
Ligonsker

Is this the right procedure to manually create a Laravel project?

Since Laravel uses the composer create-project command, and I need to manually install it from my local repo, is this the correct way to make a new Laravel project:

  1. Extract the zip downloaded from https://github.com/laravel/laravel
  2. Download the zip files for each of the required packages:
        "php": "^8.0.2",
        "guzzlehttp/guzzle": "^7.2",
        "laravel/framework": "^9.19",
        "laravel/sanctum": "^3.0",
        "laravel/tinker": "^2.7"

and then run composer install? Should that work?

I ask because there's a part where I actually just unzip the content of laravel/laravel without using any composer command, basically copying the content of https://github.com/laravel/laravel. (Does that mimic the composer create-project laravel/laravel command well?)

0 likes
17 replies
MohamedTammam

I don't recommend that, but yeah it should work.

Why would you do that? What's the problem with the create-project command?

1 like
Ligonsker

@MohamedTammam Secured company, no composer to the outside world. I did, however, manage to finally find something that works: Satis.

But so far I have only used Satis for packages that use composer install. I might try to get it to work with create-project as well.

Btw, why is it not recommended to just download Laravel directly? What could go wrong?

Tray2

@Ligonsker Like I said, they should fire the security people.

I don't think doing any of the above is a good solution.

What you can try is to do a fresh install on your own computer, then zip that directory and all its subdirectories, put it on a USB drive and unzip it on your work computer.

1 like
Ligonsker

@Tray2 I know 😥 But I am pretty sure they have some detection for USB drive insertions? But I won't do something that bypasses security, because then they'll come to me with complaints.

They want to manually check it. But you know what's funny? They randomly deny or accept certain packages.. sometimes the other developers and I request the same packages and we get different answers lol . . .

So they're not really doing anything good manually. Of course you're correct about them. They're really bad at that.

Tray2

@Ligonsker Mail the zip to your work mail then, or create a draft and store it there. I guess you have remote access to your email.

1 like
Ligonsker

@Tray2 Haha nope, no remote access to email, and even mail items are scanned and blocked. This is a big financial corporation, so I understand the policy. However, the current security team is bad, as they are not consistent.

jlrdw

@Ligonsker If they are that worried about security, I am surprised the company isn't using the Spring framework.

And for certain banking or financial, I would avoid certain JavaScript frameworks. Just my opinion.

1 like
Tray2

@Ligonsker If I were you I would quit and look for another job. There is no way in hell I'm going to work somewhere that prevents me from doing my job.

1 like
Ligonsker

@Tray2 I might just convert to work with the security team instead 🤣

1 like
martinbean

@Tray2 I imagine Ligonsker is paid handsomely enough to make the chore worthwhile, though 😉

If you can’t run composer create-project, then I don’t see how you’ll be able to run composer install either, which downloads packages from the public Packagist site?

1 like
Ligonsker

@martinbean @tray2 Haha, it is ok :D. I also love the fact they allow me to work from home, so I'm ok with that for now.

And you are correct about composer create-project; however, for certain projects like Laravel, they do give a bit more trust and allow installing on a computer that's outside the internal network, then they put the entire blank project inside the network. I will also show them that Satis is an official project by Composer, so they should also allow that after scanning.

This takes time because they still go over every package in vendor and check it. However, the use of create-project is less common than adding new packages with composer install.

Another thing I would need to do after I have the blank project: I will need to zip each package in vendor and add it to the Satis repo, because whenever I run composer install it will not be able to install these packages if they don't exist in my local repo. It's going to be really annoying to separately zip each package.. unless I find some way to do it quicker haha. Because when I run composer install while offline (tested in my local network), then even if the other packages are already installed, it will still fail to install only the missing package when it can't connect to Packagist. Unless I find a way to make it ignore the fact that it can't connect to Packagist and only install my added packages.

So right now what I need is for them to do composer create-project for both Satis and Laravel 9; then whenever I need packages it should take less time, as they just drop them in my zip packages folder, I run php bin/satis build, and it's ready.

It is still cumbersome, and I haven't actually tested it outside my local PC, but if it works, it is much better than being stuck for years on Laravel 6 and unsupported packages.
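The two procedures discussed in this thread, the original question's "unzip laravel/laravel, fetch each dependency as a zip, run composer install" and the later "zip each package in vendor so an offline composer install stops failing on Packagist", can both be done with Composer's built-in artifact repository: a directory of zip archives, each containing its own composer.json, that Composer resolves without any network access once packagist.org is disabled. The script below is an added example (my code, not Laravel's, Composer's or Satis's) that produces such a directory from a project that was installed once on a connected machine. It assumes Composer 2's vendor/composer/installed.json layout, where each entry carries name, version and an install-path relative to vendor/composer/; the script name pack-vendor.php and the artifacts/ output directory are my own choices.

```php
<?php
declare(strict_types=1);

// pack-vendor.php (added example, not Laravel's, Composer's or Satis's code).
// Reads vendor/composer/installed.json, writes one zip per installed package
// into an output directory, pins name+version inside each archive's
// composer.json, and records a SHA256SUMS manifest for the people who scan
// the archives before they are allowed onto the internal network.
// Assumption: Composer 2 layout, {"packages":[{"name","version","install-path",...}]}.

function loadInstalledPackages(string $vendorDir): array
{
    $json = file_get_contents($vendorDir . '/composer/installed.json');
    if ($json === false) {
        throw new RuntimeException("cannot read $vendorDir/composer/installed.json");
    }
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return $data['packages'] ?? $data; // Composer 1 wrote a bare array
}

// vendor/name + v1.2.3 -> vendor-name-1.2.3.zip (the artifact repository also
// accepts this filename form as a version fallback)
function archiveFileName(string $name, string $version): string
{
    return str_replace('/', '-', $name) . '-' . ltrim($version, 'v') . '.zip';
}

// An installed.json entry is a complete package definition; drop only the
// installer bookkeeping keys before writing it as the archive's composer.json.
function packageMetadata(array $pkg): array
{
    foreach (['install-path', 'installation-source', 'version_normalized',
              'dist', 'source', 'notification-url'] as $key) {
        unset($pkg[$key]);
    }
    return $pkg;
}

function packPackage(array $pkg, string $srcDir, string $zipPath): int
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zipPath");
    }
    $base = rtrim((string) realpath($srcDir), DIRECTORY_SEPARATOR);
    $files = 0;
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $relative = str_replace('\\', '/', substr($path, strlen($base) + 1));
        if ($relative === 'composer.json') {
            continue; // replaced below by the version-pinned copy
        }
        if ($info->isDir()) {
            $zip->addEmptyDir($relative);
        } else {
            $zip->addFile($path, $relative);
            $files++;
        }
    }
    $zip->addFromString('composer.json', json_encode(packageMetadata($pkg),
        JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR));
    $zip->close();
    return $files;
}

// Returns [archive file name => sha256] and writes SHA256SUMS beside the zips.
function packVendor(string $vendorDir, string $outDir): array
{
    if (!is_dir($outDir) && !mkdir($outDir, 0755, true)) {
        throw new RuntimeException("cannot create $outDir");
    }
    $manifest = [];
    foreach (loadInstalledPackages($vendorDir) as $pkg) {
        if (empty($pkg['install-path'])) {
            continue; // metapackages own no files
        }
        $src = $vendorDir . '/composer/' . $pkg['install-path'];
        $zipPath = $outDir . '/' . archiveFileName($pkg['name'], $pkg['version']);
        packPackage($pkg, $src, $zipPath);
        $manifest[basename($zipPath)] = hash_file('sha256', $zipPath);
    }
    $lines = '';
    foreach ($manifest as $file => $sum) {
        $lines .= "$sum  $file\n"; // sha256sum -c compatible
    }
    file_put_contents($outDir . '/SHA256SUMS', $lines);
    return $manifest;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $outDir = $argv[2] ?? 'artifacts';
    $manifest = packVendor($argv[1] ?? 'vendor', $outDir);
    printf("%d archives written to %s\n", count($manifest), $outDir);
    // Repository stanza for composer.json on the offline side.
    echo json_encode(['repositories' => [
        ['type' => 'artifact', 'url' => $outDir],
        ['packagist.org' => false],
    ]], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
}
```

Run it as php pack-vendor.php vendor artifacts on the connected machine, carry artifacts/ across, and put the printed repositories stanza into the project's composer.json. The "packagist.org": false entry is what stops composer install from failing when it cannot reach Packagist: Composer then resolves every requirement, including the ones already in vendor, against the zips alone, so a composer.lock produced on the connected side installs unchanged. The same repository stanza works in satis.json, since Satis reuses Composer's repository types, so the zips can feed a Satis build instead of being consumed directly. The SHA256SUMS file is the part worth handing to the security team: an archive's hash taken when it was scanned and re-checked with sha256sum -c inside the network establishes that what was reviewed is what gets installed, which is the one property a private mirror can add over pulling the same code from Packagist.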

Ligonsker

@jlrdw They told me they mostly support Java and NodeJS, so I think they are using Spring for other projects. From what I understood, the previous developer who was hired and started this project was also a novice, and since the manager who wanted this system is not technical enough to understand the future implications of choosing certain stacks, Laravel was chosen even though it did not have much support in this company. I am surprised no one on the IT team at the time said something about choosing PHP/Laravel (or even allowed it) if it's not supported like that.

martinbean

"It is still cumbersome, and I haven't actually tested it outside my local PC, but if it works, it is much better than being stuck for years on Laravel 6 and unsupported packages"

@Ligonsker This makes absolutely no sense.

So they won’t let you directly connect to Packagist because of security reasons, but happy for you to remain on old and potentially insecure versions of software…?

I also fail to see how maintaining a private mirror of Packagist really solves the problem either if you’re just pulling packages from a public package repository, to a private package repository… It’s still the same packages and code.

jlrdw

@Ligonsker A while back there was an exploit in Laravel; maybe that makes the team more nervous: https://github.com/ambionics/laravel-exploits

A side note: I do not use extra packages, just the ones that come with Laravel. In one app for a non-profit bank, (checking) data is imported, but I wrote the CSV import function to handle it; I do not use the Laravel Excel package.

Just because a package is on GitHub does not mean it's safe. However, the most used and well-updated ones are normally safe.

Like the Laravel Excel one: I am sure it is safe, but I do not need such a package myself to import CSV data.

Edit:

One problem in Laravel is that so many trust validation alone. Don't; use validation and strip_tags.

1 like
Ligonsker

@jlrdw Yep, they're not consistent (I told someone here that the team actually accepted a certain package but rejected the same package when inspected by another person).

And I hope they won't find out about this exploit xD

By strip_tags you mean to use PHP's strip_tags function on every user input, right? What about htmlspecialchars instead?
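The three operations named in the last two posts (validation, strip_tags, htmlspecialchars) do different jobs, so the useful comparison is to run one value through each and look at what changes. The script below is an added example (my code, not jlrdw's, Ligonsker's or Laravel's); the display-name rule in validateDisplayName and the three sample strings are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not jlrdw's, Ligonsker's or Laravel's code): validation,
// input sanitising with strip_tags, and output escaping with htmlspecialchars
// applied to the same constructed inputs.

// 1. Validation answers "is this value acceptable at all?" and rejects rather
//    than repairs. The rule here is a constructed one for a display name:
//    letters, digits, spaces, a few punctuation marks, at most 40 characters.
function validateDisplayName(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 40) {
        return null;
    }
    return preg_match('/^[\p{L}\p{N} .\'-]+$/u', $value) === 1 ? $value : null;
}

// 2. strip_tags() changes the stored value: markup is removed, but quotes and
//    ampersands, which matter once the value lands in HTML, are left alone.
function sanitizeFreeText(string $raw): string
{
    return trim(strip_tags($raw));
}

// 3. Output escaping encodes for the HTML context at render time and leaves
//    the stored value untouched. Same flags Laravel's e() helper, and thus
//    Blade's {{ }}, passes to htmlspecialchars.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, not taken from the thread.
$samples = [
    "Alice O'Neil",        // clean value with an apostrophe
    '<b>Alice</b>',        // markup in a field that should hold none
    'Smith & Sons "Ltd"',  // no tags, but HTML-significant characters
];

foreach ($samples as $raw) {
    printf("input:      %s\n", $raw);
    printf("validated:  %s\n", validateDisplayName($raw) ?? '(rejected)');
    printf("strip_tags: %s\n", sanitizeFreeText($raw));
    printf("escaped:    %s\n\n", escapeForHtml($raw));
}
```

Reading the output side by side makes the division of labour visible: validation rejects the second and third inputs outright and is the only step that can say "this field never contains markup"; strip_tags alters only the second input and silently stores a different value from what the user sent; escaping is the only step that changes the third input, and it also encodes the apostrophe in the first, which is why it belongs at the output boundary rather than on the way in. Stripping tags at input and escaping at output are therefore complementary rather than alternatives, and neither replaces the validation rule.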
