Why only relocate packages that require composer/installers ?

Question

Why only relocate packages that require composer/installers ?

jcnventura opened this issue 4 years ago · comments

For a Drupal module, I'd like to be able to tell users to install that one package in web/libraries like this:

"extra": {
  "installer-paths": {
    "web/libraries/{$name}": ["type:drupal-library", "w8tcha/ckeditor-wordcount-plugin"],
  }
}

This works fine, if the module is required by a distribution, and I require that distribution in my site's root composer.json. So the composer.json order goes like this:

Site root (requires distribution and composer/installers)
Distribution (requires drupal/ckwordcount and drupal/core which then requires composer/installers)
drupal/ckwordcount module (requires w8tcha/ckeditor-wordcount-plugin and composer/installers)
w8tcha/ckeditor-wordcount-plugin (is of type library, doesn't require anything).

However, if the module is directly required by the site's root composer.json the path relocation doesn't work at all. It seems to be because of the rule that the required package must require composer/installers. I guess one simple way to fix this would be to create a dummy package that only requires composer/installers and the plugin, but then users would lose the ability to control which version of the plugin gets used.

Is the requirement for the dependent package to require composer/installers relevant at all? Especially when it is easily bypassed via an intermediate package? If this is because of security, we clearly have a package-in-the-middle vulnerability here.

Joao Ventura · Answer 1 · Wed Sep 23 2020 16:13:42 GMT+0800 (China Standard Time)

See also #347 for the same problem

Joao Ventura · Answer 2 · Sat Sep 26 2020 17:46:25 GMT+0800 (China Standard Time)

I've now added composer/installers as a requirement to the drupal/ckwordcount module (instead of a dummy package), and still it doesn't install the plugin in the path configured by extra/installer-paths.

Jordi Boggiano · Answer 3 · Tue Dec 08 2020 23:29:10 GMT+0800 (China Standard Time)

We just do not support changing the paths of arbitrary packages, as per https://github.com/composer/installers#should-we-allow-dynamic-package-types-or-paths-no - you can use https://github.com/oomphinc/composer-installers-extender if you must.

weseze · Answer 4 · Fri Jan 15 2021 20:18:21 GMT+0800 (China Standard Time)

@Seldaek: What we are trying to do is set the installer path for a package from our own project/composer file. It is not the intent for the author of "w8tcha/ckeditor-wordcount-plugin" to force the installation in a specific directory.

This issue still persists...

Jordi Boggiano · Answer 5 · Fri Jan 15 2021 20:20:41 GMT+0800 (China Standard Time)

@weseze see what I wrote above #460 (comment)

weseze · Answer 6 · Fri Jan 15 2021 20:26:49 GMT+0800 (China Standard Time)

I don't understand what you are referring to... :(

The article in your link says:
"Should we allow dynamic package types or paths? No. ... The ability for a package author to determine where a package will be installed either through setting the path directly in their composer.json or through a dynamic package type: "type": "framework-install-here"."

That is not what we are trying to do. The package in our example is "w8tcha/ckeditor-wordcount-plugin", nothing needs to change in that package.

We are merely trying to install that package in our own project and have the files somewhere else the the /vendor/ folder.

Is this not what composer installers is for?