mxr576 / ddqg
Drupal Dependency Quality Gate - aims to help run Drupal projects on secure and high-quality Drupal dependencies
Installs: 464
Dependents: 1
Suggesters: 0
Security: 0
Stars: 2
Watchers: 2
Forks: 0
Open Issues: 6
Type: project
Requires
- php: ~8.1.0 || ~8.2.0
- composer-runtime-api: ^2.2
- caseyamcl/guzzle_retry_middleware: ^2.8
- composer/semver: ^3.3
- guzzlehttp/guzzle: ^7.5
- halaxa/json-machine: ^1.1
- kevinrob/guzzle-cache-middleware: ^4.0
- league/flysystem: ^1.1.10
- loophp/collection: ^7.1
- loophp/iterators: ^2.3
- prewk/xml-string-streamer: ^1.2
- psr/log: ^3.0
Requires (Dev)
- ergebnis/composer-normalize: ^2.30
- friendsofphp/php-cs-fixer: ^3.16
- monolog/monolog: ^3.3
- phpstan/phpstan: ^1.10
- phpstan/phpstan-deprecation-rules: ^1.0
- symfony/stopwatch: ^6.2
This package is auto-updated.
Last update: 2024-12-22 00:52:46 UTC
README
This project aims to help run Drupal projects on secure and high-quality Drupal dependencies.
CHECK OUT the mxr576/ddqg-composer-audit package, which extends the composer audit command with advisories originating from the releases matching ^dev-no-[a-zA-Z]+-versions$.
Releases
Releases of this package that match the ^dev-no-[a-zA-Z]+-versions$ regex ensure that your project does not have installed dependencies with known quality problems. Require the one you need as a dev dependency:
$ composer require --dev mxr576/ddqg:[dev-no-insecure-versions|dev-no-unsupported-versions|dev-non-d10-compatible-versions]
dev-no-insecure-versions: Project releases (versions) affected by public security advisories (PSAs), only in currently supported branches of a project.
dev-no-deprecated-versions:
- Projects flagged with the Obsolete development status by maintainers
dev-no-unsupported-versions: This was inspired by this thread and it is a list of:
- Projects flagged with the Unsupported maintenance status by maintainers
- Project releases (versions) from unsupported branches
- Project releases that are not covered by the Drupal Security Team
dev-non-d10-compatible-versions: For Drupal 9 projects only, prevents installation of package versions that are not Drupal 10 compatible. It can make the Drupal 10 upgrade less painful.
- Warning: This is only ~99% accurate, because core compatibility information sometimes cannot be identified from the information available in the Update Status API. See the GitHub Actions logs for skipped projects/versions.
- [PLANNED] An opinionated list of projects that should be avoided
Should you depend on both dev-no-insecure-versions and dev-no-unsupported-versions at the same time?
YES, you should. dev-no-insecure-versions only contains version ranges affected by a PSA if they are in a branch that is still supported by the maintainers. When a branch becomes unsupported, the related version ranges disappear from this list.
The reasoning behind this implementation is that if a branch is not supported by the maintainers (nor covered by the Drupal Security Team), then your biggest problem is not that you depend on a version with a known PSA (which may or may not be exploitable in your project) but that your project depends on an unsupported version at all.
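The following script is an added illustration of why the two gates above are complementary; it is not code from mxr576/ddqg. It assumes that a dev-no-*-versions release expresses its gate as a Composer conflict map (package name => version constraint), which is an assumption made for the example, and it evaluates that map with Composer\Semver\Semver::satisfies() from composer/semver, the same library the package itself requires. All package names, version ranges and the installed set are constructed for the example.

```php
<?php
// Added example, not part of mxr576/ddqg. Assumes (unverified here) that a
// dev-no-*-versions release ships its gate as a Composer "conflict" map of
// package name => version constraint. Every package and range below is
// constructed for illustration; none is a real Drupal project or advisory.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // provides composer/semver ^3.3

use Composer\Semver\Semver;

// Constructed stand-in for a dev-no-insecure-versions release: PSA-affected
// ranges, but only for branches the maintainers still support (2.x here).
// The 1.x branch also had a PSA, but its range was dropped when 1.x lost support.
const INSECURE_GATE = [
    'drupal/example_a' => '>=2.0,<2.0.5',
];

// Constructed stand-in for a dev-no-unsupported-versions release: whole
// unsupported branches and projects flagged Unsupported by their maintainers.
const UNSUPPORTED_GATE = [
    'drupal/example_a' => '<2.0', // 1.x branch is end-of-life
    'drupal/example_b' => '*',    // whole project flagged Unsupported
];

/**
 * Report which installed packages each gate would reject.
 *
 * @param array<string,string>               $installed package name => installed version
 * @param array<string,array<string,string>> $gates     gate name => conflict map
 * @return array<string,list<string>> gate name => list of "package version" strings
 */
function gateViolations(array $installed, array $gates): array
{
    $violations = [];
    foreach ($gates as $gateName => $conflicts) {
        foreach ($installed as $package => $version) {
            if (!isset($conflicts[$package])) {
                continue;
            }
            // Semver::satisfies() evaluates a Composer constraint string against
            // a concrete version, which is what a conflict entry does at install time.
            if (Semver::satisfies($version, $conflicts[$package])) {
                $violations[$gateName][] = "$package $version";
            }
        }
    }
    return $violations;
}

// Constructed installed set, mirroring name/version pairs from a composer.lock.
$installed = [
    'drupal/example_a' => '1.9.0', // old branch with a historical PSA, now unsupported
    'drupal/example_b' => '3.1.0',
    'drupal/example_c' => '4.0.0',
];

print_r(gateViolations($installed, ['insecure' => INSECURE_GATE]));
print_r(gateViolations($installed, [
    'insecure'    => INSECURE_GATE,
    'unsupported' => UNSUPPORTED_GATE,
]));
```

With only the insecure gate, drupal/example_a 1.9.0 passes, because the 1.x ranges are no longer in that gate's list; adding the unsupported gate is what catches both example_a 1.9.0 and example_b. That is the situation the answer above describes, and it is why a project should require both releases rather than treating the insecure gate as sufficient.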
TODOs
- Ignore releases with Drupal 7 compatibility as there is no plan to support Drupal 7