
VulnerabilitiesBundle for Symfony2

Only two days after I pushed the first version of my VersionEyeBundle for Symfony2 to GitHub, Fabien Potencier announced SensioLabs' new Security Advisories Checker. The service works much like VersionEye, but instead of your composer.json it wants your composer.lock: the lock file records the exact versions that are actually installed, which is what you need to tell whether any of them has a known security issue (composer.json only states version constraints).

Screenshot: VulnerabilitiesBundle for Symfony2 in the Web Debug Toolbar. This is what it looks like in the toolbar.

SensioLabs offers an upload form in the browser and, conveniently, an API as well. The code of their security-checker is on GitHub, too. So what could be more natural than showing the results of the check in the Web Debug Toolbar, right next to all the other useful information? Right. I wrote a second bundle, called VulnerabilitiesBundle, that displays the security advisories in the toolbar and in the profiler view.
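The check such a service performs, reduced to its core, as an added example: this is not code from the VulnerabilitiesBundle or from the SensioLabs security-checker. It reads the installed versions from a composer.lock (a constructed fragment with only the fields the check needs) and matches them against an advisory list. The package names (acme/*), the advisories and their version ranges are all hypothetical and constructed for this example, and the function names are my own; the advisory layout is a simplified branch/version-range form, not the exact format of any real advisory database.

```php
<?php
declare(strict_types=1);
// Added example, not code from VulnerabilitiesBundle or the SensioLabs
// security-checker: the core of a composer.lock advisory check, run offline.
// Requires PHP 7.3+ (JSON_THROW_ON_ERROR).

/** Constructed composer.lock fragment with only the fields the check needs. */
function sampleComposerLock(): string
{
    return <<<'JSON'
{
    "packages": [
        {"name": "acme/widget", "version": "v1.2.3"},
        {"name": "acme/logger", "version": "2.0.5"}
    ],
    "packages-dev": [
        {"name": "acme/testkit", "version": "0.9.0"}
    ]
}
JSON;
}

// Constructed, hypothetical advisories: each names the affected package and,
// per release branch, a list of constraint pairs (operator, bound). A version
// is affected when it satisfies every pair of a branch.
const ADVISORIES = [
    [
        'package'  => 'acme/widget',
        'title'    => 'Hypothetical: request forgery in widget renderer',
        'branches' => [
            '1.x' => [['>=', '1.0.0'], ['<', '1.2.5']],
        ],
    ],
    [
        'package'  => 'acme/logger',
        'title'    => 'Hypothetical: log injection',
        'branches' => [
            '2.0.x' => [['>=', '2.0.0'], ['<', '2.0.4']],
        ],
    ],
];

/**
 * Installed packages as name => version, from both "packages" and
 * "packages-dev": a dev-only package still runs on developer machines and CI.
 */
function installedPackages(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $installed = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $package) {
            // Lock versions may carry a leading "v"; strip it so that
            // version_compare() sees a plain version string.
            $installed[$package['name']] = ltrim($package['version'], 'v');
        }
    }
    return $installed;
}

/** True if $version satisfies every (operator, bound) pair in $constraints. */
function versionMatches(string $version, array $constraints): bool
{
    foreach ($constraints as [$operator, $bound]) {
        if (!version_compare($version, $bound, $operator)) {
            return false;
        }
    }
    return true;
}

/** Advisories that apply to the versions recorded in the lock file. */
function findVulnerabilities(string $lockJson, array $advisories): array
{
    $installed = installedPackages($lockJson);
    $hits = [];
    foreach ($advisories as $advisory) {
        $version = $installed[$advisory['package']] ?? null;
        if ($version === null) {
            continue; // package not installed at all
        }
        foreach ($advisory['branches'] as $branch => $constraints) {
            if (versionMatches($version, $constraints)) {
                $hits[] = [
                    'package' => $advisory['package'],
                    'version' => $version,
                    'branch'  => $branch,
                    'title'   => $advisory['title'],
                ];
            }
        }
    }
    return $hits;
}

// With the constructed data above only acme/widget 1.2.3 is reported;
// acme/logger 2.0.5 is past the fixed version 2.0.4 and is silent.
foreach (findVulnerabilities(sampleComposerLock(), ADVISORIES) as $hit) {
    printf("%s %s (%s): %s\n", $hit['package'], $hit['version'], $hit['branch'], $hit['title']);
}
```

The point of the example is the input: the check is only meaningful on composer.lock, because that is where the resolved versions live, and it has to cover packages-dev as well, since a vulnerable dev dependency still executes on the developer's machine and in CI.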

Screenshot: VulnerabilitiesBundle for Symfony2 in the Profiler. And this is the Profiler page.

Please keep in mind that this is an early development version intended for use in dev environments only (and that will stay so even once it is stable). It simply makes no sense on production servers, not least because the check sends your composer.lock to a third-party service. Feel free to fork, test, and report any issues you encounter. Contributions in the form of pull requests are, of course, more than welcome :-)

VersionEyeBundle for Symfony2

At last week's Webmontag Frankfurt (?), Robert Reiz talked about continuously updating dependencies with VersionEye. VersionEye, in its own words, is a

cross-platform search engine and crowdsourcing app for open source software libraries.

Essentially, the service tracks more than 170,000 libraries in languages such as Java, Ruby, PHP and Python, and monitors updates to those libraries. Registered users can keep track of their projects and of the libraries those projects use; whenever an upstream update is released, VersionEye sends a mail. As a developer you no longer have to check all those GitHub repositories by hand: VersionEye does it for you.

VersionEye also draws dependency graphs like the one shown here. It lists the licenses of all the libraries used in your project as well, and lets you see which libraries you use most often.

Using it with PHP

Adding a PHP project to the service couldn't be simpler (if you use Composer, which you should!): upload your composer.json to VersionEye and you are all set. The same goes for project files such as package.json (Node.js), requirements.txt (Python Package Index), pom.xml (Maven) or a Ruby Gemfile. You can also connect VersionEye to your GitHub account, and it will notify you of outdated dependencies in your repositories.

Robert also mentioned that there is already a VersionEye module for ZF2 and the ZendDeveloperTools that calls the VersionEye JSON API to track dependencies. I could not find a Symfony2 bundle with this functionality, however. So I wrote one.

Read "VersionEyeBundle for Symfony2" in full

21st Meeting of the PHP User Group Rheinhessen

I thought I would once again report briefly on a user group meeting in Mainz, the twenty-first if I have counted correctly. By now we (the PHP User Group Rheinhessen) have two locations, that is two agencies, at which we meet alternately: netz98 and NIDAG. This time we were guests of the latter again, in the Mainzer Zollhafen (see Thomas's photo).

Nils Adermann, one of the developers of Composer, currently the dependency management tool for PHP, presented the tool and gave a vivid description of everything you can do with it. And that is considerably more than it seems at first glance. Many thanks to Nils for this highly interesting talk.

Afterwards, as always, there was an intensive exchange of experiences about Composer and various other topics that were on the participants' minds. For that we moved next door to Schröder's, where there was good food and drink as well. Many thanks to NIDAG for the rooms, to Nils for his talk, and to all participants for taking part and joining in! Until next time!