- Mentioned In
- rMTPS2cd13605043e: Remove explicit dependency on ext-ast
T235390: Merge taint-check-plugin into mediawiki-phan-config
T235383: Release taint-check 3.0.0
- Mentioned Here
- T235390: Merge taint-check-plugin into mediawiki-phan-config
T207344: Phan-taint-check-plugin not available for PHP > 7.0
T220589: Support phan in MediaWiki's default composer.json
Huh, the dependency on php-ast is however a problem. Both for CI and local installs. However, given that phan doesn't require it and it provides a fallback, we can probably remove the requirement from seccheck's composer.json - as long as we use phan wrappers around php-ast stuff.
Uhhhh, I just realized that there's a huge problem in doing this: we'd be requiring two versions of phan at the same time. Right now, it'd be 2.2.13 for mediawiki-phan-config, and 1.3.2 for taint-check.
I think the only viable solution is to make both use the same version, and add a constraint on it. The most obvious solution would be to have mw-phan-config require seccheck, and then merge the two jobs. It will still be possible for every repo to disable seccheck (by changing the plugins option in the config).