Page MenuHomePhabricator
Create Task
Maniphest T235053

Move taint-check to require-dev in composer.json
Closed, DeclinedPublic
Actions

Description

The dependency on PHP == 7.0.0 has gone since T207344, and since we don't support HHVM anymore, taint-check can be moved to require-dev, like we're doing for phan (T220589).

Details

SubjectRepoBranchLines +/-
Remove explicit dependency on ext-astmediawiki/tools/phan/SecurityCheckPluginmaster+3 -2
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Oct 9 2019, 10:44 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 9 2019, 10:44 AM
Daimona added a comment.Oct 9 2019, 11:01 AM

Note that we don't need to change anything in seccheck itself, because it already requires phan. We only need to update our CI, and then all repos

Daimona added a comment.Oct 9 2019, 11:07 AM

Huh, the dependency on php-ast is however a problem. Both for CI and local installs. However, given that phan doesn't require it and it provides a fallback, we can probably remove the requirement from seccheck's composer.json - as long as we use phan wrappers around php-ast stuff.

gerritbot added a comment.Oct 9 2019, 6:38 PM

Change 541889 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/tools/phan/SecurityCheckPlugin@master] Remove explicit dependency on ext-ast

https://gerrit.wikimedia.org/r/541889

gerritbot added a project: Patch-For-Review.Oct 9 2019, 6:38 PM
Daimona mentioned this in T235383: Release taint-check 3.0.0.Oct 13 2019, 2:43 PM
Daimona added a comment.Oct 13 2019, 5:00 PM

Uhhhh, I just realized that there's a huge problem in doing this: we'd be requiring two versions of phan at the same time. Right now, it'd be 2.2.13 for mediawiki-phan-config, and 1.3.2 for taint-check.

I think the only viable solution is to make both use the same version, and add a constraint on it. The most obvious solution would be to have mw-phan-config require seccheck, and then merge the two jobs. It will still be possible for every repo to disable seccheck (by changing the plugins option in the config).

Daimona mentioned this in T235390: Merge taint-check-plugin into mediawiki-phan-config.Oct 13 2019, 5:05 PM
Jdforrester-WMF subscribed.Oct 15 2019, 5:24 PM
sbassett triaged this task as Medium priority.Oct 15 2019, 7:06 PM
Daimona closed this task as Declined.Nov 3 2019, 2:48 PM

In favour of T235390 per T235053#5571224.

gerritbot added a comment.Nov 25 2019, 9:03 PM

Change 541889 merged by jenkins-bot:
[mediawiki/tools/phan/SecurityCheckPlugin@master] Remove explicit dependency on ext-ast

https://gerrit.wikimedia.org/r/541889

Daimona mentioned this in rMTPS2cd13605043e: Remove explicit dependency on ext-ast.Nov 26 2019, 12:15 AM
Maintenance_bot removed a project: Patch-For-Review.Nov 26 2019, 11:56 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL