Solution: we picked https://asset-packagist.org/
The rest of this page is kept for posterity.
Goal: Discuss and determine a long term solution for managing dependencies that are not on Packagist.org
Context
- Tiki uses Composer to manage dependencies.
- Tiki hosts a Satis instance at: https://composer.tiki.org/
- Problem: not everything Tiki uses is available on Packagist.org and this forces us to maintain a long list at https://sourceforge.net/p/tikiwiki/code/HEAD/tree/trunk/doc/devtools/satis.json
- We want to get the code from the source, and avoid any 3rd parties (for security and timely updates)
Requirements
Essential
- Needs to work with Satis: https://composer.tiki.org/
- Take advantage of Semantic Versioning / Composer Stability Flags
- Not having to install NodeJS and NPM
Nice to have
- Supported by VersionEye: https://blog.versioneye.com/2015/09/20/support-for-composer-asset-plugin/
Note
- We should still try to get packages on Packagist.org because
- The more the libs are visible and used, the better the odds for improved support
Options
- https://asset-packagist.org
- https://github.com/hiqdev/composer-asset-plugin
- https://github.com/php-kit/composer-bower-plugin
- https://packagist.org/packages/fxp/composer-asset-plugin
- https://packagist.org/packages/beelab/bowerphp
- Mentioned here: http://symfony.com/doc/current/frontend/bower.html
- use bower through node & npm (which we want to avoid)
Pros & Cons Support List
| composer-asset-plugin | composer-bower | bower through node & npm | |
| is single command | no | ||
| is php only | yes | no | |
| works with Satis | |||
| supports Semantic Versioning / Composer Stability Flags | |||
| adds values in composer.json automatically | no | ||
| adds values in installed.json automatically | yes |
Suggests for libraries that we can influence
We have to offer ready to use and compiled files to packagist. But some developers don't like to place these files with source code, because it can generate a lot conflicts when working as a team. A very nice solution is to use Travis to build from source and upload files to release section on github. The following .travis.yml generate a jar file and upload it to github.
Examples of libs unavailable from Packagist.org
Success
-
https://github.com/fullcalendar/fullcalendar/issues/2999solved https://packagist.org/packages/fullcalendar/ -
https://github.com/Mottie/tablesorter/issues/1355solved https://packagist.org/packages/mottie/tablesorter
Requests
These are in various states (in process, blocked by technical issue, or ignored)
- https://github.com/cozy/ViewerJS/issues/1
- https://github.com/SVG-Edit/svgedit/pull/174
- https://github.com/Spreadsheets/WickedGrid/issues/4
- https://github.com/openannotation/annotator/pull/661
- https://github.com/harvesthq/chosen/pull/2803
- https://github.com/openlayers/ol2/issues/1514
- https://github.com/mozilla/pdf.js/pull/9349 (see also https://yarnpkg.com/en/package/pdfjs-dist )
Refused