WEBVTT

NOTE Created by CaptionSync from Automatic Sync Technologies www.automaticsync.com

00:00:01.026 --> 00:00:06.026 align:middle
We're going to install a totally new package
into our app called the "security checker".

00:00:06.416 --> 00:00:11.916 align:middle
The security checker is a tool that looks at
your application's dependencies and tells you

00:00:11.916 --> 00:00:15.696 align:middle
if any of them have known
security vulnerabilities.

00:00:16.496 --> 00:00:20.166 align:middle
But, full disclosure, as cool as that is...

00:00:20.316 --> 00:00:26.016 align:middle
the real reason I want to install this
library is because it's a great way to look

00:00:26.016 --> 00:00:29.146 align:middle
at Symfony's all-important "recipe" system.

00:00:30.056 --> 00:00:35.116 align:middle
At your terminal, run: composer
require sec-checker. In a real app,

00:00:35.236 --> 00:00:40.586 align:middle
you should probably pass --dev to
add this to your dev dependencies...

00:00:40.636 --> 00:00:42.216 align:middle
but it won't matter for us.

00:00:42.866 --> 00:00:45.866 align:middle
There is, however, something weird here.

00:00:46.306 --> 00:00:47.426 align:middle
Specifically...

00:00:47.626 --> 00:00:51.336 align:middle
sec-checker is not a valid package name!

00:00:51.716 --> 00:00:57.556 align:middle
In the Composer world, every package
must be something/something-else:

00:00:57.856 --> 00:00:59.766 align:middle
it can't just be sec-checker.

00:01:00.216 --> 00:01:02.036 align:middle
So what the heck is going on?

00:01:02.766 --> 00:01:05.766 align:middle
Back in PhpStorm, open up composer.json.

00:01:06.416 --> 00:01:11.126 align:middle
When we started the project, we had
just a few dependencies in this file.

00:01:11.766 --> 00:01:14.516 align:middle
One of them is symfony/flex.

00:01:14.916 --> 00:01:21.756 align:middle
This is a composer plugin that adds two
special features to Composer itself.

00:01:21.756 --> 00:01:24.006 align:middle
The first is called "aliases".

00:01:25.186 --> 00:01:31.146 align:middle
At your browser, go to http://flex.symfony.com
to find a big page full of packages.

00:01:31.196 --> 00:01:33.206 align:middle
Search for security.

00:01:34.516 --> 00:01:37.026 align:middle
Better, search for sec-checker.

00:01:37.586 --> 00:01:46.146 align:middle
Boom! This says that there is a package called
sensiolabs/security-checker and it has aliases

00:01:46.146 --> 00:01:51.496 align:middle
of sec-check, sec-checker,
security-checker and some more.

00:01:52.026 --> 00:01:56.536 align:middle
The alias system is simple:
because Symfony Flex is in our app,

00:01:56.896 --> 00:02:00.456 align:middle
we can say composer require security-checker,

00:02:00.736 --> 00:02:05.316 align:middle
and it will really download
sensiolabs/security-checker.

00:02:06.146 --> 00:02:09.666 align:middle
You can see this in our terminal:
we said sec-checker,

00:02:10.036 --> 00:02:14.426 align:middle
but ultimately it downloaded
sensiolabs/security-checker.

00:02:14.866 --> 00:02:18.716 align:middle
That's also what Composer added
to our composer.json file.

00:02:19.916 --> 00:02:23.456 align:middle
So... aliases are just a
nice shortcut feature...

00:02:23.896 --> 00:02:25.696 align:middle
but it's kinda cool!

00:02:26.136 --> 00:02:29.756 align:middle
You can almost guess an alias when
you want to install something.

00:02:30.236 --> 00:02:31.206 align:middle
Want a logger?

00:02:31.676 --> 00:02:35.906 align:middle
Run composer require logger
to get the recommended logger.

00:02:36.676 --> 00:02:38.006 align:middle
Need to mail something?

00:02:38.956 --> 00:02:40.486 align:middle
composer require mailer.

00:02:43.226 --> 00:02:44.276 align:middle
Need to eat a cake?

00:02:44.486 --> 00:02:46.156 align:middle
composer require cake!

00:02:46.926 --> 00:02:51.506 align:middle
The second feature that Flex adds to
Composer is the really important one.

00:02:51.786 --> 00:02:53.406 align:middle
It's the recipe system.

00:02:53.406 --> 00:03:00.306 align:middle
Back at the terminal, after installing
the package, it said: Symfony operations:

00:03:00.486 --> 00:03:05.656 align:middle
1 recipe configuring
sensiolabs/security-checker.

00:03:06.396 --> 00:03:07.006 align:middle
Interesting.

00:03:07.466 --> 00:03:11.276 align:middle
Run: git status. Whoa!

00:03:12.056 --> 00:03:16.876 align:middle
We expected composer.json and
composer.lock to be modified...

00:03:16.996 --> 00:03:18.636 align:middle
that's how composer works.

00:03:19.026 --> 00:03:22.626 align:middle
But something also modified
a symfony.lock file...

00:03:23.156 --> 00:03:28.276 align:middle
and added a totally new security_checker.yaml
file!

00:03:29.036 --> 00:03:34.236 align:middle
Ok, first, symfony.lock is a
file that's managed by Flex.

00:03:34.236 --> 00:03:37.796 align:middle
You don't need to worry about
it, but you should commit it.

00:03:38.286 --> 00:03:41.946 align:middle
It keeps a big list of which
recipes have been installed.

00:03:43.356 --> 00:03:45.136 align:middle
So, who created the other file?

00:03:45.696 --> 00:03:50.476 align:middle
Open it up:
config/packages/security_checker.yaml.

00:03:50.976 --> 00:03:54.886 align:middle
Each package you install
may have a Flex "recipe".

00:03:55.516 --> 00:03:58.096 align:middle
The idea is beautifully simple.

00:03:59.006 --> 00:04:03.986 align:middle
Instead of telling people to install
a package and then create this file,

00:04:03.986 --> 00:04:10.446 align:middle
and update this other file in order to get
things working, Flex executes a recipe which...

00:04:10.646 --> 00:04:12.676 align:middle
just does that stuff for you!

00:04:13.226 --> 00:04:18.306 align:middle
This file was added by the
sensiolabs/security-checker recipe!

00:04:18.836 --> 00:04:23.106 align:middle
You don't need to worry about the specifics
of what's inside this file right now.

00:04:23.596 --> 00:04:28.536 align:middle
The point is, thanks to this file,
we have a new bin/console command.

00:04:29.166 --> 00:04:34.766 align:middle
Run: php bin/console. See
that security:check command?

00:04:35.396 --> 00:04:37.176 align:middle
That wasn't there a second ago.

00:04:37.756 --> 00:04:40.836 align:middle
It's there now thanks to the new YAML file.

00:04:41.626 --> 00:04:49.066 align:middle
Try it: php bin/console security:check.
No packages have known vulnerabilities!

00:04:49.376 --> 00:04:57.036 align:middle
Awesome! Here is the big picture: thanks to the
recipe system, whenever you install a package,

00:04:57.276 --> 00:05:03.966 align:middle
Flex will check to see if that package has
a recipe and, if it does, will install it.

00:05:03.966 --> 00:05:12.086 align:middle
A recipe can do many things, like add files,
create directories or even modify a few files,

00:05:12.576 --> 00:05:15.366 align:middle
like adding new lines to your .gitignore file.

00:05:16.496 --> 00:05:19.196 align:middle
The recipe system is a game-changer.

00:05:19.716 --> 00:05:25.816 align:middle
I love it because anytime I need a new
package, all I need to do is install it.

00:05:25.816 --> 00:05:29.176 align:middle
I don't need to add configuration
files or modify anything

00:05:29.316 --> 00:05:32.556 align:middle
because the recipe automates
all that boring work.

00:05:33.046 --> 00:05:36.266 align:middle
In fact, this recipe did
something else we didn't notice.

00:05:36.816 --> 00:05:42.306 align:middle
At the terminal, run: git
diff composer.json. We expected

00:05:42.306 --> 00:05:45.936 align:middle
that Composer would add this
new line to the require section.

00:05:46.136 --> 00:05:49.906 align:middle
But there is also a new line
under the scripts section.

00:05:50.276 --> 00:05:52.456 align:middle
That was done by the recipe.

00:05:53.026 --> 00:05:58.006 align:middle
Thanks to this, whenever you run:
composer install. After it finishes,

00:05:58.256 --> 00:06:00.776 align:middle
it automatically runs the security checker.

00:06:02.036 --> 00:06:07.646 align:middle
The point is: to use the security checker,
the only thing we needed to do was...

00:06:07.896 --> 00:06:08.686 align:middle
install it.

00:06:08.996 --> 00:06:11.916 align:middle
Its recipe took care of the rest of the setup.

00:06:13.136 --> 00:06:15.126 align:middle
Now... if you're wondering: Hey!

00:06:15.346 --> 00:06:17.386 align:middle
Where the heck does this recipe live?

00:06:17.686 --> 00:06:18.486 align:middle
Can I see it?

00:06:19.136 --> 00:06:24.326 align:middle
That's a great question!

00:06:24.326 --> 00:06:25.636 align:middle
Let's look at it next.

