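I want to add PHP libraries to my project that aren't available through Packagist (at least not as an official version). Here's an example of what I'm doing now: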
{
    "repositories": [
        {
            "type": "package",
            "package": {
                "name": "fpdf/fpdf",
                "version": "1.81.0",
                "dist": {
                    "type": "zip",
                    "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip"
                },
                "autoload": {
                    "files": ["fpdf.php"]
                }
            }
        }
    ],
    "require": {
        "fpdf/fpdf": "1.81.0"
    },
    "config": {
        "secure-http": false
    }
}
Running $ composer install produces a composer.lock entry that looks like this:
"packages": [
    {
        "name": "fpdf/fpdf",
        "version": "1.81.0",
        "dist": {
            "type": "zip",
            "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip",
            "reference": null,
            "shasum": null
        },
        "type": "library",
        "autoload": {
            "files": [
                "fpdf.php"
            ]
        }
    }
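As far as I can tell, there is no data available that could be used to check the integrity of the zip file. (Am I missing something?)
Is there a way to specify a hash for the zip file that Composer uses when building the project's dependencies? I want to make sure the zip contents haven't changed and can't be tampered with.
Answer 0: (score: 1)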
{
    "repositories": [
        {
            "type": "package",
            "package": {
                "name": "fpdf/fpdf",
                "version": "1.81.0",
                "dist": {
                    "type": "zip",
                    "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip",
                    "shasum": "f832b04a5158645330d29bdb7265652dbcb6e4c3"
                },
                "autoload": {
                    "files": ["fpdf.php"]
                }
            }
        }
    ],
    "require": {
        "fpdf/fpdf": "1.81.0"
    },
    "config": {
        "secure-http": false
    }
}
You can add a shasum to the repository settings; if the shasum differs, you will get an exception during composer install.
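
An added example, not part of the original question or answer: a Python check that flags inline `package` repositories whose `dist` carries no `shasum` (the situation in the question) and computes the SHA-1 digest that Composer's `shasum` field holds for a dist archive. The function names and the sample input are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample: the question's composer.json reduced to the relevant keys.
SAMPLE = """
{
  "repositories": [{
    "type": "package",
    "package": {
      "name": "fpdf/fpdf",
      "version": "1.81.0",
      "dist": {"type": "zip", "url": "http://www.fpdf.org/en/dl.php?v=181&f=zip"}
    }
  }],
  "config": {"secure-http": false}
}
"""

def audit(composer_json):
    """Return findings for inline 'package' repositories in a composer.json."""
    doc = json.loads(composer_json)
    findings = []
    if doc.get("config", {}).get("secure-http") is False:
        findings.append("config: secure-http is disabled")
    repos = doc.get("repositories", [])
    if isinstance(repos, dict):          # repositories may also be a keyed object
        repos = list(repos.values())
    for repo in repos:
        if not isinstance(repo, dict) or repo.get("type") != "package":
            continue
        pkgs = repo.get("package", [])
        for pkg in pkgs if isinstance(pkgs, list) else [pkgs]:
            dist = pkg.get("dist", {})
            if not dist.get("shasum"):
                findings.append(f"{pkg.get('name')}: dist has no shasum")
            if dist.get("url", "").startswith("http://"):
                findings.append(f"{pkg.get('name')}: dist url is plain http")
    return findings

def dist_shasum(archive_bytes):
    """SHA-1 hex digest of the archive bytes, as stored in dist.shasum."""
    return hashlib.sha1(archive_bytes).hexdigest()

def matches_pin(archive_bytes, pinned):
    """True when the downloaded archive still matches the pinned shasum."""
    return hmac.compare_digest(dist_shasum(archive_bytes), pinned.strip().lower())

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run `dist_shasum` over an archive obtained and checked through a trusted channel, then record the result in `dist.shasum` so that later installs fail when the downloaded bytes differ.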