gstreamer0.10-ffmpeg
gstreamer0.10-plugins-good packages.
We're going to install a totally new package into our app called the "security checker". The security checker is a tool that looks at your application's dependencies and tell you if any of them have known security vulnerabilities. But, full disclosure, as cool as that is... the real reason I want to install this library is because it's a great way to look at Symfony's all-important "recipe" system.
At your terminal, run:
composer require sec-checkerIn a real app, you should probably pass --dev to add this to your dev dependencies... but it won't matter for us.
There is, however, something weird here. Specifically... sec-checker is not a valid package name! In the Composer world, every package must be something/something-else: it can't just be sec-checker. So what the heck is going on?
Back in PhpStorm, open up composer.json. When we started the project, we had just a few dependencies in this file. One of them is symfony/flex.
| { | |
| ... lines 2 - 3 | |
| "require": { | |
| "php": "^7.2.5", | |
| "ext-ctype": "*", | |
| "ext-iconv": "*", | |
| "sensio/framework-extra-bundle": "^5.5", | |
| "sensiolabs/security-checker": "^6.0", | |
| "symfony/console": "5.0.*", | |
| "symfony/dotenv": "5.0.*", | |
| "symfony/flex": "^1.3.1", | |
| "symfony/framework-bundle": "5.0.*", | |
| "symfony/yaml": "5.0.*" | |
| }, | |
| ... lines 16 - 67 | |
| } |
This is a composer plugin that adds two special features to Composer itself. The first is called "aliases".
At your browser, go to http://flex.symfony.com to find and big page full of packages. Search for security. Better, search for sec-checker. Boom! This says that there is a package called sensiolabs/security-checker and it has aliases of sec-check, sec-checker, security-checker and some more.
The alias system is simple: because Symfony Flex is in our app, we can say composer require security-checker, and it will really download sensiolabs/security-checker.
You can see this in our terminal: we said sec-checker, but ultimately it downloaded sensiolabs/security-checker. That's also what Composer added to our composer.json file. So... aliases are just a nice shortcut feature... but it's kinda cool! You can almost guess an alias when you want to install something. Want a logger? Run composer require logger to get the recommended logger. Need to mail something? composer require mailer. Need to eat a cake? composer require cake!
The second feature that Flex adds to Composer is the really important one. It's the recipe system.
Back at the terminal, after installing the package, it said:
Symfony operations: 1 recipe configuring sensiolabs/security-checker.
Interesting. Run:
git statusWhoa! We expected composer.json and composer.lock to be modified... that's how composer works. But something also modified a symfony.lock file... and added a totally new security_checker.yaml file!
Ok, first, symfony.lock is a file that's managed by Flex. You don't need to worry about it, but you should commit it. It keeps a big list of which recipes have been installed.
So, who created the other file? Open it up: config/packages/security_checker.yaml.
| services: | |
| _defaults: | |
| autowire: true | |
| autoconfigure: true | |
| SensioLabs\Security\SecurityChecker: null | |
| SensioLabs\Security\Command\SecurityCheckerCommand: null |
Each package you install may have a Flex "recipe". The idea is beautifully simple. Instead of telling people to install a package and then create this file, and update this other file in order to get things working, Flex executes a recipe which... just does that stuff for you! This file was added by the sensiolabs/security-checker recipe!
You don't need to worry about the specifics of what's inside this file right now. The point is, thanks to this file, we have a new bin/console command. Run:
php bin/consoleSee that security:check command? That wasn't there a second ago. It's there now thanks to the new YAML file. Try it:
php bin/console security:checkNo packages have known vulnerabilities! Awesome!
Here is the big picture: thanks to the recipe system, whenever you install a package, Flex will check to see if that package has a recipe and, if it does, will install it. A recipe can do many things, like add files, create directories or even modify a few files, like adding new lines to your .gitignore file.
The recipe system is a game-changer. I love it because anytime I need a new package, all I need to do is install it. I don't need to add configuration files or modify anything because the recipe automates all that boring work.
In fact, this recipe did something else we didn't notice. At the terminal, run:
git diff composer.jsonWe expected that Composer would add this new line to the require section. But there is also a new line under the scripts section. That was done by the recipe.
| { | |
| ... lines 2 - 3 | |
| "require": { | |
| ... lines 5 - 8 | |
| "sensiolabs/security-checker": "^6.0", | |
| ... lines 10 - 14 | |
| }, | |
| ... lines 16 - 45 | |
| "scripts": { | |
| "auto-scripts": { | |
| ... lines 48 - 49 | |
| "security-checker security:check": "script" | |
| }, | |
| ... lines 52 - 57 | |
| }, | |
| ... lines 59 - 67 | |
| } |
Thanks to this, whenever you run:
composer installAfter it finishes, it automatically runs the security checker.
The point is: to use the security checker, the only thing we needed to do was... install it. Its recipe took care of the rest of the setup.
Now... if you're wondering:
Hey! Where the heck does this recipe live? Can I see it?
That's a great question! Let's find out where these recipes live and what they look like next.
// composer.json
{
"require": {
"php": "^7.2.5",
"ext-ctype": "*",
"ext-iconv": "*",
"easycorp/easy-log-handler": "^1.0.7", // v1.0.9
"sensio/framework-extra-bundle": "^5.5", // v5.5.3
"symfony/asset": "5.0.*", // v5.0.5
"symfony/console": "5.0.*", // v5.0.4
"symfony/debug-bundle": "5.0.*", // v5.0.4
"symfony/dotenv": "5.0.*", // v5.0.4
"symfony/flex": "^1.3.1", // v1.9.10
"symfony/framework-bundle": "5.0.*", // v5.0.4
"symfony/monolog-bundle": "^3.0", // v3.5.0
"symfony/profiler-pack": "*", // v1.0.4
"symfony/twig-pack": "^1.0", // v1.0.0
"symfony/var-dumper": "5.0.*", // v5.0.4
"symfony/webpack-encore-bundle": "^1.7", // v1.7.3
"symfony/yaml": "5.0.*" // v5.0.4
},
"require-dev": {
"symfony/profiler-pack": "^1.0" // v1.0.4
}
}