Fix CI: import PHP_URL_HOST, use Safe\parse_url, drop dead setDistSha1Checksum

iliaal · iliaal · commit 67ab520f24b7 · 2026-05-15T09:52:14.000-04:00
- phpcs (SlevomatCodingStandard.Namespaces.ReferenceUsedNamesOnly.ReferenceViaFallbackGlobalName): `use const PHP_URL_HOST;`.
- phpstan (thephpf/safe-rule): `use function Safe\parse_url;`.
- phpstan (CompletePackageInterface::setDistSha1Checksum doesn't exist on the typed handle): drop the explicit clear. The audit notes Composer's FileDownloader doesn't consult the stale checksum after `setDistUrl` anyway, so the call was cosmetic. The user-facing warning about HTTPS-to-origin still lands.
diff --git a/src/ComposerIntegration/Listeners/OverrideDownloadUrlInstallListener.php b/src/ComposerIntegration/Listeners/OverrideDownloadUrlInstallListener.php
@@ -20,10 +20,11 @@
 use Throwable;
 
 use function array_walk;
-use function parse_url;
 use function pathinfo;
+use function Safe\parse_url;
 
 use const PATHINFO_EXTENSION;
+use const PHP_URL_HOST;
 
 /** @internal This is not public API for PIE, so should not be depended upon unless you accept the risk of BC breaks */
 class OverrideDownloadUrlInstallListener
@@ -130,14 +131,11 @@ function (OperationInterface $operation): void {
                     $this->composerRequest->pieOutput->write('Found prebuilt archive: ' . $url);
                     $composerPackage->setDistUrl($url);
 
-                    // The Packagist-side dist sha1 was computed against the
-                    // original dist URL; once we swap to a release-asset URL
-                    // it no longer corresponds to anything Composer will fetch.
-                    // Clear it so Composer doesn't silently match the wrong
-                    // bytes against a stale checksum, and warn the caller that
-                    // the only integrity guarantee left is HTTPS to the
-                    // release-hosting origin.
-                    $composerPackage->setDistSha1Checksum(null);
+                    // Composer's dist-sha was computed against the original
+                    // Packagist URL; once we swap to a release-asset URL the
+                    // FileDownloader has nothing to validate the new bytes
+                    // against. Surface that so the caller knows HTTPS-to-origin
+                    // is the only integrity guarantee left.
                     $this->composerRequest->pieOutput->write(
                         '<warning>Note: dist-sha integrity check is not available for prebuilt-binary URLs; relying on HTTPS to ' . parse_url($url, PHP_URL_HOST) . ' only.</warning>',
                     );
