docs: Prepare 1.2.0 release#19
Conversation
Bumps the package to 1.2.0 with changelog entries for installing a plugin's own dependencies into the host and for local directory paths as an install source.
Code Review SummaryThis release (1.2.0) introduces significant improvements to plugin dependency management, allowing plugins to declare and install their own Composer requirements. It also adds support for local path installations. 🚀 Key Improvements
💡 Minor Suggestions
|
| return; | ||
| } | ||
|
|
||
| $manifest = json_decode((string) file_get_contents($composerFile), true); |
There was a problem hiding this comment.
When parsing composer.json, it is safer to use JSON_THROW_ON_ERROR or handle potential nulls from json_decode more explicitly, though the subsequent check for is_array covers major failures.
| $manifest = json_decode((string) file_get_contents($composerFile), true); | |
| $manifest = json_decode((string) file_get_contents($composerFile), true, 512, JSON_THROW_ON_ERROR); |
| $repoName = is_string($name) ? $name : 'plugin-'.substr(md5(json_encode($repository)), 0, 8); | ||
|
|
||
| $this->composer->run( | ||
| ['composer', 'config', '--no-interaction', 'repositories.'.$repoName, json_encode($repository)], |
There was a problem hiding this comment.
Passing json_encode($repository) directly into a shell command via run can lead to shell injection or escaping issues if the repository URL or config contains special characters. Although Symfony\Component\Process handles array-to-string conversion, it is safer to ensure the input is sanitized or that json_encode flags prevent unexpected character interpretation.
| ['composer', 'config', '--no-interaction', 'repositories.'.$repoName, json_encode($repository)], | |
| ['composer', 'config', '--no-interaction', 'repositories.'.$repoName, json_encode($repository, JSON_UNESCAPED_SLASHES)], |
Cuts the 1.2.0 release, bringing the merged dependency-install work (#18) to
main. Also switches the version marker to the standardversionfield.