chore: check in composer.lock for supply chain security (#114)

marandaneto · web-flow · commit 419b3551ad9e · 2026-03-31T17:11:43.000+02:00
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,8 @@
+# Exclude files from Composer package archive (packagist distribution).
+# Consumers should resolve their own dependency versions.
+/composer.lock export-ignore
+/test export-ignore
+/phpunit.xml export-ignore
+/phpcs.xml export-ignore
+/.github export-ignore
+/Makefile export-ignore
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,7 @@
-composer.lock
+# We check in composer.lock for CI reproducibility and supply chain security.
+# Composer verifies package integrity hashes on install.
+# Run `composer update` to update dependencies explicitly.
+# composer.lock
 vendor
 composer.phar
 test/posthog.log
diff --git a/composer.lock b/composer.lock
