The package symfony/var-dumper is currently required in the main "require" channel.
From my research, there is no valid reason for it to be loaded outside of a dev environment (for mongodb-odm).
I think it is widely accepted that putting this package in a production environment can be dangerous.
The verbosity of the var-dumper can reveal very compromising information, for example if a dump() or a dd() is inadvertently left in the code and pushed to production.
Since this package requires the var-dumper in the main channel, the var-dumper is always installed and loaded on all projects containing mongodb-odm.
Thank you for your attention, hope this can be addressed.
Theoretically we could move the requirement to require-dev, put it in suggest, and throw an exception in the command if the package is not present. But technically that's a BC break. Given that dangling var_dump or print_r are as "dangerous" as Symfony's function, I'm reluctant to do so right away.
The verbosity of the var-dumper can reveal very compromising information. For example, if a dump() or a dd() is inadvertently left in the code, and pushed to production.
In the meantime, while we're giving this a second thought, I'd advise setting up simple pre-commit git hooks or even employing a CI pipeline for such detection. In our project we're using https://github.com/phpro/grumphp with the following task:
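The grumphp task itself is not reproduced in this thread. As an added example (not code from doctrine/mongodb-odm, from grumphp, or from any participant here), the following POSIX sh pre-commit hook implements the detection the comment above recommends: it refuses a commit when a staged PHP file contains a bare call to dump(), dd(), var_dump() or print_r(). The list of call names, the restriction to *.php paths and the heuristic that skips commented-out lines are assumptions; adjust them to your project.

```shell
#!/bin/sh
# Added example, not code from doctrine/mongodb-odm or grumphp: a pre-commit hook that
# blocks commits containing leftover debug-dump calls in staged PHP files.
# Install as .git/hooks/pre-commit (executable), or call find_debug_calls FILE... directly.

# Calls that must never reach a commit (assumption: bare dump()/dd() are never legitimate
# in this codebase). The character before the name may not be a letter, digit, '_',
# '>', ':' or '$', so $this->dump(, Foo::dd(, $dump( and my_dump( are NOT flagged;
# a bare dump(, dd(, var_dump( or print_r( is. String literals are a known false positive.
DEBUG_CALL_RE='(^|[^[:alnum:]_>:$])(dump|dd|var_dump|print_r)[[:space:]]*\('

# find_debug_calls_in_stream LABEL < content
# Prints "LABEL:LINE:TEXT" for every offending line read from stdin.
# Returns 1 if anything was flagged, 0 otherwise. Lines that are entirely a
# // ... or # ... comment (or a * line inside a docblock) are ignored.
find_debug_calls_in_stream() {
    label=$1
    matches=$(grep -nE "$DEBUG_CALL_RE" | grep -vE '^[0-9]+:[[:space:]]*(//|#|\*)' || true)
    [ -n "$matches" ] || return 0
    printf '%s\n' "$matches" | while IFS= read -r line; do
        printf '%s:%s\n' "$label" "$line"
    done
    return 1
}

# find_debug_calls FILE...
# Scans files on disk (manual runs, CI). Returns 1 if any file is flagged.
find_debug_calls() {
    rc=0
    for f in "$@"; do
        find_debug_calls_in_stream "$f" < "$f" || rc=1
    done
    return $rc
}

# run_hook
# Scans the *staged* content of added/copied/modified *.php files. It reads the
# index blob with `git show :path` rather than the working tree, so a partially
# staged file (`git add -p`) is judged on what will actually be committed.
run_hook() {
    list=$(mktemp) || return 1
    git diff --cached --name-only --diff-filter=ACM -- '*.php' > "$list" || { rm -f "$list"; return 1; }
    rc=0
    while IFS= read -r f; do
        git show ":$f" | find_debug_calls_in_stream "$f" || rc=1
    done < "$list"
    rm -f "$list"
    if [ "$rc" -ne 0 ]; then
        echo "pre-commit: leftover debug dump call(s) listed above; remove them (or bypass once with --no-verify)" >&2
    fi
    return $rc
}

# Dispatch: behave as the hook only when git runs this file as .git/hooks/pre-commit.
# Under any other name, scan the files given as arguments (none: just define functions).
case "${0##*/}" in
    pre-commit) run_hook ;;
    *) if [ "$#" -gt 0 ]; then find_debug_calls "$@"; fi ;;
esac
```

Running the same script from CI (`sh check-dumps.sh $(git ls-files '*.php')`) gives the second layer of defence the comment mentions: the hook is bypassable with `--no-verify`, the pipeline is not. Note this only catches calls written into source; it does not remove the package itself from the production vendor tree, which is the point the issue raises.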
You're right, var_dump or print_r may be "dangerous" as well.
However, Symfony's var-dumper package is intended (I guess) for debugging (only?), and is quite popular these days.
If you are not too careful, you easily end up with var-dumper loaded in production ("because of" doctrine-mongodb). Eventually, there may be unpleasant surprises then.
I totally understand your point of view, and the fact that this package is required by a Command. This was a suggestion, but I believe it's a relevant one.
If you are not too careful, you easily end up with var-dumper loaded in production ("because of" doctrine-mongodb). Eventually, there may be unpleasant surprises then.
Or a fatal error due to an unknown function dump :P Either way one should go all the way to prevent this from happening in the first place ;)