Skip to content

chore: check in composer.lock for supply chain security#114

Merged
marandaneto merged 2 commits intomasterfrom
chore/check-in-composer-lock
Mar 31, 2026
Merged

chore: check in composer.lock for supply chain security#114
marandaneto merged 2 commits intomasterfrom
chore/check-in-composer-lock

Conversation

@marandaneto
Copy link
Copy Markdown
Member

@marandaneto marandaneto commented Mar 31, 2026
edited
Loading

Problem

composer.lock was gitignored, so every CI run (composer install) resolved fresh dependencies. If a transitive dependency gets compromised between runs, CI silently pulls the malicious version with no diff to review.

CI runs composer install across 4 PHP versions (8.2, 8.3, 8.4, 8.5) — all resolving independently without a lock file.

Changes

composer.lock (new)

  • Generated and committed — pins all 30 direct and transitive dependencies with content hashes
  • Composer verifies these hashes on every composer install
  • To update dependencies: run composer update and commit the diff

.gitignore

  • Removed composer.lock from gitignore

.gitattributes (new)

  • Added export-ignore rules to exclude files from the Packagist distribution archive:
    • composer.lock — consumers should resolve their own versions
    • /test, /phpunit.xml, /phpcs.xml, /.github, /Makefile — dev/CI files not needed by consumers

@marandaneto
chore: prepare to check in composer.lock for supply chain security
f6e2b82 
- Remove composer.lock from .gitignore
- Add .gitattributes with export-ignore to exclude lock file (and test
  files) from published package on Packagist

The lock file needs to be generated with 'composer install' before merging.
Composer verifies package integrity hashes on install, and checking in
the lock file pins transitive deps for CI reproducibility.
@marandaneto
chore: add composer.lock
46800d8 
Generated with composer install. Pins all 30 direct and transitive
dependencies with content hashes for integrity verification.
@marandaneto marandaneto requested a review from a team March 31, 2026 11:49
cat-ph
cat-ph approved these changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cat-ph cat-ph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@marandaneto marandaneto merged commit 419b355 into master Mar 31, 2026
11 checks passed
@marandaneto marandaneto deleted the chore/check-in-composer-lock branch March 31, 2026 15:11
@cat-ph cat-ph mentioned this pull request Apr 1, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cat-ph cat-ph cat-ph approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@marandaneto @cat-ph