The "Without Composer" pre-built library package is compiled with the dev dependencies, exposing production websites to possible issues due to unused zombie PHP packages.
The packaging needs to run composer install --no-dev.
From the README.txt:
Without Composer:
- Download the pre-built library package:
https://github.com/thinkshout/mailchimp-api-php/files/710410/v1.0.6-pack...
- Extract the library archive to libraries/mailchimp
- Ensure the directory structure looks like this:
  - libraries/
    - mailchimp/
      - src/
        - Mailchimp.php
        - MailchimpAPIException.php
        - MailchimpCampaigns.php
        - MailchimpLists.php
        - MailchimpReports.php
        - MailchimpTemplates.php
      - vendor/
        - autoload.php
        - composer/
        - guzzlehttp/
        - psr/
      - composer.json
      - README.md
But the vendor folder currently is:
- vendor/
  - autoload.php
  - bin
  - composer
  - doctrine
  - guzzlehttp
  - phpdocumentor
  - phpspec
  - phpunit
  - psr
  - sebastian
  - symfony
  - webmozart
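A release check that catches exactly the situation reported above: dev-only packages shipped inside vendor/ of a pre-built archive. This is an added example for this issue, not code from the mailchimp-api-php project or from ThinkShout. It assumes only two documented Composer conventions: composer.lock lists every dev-only package, direct and transitive, under "packages-dev", and each installed package lives at vendor/<vendor>/<name>. The sample lock file and vendor trees are constructed inline; the package names are illustrative, chosen to mirror the listing in the issue (phpunit and its helpers as dev-only, guzzle and psr as runtime).

```python
"""Audit a packaged Composer release for dev-only packages left in vendor/.

Added example, not part of the mailchimp-api-php project. Relies on Composer's
own file formats: composer.lock's "packages-dev" array names every dev-only
package (including transitive ones), and installed packages live under
vendor/<vendor>/<name>. All sample data below is constructed.
"""
import json
import os
import tempfile


def dev_packages_from_lock(lock_path):
    """Return the set of package names Composer treats as dev-only."""
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    return {pkg["name"] for pkg in lock.get("packages-dev", [])}


def installed_packages(vendor_dir):
    """Return package names present as vendor/<vendor>/<name> directories.

    vendor/composer and vendor/bin are Composer's own bookkeeping, not
    packages, so they are skipped along with plain files like autoload.php.
    """
    found = set()
    if not os.path.isdir(vendor_dir):
        return found
    for vendor in os.listdir(vendor_dir):
        vpath = os.path.join(vendor_dir, vendor)
        if not os.path.isdir(vpath) or vendor in ("composer", "bin"):
            continue
        for name in os.listdir(vpath):
            if os.path.isdir(os.path.join(vpath, name)):
                found.add(f"{vendor}/{name}")
    return found


def audit_release(package_root):
    """Return the sorted list of dev-only packages shipped in package_root/vendor.

    An empty list means the archive was built with `composer install --no-dev`
    (or had dev packages pruned afterwards).
    """
    dev = dev_packages_from_lock(os.path.join(package_root, "composer.lock"))
    shipped = installed_packages(os.path.join(package_root, "vendor"))
    return sorted(dev & shipped)


def build_sample_package(root, with_dev):
    """Construct a toy release tree (constructed data, hypothetical versions omitted)."""
    lock = {
        "packages": [{"name": "guzzlehttp/guzzle"}, {"name": "psr/http-message"}],
        "packages-dev": [
            {"name": "phpunit/phpunit"},
            {"name": "sebastian/comparator"},
            {"name": "webmozart/assert"},
        ],
    }
    with open(os.path.join(root, "composer.lock"), "w", encoding="utf-8") as fh:
        json.dump(lock, fh)
    shipped = ["guzzlehttp/guzzle", "psr/http-message"]
    if with_dev:
        shipped += ["phpunit/phpunit", "sebastian/comparator", "webmozart/assert"]
    for pkg in shipped:
        os.makedirs(os.path.join(root, "vendor", *pkg.split("/")), exist_ok=True)
    # Composer's own files, present in both kinds of archive.
    os.makedirs(os.path.join(root, "vendor", "composer"), exist_ok=True)
    open(os.path.join(root, "vendor", "autoload.php"), "w").close()


def demo():
    """Audit one tree built with plain `composer install` and one with `--no-dev`."""
    results = {}
    for label, with_dev in (("with-dev", True), ("no-dev", False)):
        root = tempfile.mkdtemp(prefix=f"release-{label}-")
        build_sample_package(root, with_dev)
        results[label] = audit_release(root)
    return results


if __name__ == "__main__":
    for label, leaked in demo().items():
        print(f"{label}: {'FAIL' if leaked else 'OK'} {leaked}")
```

Pointing audit_release at the extracted libraries/mailchimp directory of a real archive (which must still contain its composer.lock) gives a release gate that fails the build whenever a dev package leaks; using composer.lock rather than composer.json's require-dev is what lets it catch the transitive packages (doctrine, phpspec, sebastian, symfony, webmozart) that the issue lists, since none of those is a direct dev requirement.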
Comments
Comment #2
gambry: I don't think there is anything the community can do at this point; besides, this is a potential BIG security issue, so I'm moving this ticket directly to RTBC in order for the maintainer of the library to either update the package compiler or provide a different way for without-composer websites to run the library smoothly.
Comment #3
Greg Boggs: This is the wrong queue for the mailchimp PHP Wrapper. The queue is here: https://github.com/thinkshout/mailchimp-api-php
Comment #4
ruscoe (ThinkShout): You're absolutely right - dev dependencies are not necessary in a packaged release.
Anyone who wants the dev dependencies will likely be comfortable using composer to get them.
The current release of the library now includes a package without dev dependencies.