Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -52,3 +52,4 @@ Desktop.ini
.vs
.vscode
__pycache__/
.phpunit.cache/
2 changes: 0 additions & 2 deletions .jules/superintendent.md

This file was deleted.

29 changes: 13 additions & 16 deletions composer.json
Original file line number Diff line number Diff line change
Expand Up @@ -17,30 +17,27 @@
},
"require": {
"php": "^8.1",
"ext-dom": "*",
"ext-filter": "*",
"ext-hash": "*",
"ext-pcre": "*",
"ext-pdo": "*",
"ext-pdo_mysql": "*",
"ext-dom": "^20031129",
"ext-filter": "^8.1",
"ext-hash": "^8.1",
"ext-pcre": "^8.1",
"ext-pdo": "^8.1",
"ext-pdo_mysql": "^8.1",
Comment on lines +20 to +25

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Pinning core PHP extensions (ext-dom, ext-filter, ext-hash, ext-pcre, ext-pdo, ext-pdo_mysql) to specific versions is highly discouraged and considered a Composer anti-pattern.

Why this is an issue:

  1. Bundled with PHP: These extensions are bundled directly with the PHP runtime. Their versions are tied to the PHP version itself, which is already constrained by "php": "^8.1".
  2. Inconsistent Versioning: Many core extensions do not follow independent semantic versioning (e.g., ext-dom reports its version as 20031129).
  3. Compatibility Failures: Pinning them to specific versions like ^8.1 or ^20031129 can cause unexpected installation failures on newer PHP versions (like PHP 8.2, 8.3, or 8.4) or on different platforms/distributions where the extension versions are reported differently.

Best Practice:

Use * as the version constraint for all PHP extensions that are bundled with PHP. This simply asserts that the extension is enabled, while the PHP version constraint handles the actual runtime compatibility.

Suggested change
"ext-dom": "^20031129",
"ext-filter": "^8.1",
"ext-hash": "^8.1",
"ext-pcre": "^8.1",
"ext-pdo": "^8.1",
"ext-pdo_mysql": "^8.1",
"ext-dom": "*",
"ext-filter": "*",
"ext-hash": "*",
"ext-pcre": "*",
"ext-pdo": "*",
"ext-pdo_mysql": "*",

"ozh/bookmarkletgen": "^1.2",
"rmccue/requests" : "^2.0",
"pomo/pomo" : "^1.4",
"geoip2/geoip2" : "^2.10",
"aura/sql": "^6.0",
"rmccue/requests": "^2.0",
"pomo/pomo": "^1.4",
"geoip2/geoip2": "^2.10",
"aura/sql": "^5.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid pinning Aura SQL to a PHP-8.4-incompatible release

Because php remains ^8.1, this package can be installed on PHP 8.4+; however aura/sql 5.x declares a non-static connect() on classes that extend PDO, while PHP 8.4 added static PDO::connect(). In the PHP 8.5 environment here, merely autoloading Aura\Sql\ExtendedPdo fatals with Cannot make static method PDO::connect() non static, so YOURLS cannot initialize YOURLS\Database\YDB on supported PHP 8.4/8.5 runtimes. Either keep an Aura release compatible with PHP 8.4+ or constrain PHP below 8.4.

Useful? React with 👍 / 👎.

"jakeasmith/http_build_url": "^1.0",
"symfony/polyfill-mbstring": "^1.15",
"symfony/polyfill-intl-idn": "^1.17",
"spatie/array-to-xml": "^2.14"
},
"require-dev": {
"ext-ctype": "*"
"ext-ctype": "^8.1"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Similar to the core extensions in the require section, ext-ctype is a bundled PHP extension and should not be pinned to a specific version. Reverting this to * ensures compatibility across different PHP runtimes.

Suggested change
"ext-ctype": "^8.1"
"ext-ctype": "*"

},
"config": {
"vendor-dir": "includes/vendor",
"platform": {
"php": "8.3.6"
}
"vendor-dir": "includes/vendor"
},
Comment on lines 39 to 41

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Removing the platform configuration entirely is risky.

Why this is an issue:

Without a defined platform.php version, Composer will resolve dependencies using the local PHP version of whoever runs composer update. If a developer runs composer update on a machine with PHP 8.4, Composer might install packages that require PHP 8.4 (such as aura/sql 6.x), which will then fail to run on older PHP versions (like PHP 8.1 or 8.2) in production or CI.

Best Practice:

Instead of removing the platform configuration, set it to the minimum supported PHP version of the project (8.1.0). This guarantees that all resolved dependencies are strictly compatible with PHP 8.1.0 and above, regardless of the local PHP version used to run Composer commands.

    "config": {
        "vendor-dir": "includes/vendor",
        "platform": {
            "php": "8.1.0"
        }
    },

"autoload": {
"psr-4": {
Expand All @@ -61,4 +58,4 @@
"scripts": {
"post-update-cmd": "bash ./includes/vendor/build-script/yourls-build.sh ./includes/vendor"
}
}
}
69 changes: 33 additions & 36 deletions composer.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

34 changes: 18 additions & 16 deletions docs/0xCARTO_blueprint.md
Original file line number Diff line number Diff line change
@@ -1,26 +1,28 @@
# 0xCARTO BLUEPRINT
# 0xCARTO Blueprint: Repository Overview

## TIER 1: Repository Identity & Ontological Glossary
This repository houses YOURLS (Your Own URL Shortener), a set of PHP scripts that will allow you to run your own URL shortening service. It is designed to empower users with full control over their data, providing a self-hosted alternative to third-party services.
- **Pluriversal URL Resolution**: YOURLS supports multiple plugins and filters to customize the URL resolution process.
- **Golden Scars**: The codebase contains legacy procedural code (`includes/functions-*.php`) intermixed with modern object-oriented paradigms. These represent historical evolution and native logic that is preserved for functionality and compatibility rather than homogenized into abstract patterns.
This is the core YOURLS repository. A PHP-based URL shortener.
Glossary:
- `includes/`: Core functional components
- `tests/`: PHPUnit testing suite
- `scripts/`: Centralized utility scripts
- `composer.json`: PHP dependency manifest

## TIER 2: Architecture Topology Map
- **Core Engine**: The `includes/` directory contains the foundational logic.
- **API Interface**: `yourls-api.php` acts as the primary API endpoint.
- **Database Interaction**: Aura SQL is utilized for robust database queries.
- **Plugin System**: `user/plugins/` allows for extensive customization via hooks (`yourls_add_filter`, `yourls_do_action`).
- **Frontend**: Basic PHP/HTML templates
- **API**: `yourls-api.php`
- **Storage**: MySQL via Aura/SQL
- **Plugins**: Hook-driven architecture

## TIER 3: CI/CD Pipeline Cartograph
The project relies on PHPUnit for testing, configured via `phpunit.xml.dist`. Tests are located in the `tests/` directory. Dependencies are managed via Composer (`composer.json`). The pipeline mandates successful execution of all unit tests to maintain structural integrity.
- Relies on basic PHPUnit execution (`phpunit`) locally.
- Vendor generation via Composer scripts (`post-update-cmd`).

## TIER 4: Dependency Matrix & Entropy Audit
- **PHP**: Core language constraint.
- **Aura SQL**: Essential for database abstraction.
- **Composer**: Dependency manager.
- **Entropy Assessment**: Legacy HTML generation functions (`includes/functions-html.php`) exhibit tight coupling, necessitating careful abstraction when integrating modern components. The `extract()` function has been removed from `yourls_html_head_output` to reduce entropy and variable overriding vulnerabilities.
- Strict pinned dependencies in `composer.json`
- `aura/sql` pinned to `^5.0` to support PHP 8.3 environments.
- Extension dependencies securely pinned to explicit PHP versions or library constraints.

## TIER 5: Operational Runbook & Cultural Artifacts Log
- **Prune-First Protocol**: Actively enforced to maintain repository hygiene, centralizing stray scripts into `scripts/`.
- **Testing Standard**: PHP 8 Attributes are used for PHPUnit annotations.
- **Vulnerability Mitigation**: The `yourls_maybe_unserialize` function now implements `allowed_classes` via filter to prevent object injection while preserving backward compatibility. JSONP endpoints enforce strict `Content-Type: application/javascript` headers prior to outputting data to mitigate XSS vectors.
- **Root Hygiene**: Strictly enforced. Non-standard utility scripts (`test_composer.php`, `run_test.php`, etc) are routed to `scripts/`.
- **Golden Scars**: `config.platform.php` override was removed as it forced `^8.4` dependency structures incompatible with local test matrices.
17 changes: 4 additions & 13 deletions includes/vendor/aura/sql/CHANGELOG.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion includes/vendor/aura/sql/README.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion includes/vendor/aura/sql/codecov.yml

This file was deleted.

2 changes: 1 addition & 1 deletion includes/vendor/aura/sql/composer.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

18 changes: 4 additions & 14 deletions includes/vendor/aura/sql/docs/getting-started.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

22 changes: 1 addition & 21 deletions includes/vendor/aura/sql/docs/upgrade.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading