Description
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
Remove explicit dependency on ext-ast | mediawiki/tools/phan/SecurityCheckPlugin | master | +3 -2 |
Related Objects
- Mentioned In
  - rMTPS2cd13605043e: Remove explicit dependency on ext-ast
  - T235390: Merge taint-check-plugin into mediawiki-phan-config
  - T235383: Release taint-check 3.0.0
- Mentioned Here
  - T235390: Merge taint-check-plugin into mediawiki-phan-config
  - T207344: Phan-taint-check-plugin not available for PHP > 7.0
  - T220589: Support phan in MediaWiki's default composer.json
Event Timeline
Note that we don't need to change anything in seccheck itself, because it already requires phan. We only need to update our CI, and then all repos
Huh, the dependency on php-ast is however a problem. Both for CI and local installs. However, given that phan doesn't require it and it provides a fallback, we can probably remove the requirement from seccheck's composer.json - as long as we use phan wrappers around php-ast stuff.
Change 541889 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/tools/phan/SecurityCheckPlugin@master] Remove explicit dependency on ext-ast
Uhhhh, I just realized that there's a huge problem in doing this: we'd be requiring two versions of phan at the same time. Right now, it'd be 2.2.13 for mediawiki-phan-config, and 1.3.2 for taint-check.
I think the only viable solution is to make both use the same version, and add a constraint on it. The most obvious solution would be to have mw-phan-config require seccheck, and then merge the two jobs. It will still be possible for every repo to disable seccheck (by changing the plugins option in the config).
Change 541889 merged by jenkins-bot:
[mediawiki/tools/phan/SecurityCheckPlugin@master] Remove explicit dependency on ext-ast