Drop dev dependencies that arrive transitively #43
Merged
Three require-dev entries duplicated what other packages already provide. roave/security-advisories is now redundant with composer audit, which CI runs; dealerdirect/phpcodesniffer-composer-installer arrives via the sniff packages (phpcsutils), so only its allow-plugins entry need remain; and squizlabs/php_codesniffer is pulled by WPCS and VIPCS, which resolve the most compatible version themselves. brain/monkey, mockery and the polyfills stay, since the test suite imports or requires them directly.
Three development dependencies were declared directly while other packages already pull them in, so the boilerplate was telling consumers to require things they get for free.

- roave/security-advisories blocked installing known-vulnerable versions at composer time. Composer's own composer audit, which the CI lint job runs, now covers that ground, so the metapackage is redundant.
- dealerdirect/phpcodesniffer-composer-installer is a dependency of the sniff tooling itself (via phpcsstandards/phpcsutils); only its allow-plugins entry needs to stay, since Composer must still be told the plugin may run.
- squizlabs/php_codesniffer is required by WPCS, VIPCS and PHPCompatibility, which between them resolve the most compatible version — here, 3.13.5 — without our help.

I checked the rest of the dev block while I was at it.

- brain/monkey and yoast/phpunit-polyfills are both root-only: nothing else pulls them, and the test suite needs them (Brain Monkey is imported in the base test case, the polyfills are required by the WordPress core integration framework).
- mockery is pulled in by Brain Monkey, but the base test case imports MockeryPHPUnitIntegration directly, so it stays declared on the principle that you require what you import.

That is the line: libraries the code imports are declared, tools whose version is dictated by a parent package are not.

Verified with the full suite — coding standards, unit tests, PHPStan, lint, normalisation, Infection at 100% MSI, and a clean composer audit.
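The rule in the description above can be checked mechanically against composer.json and composer.lock. The following is an added example, not code from this pull request: the sample data is constructed, `pulled_in_by`, `removable` and `unallowed_plugins` are hypothetical helper names, and the set of packages the code imports is supplied by hand.

```python
# Constructed sample standing in for composer.json and composer.lock; it is
# not the project's real dependency set, and versions are omitted ("*").
PLUGIN = "dealerdirect/phpcodesniffer-composer-installer"
PHPCS = "squizlabs/php_codesniffer"

def _pkg(name, requires=(), kind="library"):
    return {"name": name, "type": kind, "require": dict.fromkeys(requires, "*")}

ROOT = {
    "require-dev": dict.fromkeys(
        ["automattic/vipwpcs", "brain/monkey", "mockery/mockery",
         PLUGIN, PHPCS, "yoast/phpunit-polyfills"], "*"),
    "config": {"allow-plugins": {PLUGIN: True}},
}
LOCK = {"packages-dev": [
    _pkg("automattic/vipwpcs", ["php", "wp-coding-standards/wpcs", PHPCS]),
    _pkg("wp-coding-standards/wpcs", ["phpcsstandards/phpcsutils", PHPCS]),
    _pkg("phpcsstandards/phpcsutils", [PLUGIN, PHPCS]),
    _pkg(PLUGIN, ["composer-plugin-api"], kind="composer-plugin"),
    _pkg(PHPCS, ["ext-tokenizer"]),
    _pkg("brain/monkey", ["mockery/mockery"]),
    _pkg("mockery/mockery"),
    _pkg("yoast/phpunit-polyfills"),
]}

def _locked(lock):
    return lock.get("packages", []) + lock.get("packages-dev", [])

def pulled_in_by(root, lock):
    """Map each root requirement to the other root requirements that reach it."""
    # Platform requirements (php, ext-*) have no "/" and are skipped;
    # "replace" and "provide" links are ignored in this sketch.
    graph = {p["name"]: [d for d in p.get("require", {}) if "/" in d]
             for p in _locked(lock)}
    roots = {n for k in ("require", "require-dev") for n in root.get(k, {}) if "/" in n}
    found = {}
    for start in sorted(roots):
        seen, stack = set(), list(graph.get(start, []))
        while stack:  # depth-first walk over the locked dependency graph
            name = stack.pop()
            if name not in seen:
                seen.add(name)
                stack.extend(graph.get(name, []))
        for name in (seen & roots) - {start}:
            found.setdefault(name, []).append(start)
    return found

def removable(root, lock, imported):
    """Transitively provided dev requirements that the code does not import."""
    dev = set(root.get("require-dev", {}))
    return sorted(n for n in pulled_in_by(root, lock) if n in dev and n not in imported)

def unallowed_plugins(root, lock):
    """Locked Composer plugins without an exact-name allow-plugins entry."""
    allowed = root.get("config", {}).get("allow-plugins", {})
    return sorted(p["name"] for p in _locked(lock)
                  if p.get("type") == "composer-plugin" and p["name"] not in allowed)
```

With `imported={"brain/monkey", "mockery/mockery"}`, `removable` reports the installer plugin and PHPCS but keeps mockery, and `unallowed_plugins` starts reporting the installer if its allow-plugins entry is dropped along with the requirement.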