out about the RCE vulnerability which was fixed, thanks to @sinnbeck for the findings).

And I will continue trying to convince them to open traffic. But the current setup seems to be good for now:

I used Satis, which is made by the same people who make Composer. After you set up your own local Satis repo, it also creates a cool web page where you can view your repos after installing them: https://i.imgur.com/Ih3jhjp.png

that's pretty cool

1 like
