
PHPunit #3

Open
HartLarsson opened this issue Jan 9, 2020 · 4 comments

Comments

@HartLarsson

On the latest plugin there are traces of phpunit code in /vendor/smartsupp/php-partner-client/

PHPUnit creates a vulnerability, as explained here: https://build.prestashop.com/news/critical-security-vulnerability-in-prestashop-modules/

For security, isn't it better to remove any phpunit traces?

thanks

@marekgach
Contributor

marekgach commented Jan 9, 2020

@HartLarsson phpunit/phpunit is used only by dependencies (2 libs) and only in require-dev. I cannot see anything wrong with this setup.

In production, with a meaningful config, you should not run composer install in dev mode.

Or am I missing something?

@HartLarsson
Author

HartLarsson commented Jan 9, 2020

Well, usually PHPUnit must not be present in the dist version of any plugin/module because it is only needed for testing (usually).

Because it was recently found that phpunit creates a big vulnerability if used (the latest version seems patched), keeping it in the dist version could create a hole in security.

The downloadable zip version contains PHPUnit traces; every user will download that version and find inside something related to dev and not needed.

@marekgach
Contributor

@HartLarsson all usages of phpunit/phpunit are for require-dev, which means NOT dist mode.

The current and, I think, all versions of our plugin in the marketplace do not have any phpunit files packed in the plugin ZIP package. Also, anyone using this plugin via composer will not have phpunit unless they install it in dev mode, which is that user's fault.

It is the server admin's / programmer's fault if s/he installs this plugin via Composer on production with plain composer install instead of composer install --no-dev.

Unless I am missing something, I cannot see that we are doing anything incorrectly. We are following Composer principles and best practices. Correct me if I am wrong.
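The maintainer's position above rests on a checkable claim: a dist / `composer install --no-dev` tree contains no phpunit files. The script below is an added example (not code from the smartsupp plugin, PrestaShop or the PHPUnit project) of the gate a release or deploy step can run to verify that claim. Both sample trees are constructed inline; the `src/Util/PHP/eval-stdin.php` path is the PHPUnit file the linked PrestaShop advisory concerns, placed here only so the "dev" tree looks like a real mistaken install.

```shell
#!/bin/sh
# Added example: fail a build or deploy if phpunit files are present in a
# tree that is supposed to be a --no-dev (dist) install.
# Not part of the smartsupp plugin or PHPUnit; sample trees are constructed.

# Print every path under $1 that contains "phpunit" (case-insensitive).
# Output is empty for a clean tree. Exit status is that of wc, so this
# function is only for listing; use check_no_phpunit to gate on the result.
list_phpunit_paths() {
    find "$1" -ipath '*phpunit*' 2>/dev/null
}

# Return 0 when no phpunit path exists under $1, 1 otherwise.
# Any hit is printed so the operator sees what leaked into the package.
check_no_phpunit() {
    hits=$(list_phpunit_paths "$1")
    if [ -n "$hits" ]; then
        printf 'phpunit files found under %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Constructed sample trees (hypothetical layout, not the real ZIP contents):
#   $base/dist  -> what "composer install --no-dev" should leave behind
#   $base/dev   -> what plain "composer install" pulls in via require-dev
# Prints the base directory so the caller can inspect and remove it.
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/dist/vendor/smartsupp/php-partner-client/src"
    touch "$base/dist/vendor/smartsupp/php-partner-client/src/Client.php"
    mkdir -p "$base/dev/vendor/smartsupp/php-partner-client/src"
    touch "$base/dev/vendor/smartsupp/php-partner-client/src/Client.php"
    mkdir -p "$base/dev/vendor/phpunit/phpunit/src/Util/PHP"
    touch "$base/dev/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    echo "$base"
}

# Stand-alone demo: check both trees, report, clean up.
demo() {
    base=$(make_sample_trees)
    if check_no_phpunit "$base/dist"; then
        echo "dist tree: clean, safe to ship"
    fi
    if check_no_phpunit "$base/dev"; then
        echo "dev tree: clean"
    else
        echo "dev tree: phpunit present, do not ship (rerun composer install --no-dev)"
    fi
    rm -rf "$base"
}

demo
```

In practice you would point `check_no_phpunit` at the directory produced by unpacking the marketplace ZIP, or at the `vendor/` tree produced by `composer install --no-dev` on the deploy host; a non-zero exit is the signal that a require-dev package leaked into what is about to be served from the web root.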

@marekgach
Contributor

marekgach commented Jan 10, 2020

@HartLarsson here is how it is explained in the PHPUnit docs. If you find some link where a different approach is recommended for Prestashop plugins, feel free to pass it on and we can discuss it. Thanks!

vorcigernix pushed a commit that referenced this issue Dec 13, 2023
SMAR-16/ Ajax controller error handling improvements