Skip to content

docs: Prepare 1.2.0 release#19

Merged
nfebe merged 1 commit into
devfrom
release-1.2.0
Jul 4, 2026
Merged

docs: Prepare 1.2.0 release#19
nfebe merged 1 commit into
devfrom
release-1.2.0

Conversation

@nfebe

@nfebe nfebe commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Cuts the 1.2.0 release, bringing the merged dependency-install work (#18) to main. Also switches the version marker to the standard version field.

Bumps the package to 1.2.0 with changelog entries for installing a plugin's own dependencies into the host and for local directory paths as an install source.
@sourceant

sourceant Bot commented Jul 4, 2026

Copy link
Copy Markdown

Code Review Summary

This release (1.2.0) introduces significant improvements to plugin dependency management, allowing plugins to declare and install their own Composer requirements. It also adds support for local path installations.

🚀 Key Improvements

  • Added support for local path plugin installation via plugin:install.
  • Automatic dependency resolution and installation from the plugin's composer.json.
  • Integration with wikimedia/composer-merge-plugin for unified dependency trees.
  • Standardized versioning using the version field in composer.json.

💡 Minor Suggestions

  • Standardize json_decode with error handling.
  • Clarify relative vs absolute path behavior in documentation.

@sourceant sourceant Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

return;
}

$manifest = json_decode((string) file_get_contents($composerFile), true);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When parsing composer.json, it is safer to use JSON_THROW_ON_ERROR or handle potential nulls from json_decode more explicitly, though the subsequent check for is_array covers major failures.

Suggested change
$manifest = json_decode((string) file_get_contents($composerFile), true);
$manifest = json_decode((string) file_get_contents($composerFile), true, 512, JSON_THROW_ON_ERROR);

$repoName = is_string($name) ? $name : 'plugin-'.substr(md5(json_encode($repository)), 0, 8);

$this->composer->run(
['composer', 'config', '--no-interaction', 'repositories.'.$repoName, json_encode($repository)],

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Passing json_encode($repository) directly into a shell command via run can lead to shell injection or escaping issues if the repository URL or config contains special characters. Although Symfony\Component\Process handles array-to-string conversion, it is safer to ensure the input is sanitized or that json_encode flags prevent unexpected character interpretation.

Suggested change
['composer', 'config', '--no-interaction', 'repositories.'.$repoName, json_encode($repository)],
['composer', 'config', '--no-interaction', 'repositories.'.$repoName, json_encode($repository, JSON_UNESCAPED_SLASHES)],

@nfebe nfebe changed the base branch from main to dev July 4, 2026 12:57
@nfebe nfebe merged commit 7c61b24 into dev Jul 4, 2026
2 checks passed
@nfebe nfebe deleted the release-1.2.0 branch July 4, 2026 13:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant