Create composer.libraries.json

Created on 8 December 2023, about 1 year ago

Problem/Motivation

A "composer.libraries.json" file contains information about all up-to-date libraries required by the module itself, and so we will be using this file to install all libraries by merging the "composer.libraries.json" with the "composer.json" file of our Drupal website.

This works in combination with wikimedia/composer-merge-plugin

Steps to reproduce

No libraries are download automatically using merge plugin

Proposed resolution

Add the composer.libraries.json file to this module and add the following snippet to your project's composer.json after requiring composer-merge-plugin:

    "extra": {
        ...
        "merge-plugin": {
            "include": [
                "web/modules/contrib/splide/composer.libraries.json"
            ]
        },
        ...
    }
Feature request
Status

Closed: works as designed

Version

2.0

Component

Code

Created by

🇧🇪Belgium fernly

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @fernly
  • Status changed to Needs review about 1 year ago
  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.x + Environment: PHP 7.4 & MySQL 5.7 updated deps
    last update about 1 year ago
    18 pass
  • 🇧🇪Belgium fernly

    Patch providing the composer.libraries.json file.

  • Status changed to Closed: works as designed about 1 year ago
  • 🇮🇩Indonesia gausarts

    I understand it is _very_ useful, so thank you.

    I also understand I would have consequences I couldn't afford if I put this in, so sorry.

    Unless somebody is willing to pay me for the maintenance works, of course. Until then, I can only give what I can afford.

    I can assure you I know what I am talking about :)

    Similar reasons to Slick's, few objections are:

    1. Security. If you had worked with Slick since v1, 2014, you'll know what it is. I don't want to chase updating versions when having such an issue. Even if you guaranteed safe. I don't want to update modules just because I have to update library minor versions due to some newly found security issues in the codes that I didn't even touch. Even if it is a dependency, it is a totally separate entity.
    2. IMHO, managing libraries should be centralized at root composer.json, and known to the persons installing Drupal. Two good reasons: I prefer Slick v1.6 than newer ones. I don't want modules, not even my own, to install libraries without my consents. Again, security-wise. Some security holes were found from just downloading libraries as they are. SVG library security issue is morebthan convincing. Dragging modules down due to third party mistakes are not good for modules' health. Worse when you have less time to be responsible for third party mistakes.

    At any rate aka not totally off-handed, relevant docs are provided in this module accordingly, whether using composer, or npm.

    More details are in Blazy's docs under Composer as referenced in this module.

    I intentionally replied in length so I can reference it since this issue repeats.

    I hope you understand my wordings very well :)

Production build 0.71.5 2024