Remove composer.lock from git export #228
Conversation
This is to avoid false positive as being sub-project with snyk monitor
| /.gitignore export-ignore | ||
| /.travis.yml export-ignore | ||
| /composer.lock export-ignore | ||
| /docs export-ignore |
There was a problem hiding this comment.
yes. I am:
This makes composer package contain only needed files:
- readme, license
- php source
you can always install --prefer-source to get all files, or browse online rest of the files. documentation in vendor did is not required for package to be used.
|
Hi @glensc when you setup this PHP SDK then during the installation composer.lock added to your directory, so you don't need to worry about it. Also it a module file so update during installation. So we don't need to remove it. |
|
@preetishishodia7 seems you totally missed the context. you have committed your project composer.lock to the project: now if I install your library, it will be present in vendor/sendinblue/api-v3-sdk/composer.lock now security scanner like snyk, sees the file and thinks it's another project to scan. this pr was adding the file to .gitattributes ignore, so when composer is installed with --prefe-dist, the filesendinblue/api-v3-sdk/composer.lock file will not be added to the .zip that composer downloads. besides, it's common practice to exclude files not relevant for using your project using .gitattributes, these include tests, and extra development files. |
|
HI @glensc thanks for explaining, will look into it. |
This is to avoid false-positive as being sub-project with
snyk monitor.This makes composer package contain only needed files: