-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce an environment variable for setting abandoned package reporting mode in composer audit #11792
Comments
#11643 is also related. |
In the past, Drupal core (9.x) had various abandoned package dependencies, a situation that was generally acceptable because Drupal core maintainers actively managed those dependencies. Presently, with Drupal 10.1.x, the good news is that it is free from abandoned package dependencies. However, anticipating the possibility of future dependencies on abandoned packages, having a suggested environment variable could prove valuable for suppressing warnings during deployments. In the event that Drupal 10.1.x or subsequent versions reintroduce dependencies on abandoned packages, the proposed environment variable would offer a practical solution to mute warnings, facilitating smoother deployment processes. Alternatively, considering the occasional necessity for such features in the face of real-world challenges, a feature allowing the selective ignoring of abandoned packages on a case-by-case basis might be a viable alternative. (From previous interaction you may know that I am not a big fan of this kind of features, but still, reality sometimes override expectations.)
|
@Seldaek What do you think about this idea? Do you see a chance to have this supported before 2.7.0 is tagged? |
I don't really see the value in doing an additional 2.6 release which would come simultaneously to 2.7, it's just gonna waste my time as almost everyone upgrades to latest anyway.. And IMO this is fine done via And FWIW, I would say blocking deploy based on the audit command is a bad practice. I would absolutely alert/soft-fail on failed audit, but you shouldn't block deploys for some new advisory that may or may not be relevant to your project. |
The goal is actually soft failing, capturing This env var will help with that, thanks a lot! |
#11639 introduced an abandoned package reporting mode without providing an environment variable for customization. The default reporting mode is set to change to "fail" in 2.7.0. Rather than requiring code adjustments in every project to revert to the reporting mode via configuration change in composer.json, it would be favorable to allow configuration through an environment variable in CI environments.
Another use case for implementing this environment variable is the ability to dynamically switch between reporting modes for specific CI jobs as needed (like use
fail
on PR review andreport
ing on nightly scanners that measures collected technical debt).The text was updated successfully, but these errors were encountered: