nette/php-generator should be in require-dev #82
Comments
|
Any dependency we put in composer require spawnia/sailor
composer require --dev symfony/console nette/php-generatorI am not sure if the advantage gained by not installing the deps in prod is worth the extra hassle and source of frustration. Can you provide an objective measurement of the cost of installing those extranuous dependencies (disk usage?)? |
|
@spawnia Coming back to this would it make sense to add the code generation stuff to suggests? So that we make it a peer dependency instead sense it get the point that when using this package in production you should already have done the code generation. |
|
@morloderex You just reiterated what I already said. Again, in order to judge if making this change is worth it I need more information.
|
|
@spawnia well personally sense I am using laravel in my projects i would already have symfony/console installed. I do however believe it's not a question of disk usage but more preferable to not include it in production as code is never generated on the fly in this situation |
|
As I have already said and repeated twice now:
Simplicity of installation has value. There is a tradeoff involved here. I can judge the disadvantage of having extra installation steps, but can not judge the disadvantage of having unnecessary dependencies in production - that is why I need more information to make a decision.
Why? |
|
@spawnia any extra package is adding security risk: the more code, the more probability of security vulnerabilities originating from the package. Compromising prod security is definetelly not worth saving an extra step when installing. |
Generating PHP code should not be used in prod, only in dev. The same is for
symfony/console. Maybe other libs that are in required are used for code gen only, they need to go to dev too.The text was updated successfully, but these errors were encountered: