Packagist vs. "git clone" and composer install

Time: 2016-09-13 15:25:46

Tags: php composer-php packagist

I just pushed a package to Packagist:

composer require rokfor/rokfor-slim:dev-master

It is returning an error:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
  - Installation request for rokfor/rokfor-slim 
    dev-master -> satisfiable by rokfor/rokfor-slim[dev-master].
  - rokfor/rokfor-slim dev-master requires 
    jlndk/slim-jade ^1.0 -> no matching package found.

If I check it out instead:

$ git clone https://github.com/rokfor/rokfor-slim
$ cd rokfor-slim
$ composer install

Everything installs fine.

I think I am missing something crucial here. Is it not allowed to push packages to Packagist that use sources from vcs repositories?

The composer.json looks like:

{
"name": "rokfor/rokfor-slim",
"description": "Rokfor CMS: Headless CMS with JSON api",
"keywords": ["rokfor", "slim","framework","view","template","jade"],
"homepage": "http://cloud.rokfor.ch",
"license": "MIT",
"type": "project",
"time": "2016-02-28",
"authors": [
    {
        "name": "Rokfor",
        "homepage": "http://www.rokfor.ch"
    }
],
"repositories": [
    {
        "type": "vcs",
        "url": "https://github.com/urshofer/slim-jade"
    },
    {
        "type": "vcs",
        "url": "https://github.com/Rokfor/rokfor-php-db"
    },
    {
        "type": "vcs",
        "url": "https://github.com/urshofer/slim-auth"
    }
],
"require": {
    "php": ">=5.5.0",
    "slim/slim": "~3.0",
    "jlndk/slim-jade": "^1.0",
    "rokfor/db": "dev-versioning",
    "monolog/monolog": "^1.17",
    "slim/csrf": "^0.6.0",
    "jeremykendall/slim-auth": "dev-slim-3.x",
    "slim/flash": "^0.1.0",
    "akrabat/rka-ip-address-middleware": "^0.4.0",
    "palanik/corsslim": "dev-slim3",
    "erusev/parsedown": "^1.6",
    "predis/predis": "^1.0",
    "lcobucci/jwt": "^3.1",
    "ext-gd": "*"
},
"require-dev": {
    "phpunit/phpunit": "*"
},
"minimum-stability": "dev",
"prefer-stable": true
}

1 answer:

Answer 0: (score: 0)

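In a library, you cannot reference anything other than the libraries available on packagist.org. Alternatively, you instruct your users to reference the other sources for package information.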

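Only the root composer.json is allowed to add vcs and package repositories; as a library you cannot influence this, other than by instructing the user to do something more than running composer require your/lib. This is a bit annoying, and there are probably security considerations as well, because it would open the door not only for your own library but for any library.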

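Just as you are using "jlndk/slim-jade" (the original author published it as 0.0.1 from his repository; another author republished it, without adding it to Packagist or changing the lib's name, and added a version tag 1.0), any other source of package information could add more package information, i.e. add a newer, malicious version of, for example, a Symfony package.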
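
The following sketch is an added example, not part of the answer above and not code from Composer. It takes a trimmed, constructed copy of the question's composer.json, lists the extra package sources a consumer would have to review, and builds the root composer.json that consumer would need, since `repositories`, `minimum-stability` and `prefer-stable` are read from the root package only. The helper names are hypothetical.

```python
import json

# Constructed sample: a trimmed copy of the composer.json shown in the question.
LIBRARY = json.loads("""{
  "name": "rokfor/rokfor-slim",
  "repositories": [
    {"type": "vcs", "url": "https://github.com/urshofer/slim-jade"},
    {"type": "vcs", "url": "https://github.com/Rokfor/rokfor-php-db"},
    {"type": "vcs", "url": "https://github.com/urshofer/slim-auth"}
  ],
  "require": {"php": ">=5.5.0", "jlndk/slim-jade": "^1.0", "rokfor/db": "dev-versioning"},
  "minimum-stability": "dev",
  "prefer-stable": true
}""")

# Fields Composer reads from the root composer.json only.
ROOT_ONLY = ("repositories", "minimum-stability", "prefer-stable")


def root_only_settings(manifest):
    """Return the root-only settings that are dropped when this package is a dependency."""
    return {key: manifest[key] for key in ROOT_ONLY if key in manifest}


def consumer_manifest(library, constraint):
    """Build the root composer.json a consuming project needs (hypothetical helper)."""
    root = {"require": {library["name"]: constraint}}
    root.update(root_only_settings(library))
    return root


def repository_urls(manifest):
    """List the extra package sources the consumer is being asked to trust."""
    repos = manifest.get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object keyed by name
        repos = list(repos.values())
    return [r["url"] for r in repos if isinstance(r, dict) and "url" in r]


if __name__ == "__main__":
    print("Sources to review before trusting them:")
    for url in repository_urls(LIBRARY):
        print("  ", url)
    print(json.dumps(consumer_manifest(LIBRARY, "dev-master"), indent=4))
```

Each URL printed is a source that can publish versions under any package name, so the consumer should review it before copying it into their own root composer.json.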