Skip to content

lib/vendor should be replaced with composer.lock #59

Description

@divinity76

bundling the vendor folder in the repo is a security risk: it creates routine huge chore composer update commits that are basically impossible to code-review, if a developer want to hide a backdoor, doing it in a chore composer-update commit would make it nearly impossible to spot.

Instead of bundling it in the repo itself, running composer install should just be part of some setup/update/installer script, and the repo itself should only have the composer.json (and maybe composer.lock) bundled,

that would make the chore composer update commits trivial to code-review, and it would save ~300MB worth of disk space from the git repository

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions